NEWS FROM THE LAB - Monday, November 26, 2007

My Egyptian Vacation Posted by Mikko @ 11:32 GMT

No, we haven't visited Egypt. But we're seeing a malware distribution run using a unique lure.

First, you get an e-mail like this from "Anita":

[Screenshot: E-Mail with ZIP attachment]

The ZIP contains these files:

[Screenshot: Egyptian Pictures (contents of the ZIP)]

How nice, Anita has even included an image viewer for us so we can take a look at her photos.

However, if you run viewer_img.exe, you'll get just an empty Paintbrush window:

[Screenshot: Russian Paint]

Of course, this is just a bluff. In the background it's dropping and executing a variant of the LdPinch data-stealing trojan.
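The lure above is a recognisable pattern on the mail gateway: an archive full of photos that also ships its own "viewer" executable. The following script is an added example, not code from the post or from F-Secure; it builds a constructed ZIP modelled on the one described (only the names egipet.jpg and viewer_img.exe come from the post, the bytes and the extra entries are made up) and flags entries by extension, by the PE "MZ" magic hiding under an image extension, and by double extensions.

```python
import io
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def build_sample_zip(with_viewer: bool = True) -> bytes:
    """Constructed archive modelled on the lure in the post (contents are made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        jpeg_magic = b"\xff\xd8\xff\xe0"
        zf.writestr("egipet.jpg", jpeg_magic + b"\x00" * 64)   # looks like a real JPEG
        zf.writestr("egipet2.jpg", jpeg_magic + b"\x00" * 64)
        if with_viewer:
            # the "image viewer" from the post: a PE executable (DOS 'MZ' header)
            zf.writestr("viewer_img.exe", b"MZ" + b"\x90" * 126)
            # extra constructed entries to exercise the other two checks
            zf.writestr("egipet3.jpg", b"MZ" + b"\x00" * 30)      # PE under .jpg
            zf.writestr("readme.jpg.exe", b"MZ" + b"\x00" * 30)   # double extension
    return buf.getvalue()


def inspect_zip(data: bytes) -> dict:
    """Summarise an archive: how many genuine-looking images it holds and a list of
    (entry name, reason) findings for anything that should not be in a photo album."""
    findings = []
    images = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            head = zf.open(info).read(2)          # first two bytes of the entry

            if ext in IMAGE_EXTS and head != b"MZ":
                images += 1
            if ext in EXECUTABLE_EXTS:
                findings.append((name, "executable extension"))
            if head == b"MZ" and ext not in EXECUTABLE_EXTS:
                findings.append((name, "PE header under non-executable extension"))
            parts = lower.split(".")
            if len(parts) > 2 and "." + parts[-2] in IMAGE_EXTS:
                findings.append((name, "double extension"))
    return {"images": images, "findings": findings}


def is_suspicious_photo_archive(data: bytes) -> bool:
    """The pattern from the post: image files bundled with an executable 'viewer'."""
    summary = inspect_zip(data)
    has_exe = any(reason == "executable extension" for _, reason in summary["findings"])
    return summary["images"] > 0 and has_exe


if __name__ == "__main__":
    for name, reason in inspect_zip(build_sample_zip())["findings"]:
        print(f"{name}: {reason}")
    print("suspicious:", is_suspicious_photo_archive(build_sample_zip()))
```

The extension check alone would catch viewer_img.exe; the magic-byte check is there because the same dropper could just as easily have been renamed to a .jpg and launched by a script, and the double-extension check catches the "photo.jpg.exe" trick that hides behind Explorer's default of suppressing known extensions.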

Let's see. It loads up a Russian version of pbrush.exe. The images are named "egipet.jpg" — Egipet is the Russian spelling of Egypt. And LdPinch is Russian malware. So this attack is probably (we're guessing) coming from … Denmark!