Date: 11 October 2007
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=8181
There has been a recent spam run for (yet another) trojan looking like:
---BEGIN EMAIL---
From: "Anne"
Subject: Hi.
Hi! I'm not sure if you remember me..
I'm Ann Berns, I guess we went to high school together.
It was quite a while ago but I still remember our friendship.
Do you remember that walk after classes? It was really cool!
And them my parents moved to another town and I had to leave with them...
What a bugger it was to start in another school, with no friends around.
I felt very lonely in the beginning, until half a year or so later, when I made new friends.
But this is another story. But I still think about you sometimes, all that fun, all whispering
chats during classes. Do you want to see what I look like now?
Visit my home page then, it's at http://annberns.com
---END EMAIL---
The "come-and-look-at-pictures-of-me" line is quite a popular hook but what is more interesting about this is the use of the word "bugger" in the message. This is a fairly Australian colloquialism and usually not in common usage outside of Australia, the United Kingdom and New Zealand.
The above link goes to one of these (and there are possibly more) sites:
innomax-staff.biz
stop-the-slaughter.net
substance-of-way.com
These sites then render the following code containing frames that would push the victim to the actual trojan-hosting site:
<head><title>Ann Berns Homepage</title> </head>
<frameset rows="100%,*">
  <frame title="http://nursing.pe.kr/anne/anne.htm" src="http://nursing.pe.kr/anne/anne.htm"
         name="mainframe" frameborder="0" noresize="noresize" scrolling="auto">
  <frame title="empty frame" frameborder="0" scrolling="no" noresize="noresize">
  <noframes>Sorry, you don"t appear to have frame support. Go here instead - <a href="http://nursing.pe.kr/anne/anne.htm">Ann Berns Homepage</a></noframes>
</frameset>
So then the victim (hopefully not anyone reading this) arrives at:
nursing.pe.kr/anne/anne.htm
This site performs browser detection, so an Internet Explorer user-agent, such as Mozilla 5.5(MSIE 7.0; WinXp SP2), is required for the infection to proceed. Then you get to "Anne's" homepage:

Clicking the photo and the link both return the file foto_archiv.exe and, at the time of writing, AV detection for this malicious code is quite low. It is definitely worth checking mail and proxy logs for this email or the above links.
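As an added example of that log check (not part of the original post), the script below pulls the forwarding target out of a frameset landing page like the one quoted above and then sweeps Squid-style proxy log lines for the hostnames and filename named in this post. The log lines are constructed for the example, and the full URL paths in them are assumptions, not observed URLs.

```python
"""Sweep proxy logs for the indicators in this post (added example, constructed input)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames named in the post: the lure link, the redirector sites, and the trojan host.
IOC_HOSTS = {"annberns.com", "innomax-staff.biz", "stop-the-slaughter.net",
             "substance-of-way.com", "nursing.pe.kr"}
IOC_FILENAMES = {"foto_archiv.exe"}   # the file returned by the photo/link

# Abbreviated copy of the frameset quoted above.
LANDING_PAGE = ('<frameset rows="100%,*"><frame src="http://nursing.pe.kr/anne/anne.htm" '
                'name="mainframe"><noframes>Go here instead - '
                '<a href="http://nursing.pe.kr/anne/anne.htm">Ann Berns Homepage</a></noframes></frameset>')

# Constructed Squid native-format lines (timestamp elapsed client action size method URL ...);
# the paths are made up for the example, only the hosts and filename come from the post.
PROXY_LOG = """\
1192060800.123 210 10.0.0.5 TCP_MISS/200 1245 GET http://annberns.com/ - DIRECT/192.0.2.10 text/html
1192060801.456 180 10.0.0.5 TCP_MISS/200 3310 GET http://www.nursing.pe.kr/anne/anne.htm - DIRECT/192.0.2.20 text/html
1192060802.789 900 10.0.0.5 TCP_MISS/200 54321 GET http://192.0.2.20/x/foto_archiv.exe - DIRECT/192.0.2.20 application/octet-stream
1192060803.000 50 10.0.0.9 TCP_HIT/200 512 GET http://www.example.com/index.html - NONE/- text/html
""".splitlines()

class FrameTargets(HTMLParser):
    """Collect every <frame src> and <a href> URL from a landing page."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in (("frame", "src"), ("a", "href")) and value:
                self.urls.append(value)

def frame_hosts(html):
    """Hostnames a frameset page forwards its visitors to (the next hop to block)."""
    p = FrameTargets()
    p.feed(html)
    return {urlparse(u).hostname.lower() for u in p.urls if urlparse(u).hostname}

def host_matches(host, iocs):
    """True when host is an indicator or a subdomain of one (www.annberns.com), never a lookalike."""
    host = host.lower().rstrip(".")
    return any(host == i or host.endswith("." + i) for i in iocs)

def scan_proxy_log(lines, hosts=IOC_HOSTS, filenames=IOC_FILENAMES):
    """Return (line_no, url) for every line whose URL (7th field) hits a host or filename indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 7:
            continue                      # malformed / truncated line, skip rather than crash
        url = fields[6]
        host = urlparse(url).hostname or url.split("/")[0].split(":")[0]   # CONNECT host:port form
        if host_matches(host, hosts) or url.lower().rsplit("/", 1)[-1] in filenames:
            hits.append((n, url))
    return hits
```

Running `scan_proxy_log(PROXY_LOG)` flags the first three constructed lines and leaves the benign fourth alone.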
- Matthew McGlashan