Antivirus experts recommend updating signatures and other mitigations to protect against a Trojan that uses a seemingly safe password-protected zip file to deliver its payload.
Experts aren't in agreement on naming conventions and call it: Troj/Tofger.A, MultiDropper.GP.A, TrojanDropper.JS.Mimail.B and Trojan.Sefex. It logs keystrokes and sends them to a remote location on an active Internet connection. It runs automatically when Windows starts by modifying system.exe file, registry entries and other settings.
The Trojan arrives via e-mail with a blank subject, a password-protected MyProfile.zip attachment, and includes the password in the message body. The zip attachment
Requires Free Membership to View
SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!
Michael S. Mimoso, Editorial Director
flies under the radar of most antivirus software, and
an unsuspecting user inputs the password to open the zip file. Inside is
an HTML file (Profile.html), which in turn drops the payload (dating.exe,
or something equally enticing).
While this Trojan doesn't self-replicate, it propagates through e-mail, IRC, peer-to-peer sharing and other delivery methods. To mitigate the problem, change compromised passwords, edit the target registry entry or delete Windows files. You can also disable HTML e-mail, either filtering at the perimeter or at the client.