Archive for September, 2011

Sep 30 2011

Should you be careful when opening a .doc file from an email?

Published under Security Research

Spreading malware via email has always been so effective that it is still widely used by bad guys. As you may know, there were times when email worms like MyDoom, Brontok, etc. infected millions of computers worldwide. Nevertheless, thanks to the efforts of security agencies and antivirus vendors to warn users, attaching a virus to an email is becoming less effective than it used to be. Users are now more watchful towards emails with attachments from unknown origins and pay more attention to files’ extensions, however similar their icons may look. This has forced bad guys to change their methods.

One of the more notable new methods is to exploit RLO (Right to Left Override) to hide files’ extensions so that users will think they are safe files.

What is the nature of this issue? For right-to-left languages such as Arabic or Hebrew, Microsoft supports the reversed display of a sequence of characters through the insertion of a control code (U+202E) at the beginning of that sequence. Let’s take the example of a file named XXXcod.exe. After U+202E is inserted before the character “c”, the file will be displayed as XXXexe.doc. In this case, if the bad guy gives his file a .doc file’s icon, will you have a fleeting doubt, or immediately open the file?

This is indeed a virus’ executable file.

It can be seen that this is quite a sophisticated technique; even experts might be fooled if they do not pay proper attention. To protect your computer, you should examine a file’s attributes before running it. If a file is identified as an executable (.exe, .scr, .pif, etc.) but displayed with another extension, it is a virus.
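The check recommended above can be automated. The following Python script is an added example written for this page, not Bkav’s tool: it strips Unicode bidirectional controls to recover the extension the operating system will actually use, simulates how a simple renderer draws a name containing U+202E, and flags any name whose displayed extension differs from the real one. The sample names, including the XXXcod.exe case from the post, are constructed; the list of executable extensions is an assumption for this example.

```python
import os

# Unicode bidirectional control characters that change how a file name is drawn
# without changing the bytes the operating system uses to pick a file association.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                # LRM, RLM
}
RLO, PDF = "\u202e", "\u202c"

# Extensions Windows treats as directly executable (assumed list for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def strip_bidi(name):
    """Return the name with every bidi control removed, i.e. what the OS actually parses."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def true_extension(name):
    """Extension the OS will use when the file is opened."""
    return os.path.splitext(strip_bidi(name))[1].lower()


def rendered_name(name):
    """Approximate what a user sees: text after a U+202E is drawn reversed until a
    U+202C (PDF) or the end of the name; other bidi controls are invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            j = i + 1
            while j < len(name) and name[j] != PDF:
                j += 1
            out.extend(reversed(name[i + 1:j]))
            i = j + 1          # skip the PDF (or step past the end of the name)
        elif ch in BIDI_CONTROLS:
            i += 1             # invisible control, contributes nothing to the display
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def analyse(name):
    """Compare the displayed extension with the real extension and flag mismatches."""
    shown = rendered_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    real_ext = true_extension(name)
    return {
        "displayed": shown,
        "displayed_ext": shown_ext,
        "real_ext": real_ext,
        "has_bidi": any(ch in BIDI_CONTROLS for ch in name),
        "is_executable": real_ext in EXECUTABLE_EXTENSIONS,
        "suspicious": shown_ext != real_ext,
    }


if __name__ == "__main__":
    # Constructed sample names; the first reproduces the XXXcod.exe case from the post.
    for sample in ["XXX\u202ecod.exe", "report.doc", "photo\u202egnp.scr"]:
        print(repr(sample), analyse(sample))
```

The same logic can be run over an attachment list or a mail-gateway quarantine: any name with `suspicious` set deserves a closer look, and `has_bidi` alone is a useful signal in networks where right-to-left file names are not expected.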

More simply, you can run the files in a sandbox to ensure the safety of your computer. Best of all is to use a licensed antivirus program for comprehensive protection against viruses.

Phạm Tuấn Vũ – Bkav R&D


Sep 22 2011

Virus faking DHCP Server widely raging in businesses’ networks

Published under Security Research

Recently, users in many businesses’ networks have found that they suddenly cannot access any websites. Instead, they see a request to update their browsers.

On clicking “Browser update”, a “program” is downloaded that is supposed to “update” the users’ browsers.

This is indeed a virus.

LANs with such problems all have at least one computer infected with W32.Gatpaz.Worm. This virus imitates a DHCP server, sending clients configuration information that replaces their DNS addresses with the hacker’s server. Then, when the infected computers attempt to connect to the Internet, users are redirected to phishing websites crafted by the hacker.
Only LANs using a DHCP server for dynamic IP address assignment are affected.

In this IP address assignment model, each LAN is equipped with one DHCP server, which is in charge of managing and assigning IPs to its clients. When a client needs an IP address to connect to the Internet, it broadcasts a DHCPDISCOVER message across the network. Upon receiving the message, the DHCP server processes it and allocates the client an IP address. This broadcast process is what the hacker exploits to set up a fake DHCP server, provided Gatpaz has been successfully installed on any client of the network. Besides allocating an IP address to the client, the fake DHCP server changes the client’s DNS server to the hacker’s one. The hacker then gains total control over which websites users reach.
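Because the rogue server must answer the same broadcast as the real one, a defender can catch it by inspecting every DHCPOFFER (or DHCPACK) seen on the LAN and comparing its server identifier (option 54) and DNS list (option 6) against the addresses the network actually uses. The Python script below is an added example written for this page, not Bkav’s code: it builds two constructed DHCPOFFER packets (one from the legitimate server, one from a rogue host that hands out a foreign DNS server), parses the option TLVs, and reports deviations from a constructed allow-list. In practice the packets would come from a packet capture or a raw socket bound to UDP port 68 rather than being built in the script.

```python
import socket
import struct

# DHCP constants (RFC 2131 header layout, RFC 2132 option codes)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_SUBNET, OPT_ROUTER, OPT_DNS = 0, 1, 3, 6
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_offer(xid, yiaddr, server_id, router, dns_servers):
    """Build a minimal DHCPOFFER. Constructed test data for this example, not a capture."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                      # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0,                       # transaction id, secs, flags
        b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr, giaddr
        b"\0" * 16, b"\0" * 64, b"\0" * 128,                        # chaddr, sname, file
    )
    opts = bytes([OPT_MSG_TYPE, 1, 2])
    opts += bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_id)
    opts += bytes([OPT_SUBNET, 4]) + socket.inet_aton("255.255.255.0")
    opts += bytes([OPT_ROUTER, 4]) + socket.inet_aton(router)
    dns = b"".join(socket.inet_aton(d) for d in dns_servers)
    opts += bytes([OPT_DNS, len(dns)]) + dns + bytes([OPT_END])
    return header + MAGIC_COOKIE + opts


def parse_options(packet):
    """Parse the TLV options after the magic cookie into {code: bytes}."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        opts[code] = opts.get(code, b"") + data   # RFC 3396: repeated options concatenate
        i += 2 + length
    return opts


def ip_list(data):
    """Decode a sequence of 4-byte IPv4 addresses."""
    return [socket.inet_ntoa(data[k:k + 4]) for k in range(0, len(data) - len(data) % 4, 4)]


def check_offer(packet, trusted_servers, trusted_dns):
    """Return findings for an OFFER/ACK whose server or DNS list is not on the allow-list."""
    opts = parse_options(packet)
    msg_type = MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\0")[0], "UNKNOWN")
    if msg_type not in ("OFFER", "ACK"):
        return []
    server = socket.inet_ntoa(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else "unknown"
    findings = []
    if server not in trusted_servers:
        findings.append(f"{msg_type} from unexpected DHCP server {server}")
    for dns in ip_list(opts.get(OPT_DNS, b"")):
        if dns not in trusted_dns:
            findings.append(f"{msg_type} from {server} hands out untrusted DNS server {dns}")
    return findings


# Constructed samples: the legitimate LAN DHCP server and a rogue host on the same LAN.
TRUSTED_SERVERS = {"192.168.1.1"}
TRUSTED_DNS = {"192.168.1.1"}
LEGIT_OFFER = build_offer(0x1234, "192.168.1.50", "192.168.1.1", "192.168.1.1", ["192.168.1.1"])
ROGUE_OFFER = build_offer(0x1234, "192.168.1.50", "192.168.1.77", "192.168.1.1", ["203.0.113.5"])

if __name__ == "__main__":
    for label, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(label, check_offer(pkt, TRUSTED_SERVERS, TRUSTED_DNS) or "ok")
```

The server identifier is the quickest indicator, since a Gatpaz-style host answers from its own address; the DNS check is the one that catches the actual damage described in the post, and it still fires if a rogue host spoofs the legitimate server’s address in option 54.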

To completely resolve this kind of incident, in which viruses disrupt businesses’ networks, Bkav recommends employing a comprehensive enterprise antivirus solution.

Analyst: Ngo Anh Huy – Bkav R&D


Sep 06 2011

New fraud software distribution stratagem via spam email impersonating government agencies

Published under Security Research

After the blog entry on spam emails impersonating the FBI to distribute W32.FakeFBIVariantovLT.Trojan, we have discovered a new stratagem for distributing fraudulent software which uses spam email faking the New York State Police. The email, sent from an address at the domain nyc.gov, informs the receiver of speeding at 7:25 am on July 5. Then follows a request that the receiver print out the enclosed ticket and send it to the court if he wants to plead.

The receiver may not even have been in New York at the mentioned time. He still opens the attached file, out of a desire to plead or simply out of curiosity. When extracted, this file appears with the icon of a PDF file. It is actually a trojan. Once run, this trojan connects to various addresses and downloads many other malware samples, which lowers the security level of the system.
One of the downloaded malware samples is detected as W32.FakeHddRepair.Trojan by Bkav.
Like FakeFBIVariantovLT.Trojan, FakeHddRepair.Trojan constantly displays notifications of hard drive errors:

The fake HDD Repair program interface appears, scans, and points out hard drive errors. Accordingly, users are told they need to activate the software to fix these errors.

This fraud scenario is quite familiar: warn users of non-existent serious errors in the system and offer a program interface to fix those errors, for which, of course, users have to pay for a license. When there is important data on their computers, many people will agree to pay to “recover” that data. However, for the most effective and comprehensive protection, users are recommended to use licensed antivirus software with regular virus definition updates.

Nguyen Hung Phu

Malware researcher
