Summary

This is a Visual Basic Script trojan that has been spammed as "Men & Women.html".

Additional Details

Part of the code is encrypted and decrypts on the fly. If a user open this file Chango first checks the Visual Basic Script version. If it is more than 4 then it creates two files: "C:\WINDOWS\LOGOS.SYS" and "C:\WINDOWS\LOGOW.SYS". Those files are scriptlet objects and contain the string "TROJAN.Chango".

After that the trojan attempts to create in the Windows startup directory of English, Spanish and Portuguese environments the file "TROJAN.CHANGO.HTM".

Further every time the a system is rebooted it will run the IE and open "TROJAN.CHANGO.HTM" that looks like:

Chango doesn't contain any destructive payload.

[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure]