Sunday, 29 April 2007

Greeting Card

Here's a slightly odd greeting card currently detected as: Email.Malware.Sanesecurity.07030201

It doesn't look anything special to look at... but wait... what's this.... oh look, it's a username/password ftp link to download a normally nasty .pif file:















So, it loads the Zapchast trojan, as can be seen from some VirusTotal results:













Now, let's look at the live FTP site, you can see from the screen grab, the .pif file containing the trojan. Hmmm.... there seems to be other folders there too:










Hang on... that's an Italian Bank name!












Let's see what it looks like in FireFox (with NoScript plugin enabled).

Yup, I'ts a Posteitaliane bank fraud page, just waiting to capture your details:

No comments: