Password-protected Trojan slides under antivirus scans

Edmund X. DeJesus, Information Security magazine Contributor

Antivirus experts recommend updating signatures and other mitigations to protect against a Trojan that uses a seemingly safe password-protected zip file to deliver its payload.

Experts aren't in agreement on naming conventions and call it: Troj/Tofger.A, MultiDropper.GP.A, TrojanDropper.JS.Mimail.B and Trojan.Sefex. It logs keystrokes and sends them to a remote location on an active Internet connection. It runs automatically when Windows starts by modifying system.exe file, registry entries and other settings.

The Trojan arrives via e-mail with a blank subject, a password-protected attachment, and includes the password in the message body. The zip attachment

    Requires Free Membership to View

flies under the radar of most antivirus software, and an unsuspecting user inputs the password to open the zip file. Inside is an HTML file (Profile.html), which in turn drops the payload (dating.exe, or something equally enticing).

While this Trojan doesn't self-replicate, it propagates through e-mail, IRC, peer-to-peer sharing and other delivery methods. To mitigate the problem, change compromised passwords, edit the target registry entry or delete Windows files. You can also disable HTML e-mail, either filtering at the perimeter or at the client.

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: