Monday, April 30, 2012

Fake remote assist popup... from an email

Saw an interesting one today. A user reported that every time he opened a particular email, he got a fake remote-assistance popup that featured one of our support analysts' network IDs in the dialog box text, even though that analyst wasn't attempting to connect to his PC. Unfortunately, he deleted the email, but we are working to recover it now. I suspect it contains some JavaScript that examines the remote-assist logs for the usernames of previous genuine helpers and uses them in the popup dialog.

Wednesday, April 25, 2012

M0rPheuS.tpl

We have recently been targeted with a rather nifty .tpl script that uses the mshta executable to set the hidden attribute on a user's personal folders, along with the files and folders of any mapped drives they have access to. The .tpl script then creates a shortcut whose target is C:\WINDOWS\system32\cmd.exe /c START mshta.exe "%cd%M0rPheuS.tpl, which of course executes on a victim's machine when clicked, spreading the "infection" further onto their mapped drives. Example compromised shortcut:

C:\WINDOWS\system32\cmd.exe /c START mshta.exe "%cd%M0rPheuS.tpl?reload=1335348216873" & start %windir%\explorer.exe "%cd%FOLDER_NAME_GOES_HERE"   

To clean infected drives, simply remove the M0rPheuS.tpl file, run del *.lnk (which, of course, removes all shortcuts, good and bad) and then attrib -h /D /S to unhide the folders.
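A more selective clean-up than del *.lnk, written here as an added example rather than anything from the original post: it walks a drive root, identifies only those shortcuts whose target launches mshta.exe on a %cd%...tpl file (the pattern in the compromised shortcut above), reports the dropper file and the folders that were hidden, and only changes anything when -Remediate is given. It assumes PowerShell 3 or later and the WScript.Shell COM object on the host; the $Root path is whatever drive or share you are triaging.

```powershell
# Added example (not code from the original post): triage a drive for
# M0rPheuS-style shortcuts, the dropper .tpl and hidden folders.
param(
    [Parameter(Mandatory = $true)][string]$Root,
    [switch]$Remediate   # without this switch the script only reports
)

$shell = New-Object -ComObject WScript.Shell

# A shortcut is treated as malicious only if its target/arguments launch
# mshta.exe against a %cd%...tpl file, as in the compromised shortcut above.
function Test-MalLink {
    param([string]$LinkPath)
    try {
        $lnk = $shell.CreateShortcut($LinkPath)
        $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
        return ($cmd -match '(?i)mshta(\.exe)?\s+"?%cd%[^"]*\.tpl')
    } catch { return $false }
}

# 1. Shortcuts: -Force so hidden .lnk files are included in the walk.
Get-ChildItem -Path $Root -Recurse -Force -Filter *.lnk -ErrorAction SilentlyContinue |
    Where-Object { Test-MalLink $_.FullName } |
    ForEach-Object {
        Write-Output "Malicious shortcut: $($_.FullName)"
        if ($Remediate) { Remove-Item -LiteralPath $_.FullName -Force }
    }

# 2. The dropper file itself.
Get-ChildItem -Path $Root -Recurse -Force -Filter 'M0rPheuS.tpl' -ErrorAction SilentlyContinue |
    ForEach-Object {
        Write-Output "Dropper file: $($_.FullName)"
        if ($Remediate) { Remove-Item -LiteralPath $_.FullName -Force }
    }

# 3. Folders the script hid: clear only the Hidden bit, leave other attributes alone.
Get-ChildItem -Path $Root -Recurse -Force -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
    ForEach-Object {
        Write-Output "Hidden folder: $($_.FullName)"
        if ($Remediate) { $_.Attributes = $_.Attributes -bxor [IO.FileAttributes]::Hidden }
    }
```

Run it once without -Remediate and review the report before running it again with the switch, since legitimately hidden folders on the share will also be listed in step 3.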

I'm amazed at how quickly and effectively this thing spreads, from what is in effect a simple bit of scripting.