Date: Thu, 23 May 2013 07:08:43 +0200
- Malware alert
Nabload.DLU Trojan, Renus2008 adware and MSNworm.FZ worm
Nabload.DLU passes itself off as a funny video to trick users while it downloads another piece of malicious code to the target computer in order to
steal online banking details. The process is as follows:
The Trojan reaches the targeted computer disguised as a greetings video. When the
user opens the file, the Trojan loads a funny video from the Internet
while simultaneously downloading another piece of malicious code: Banker.LRX.
This malware is designed to steal login credentials for several online
You can watch a video showing what the targeted user would see while
being infected: http://www.youtube.com/watch?v=OaQhFhVX6yI
Nabload.DLU also modifies the Windows Registry so that it runs
every time the user restarts the computer. This ensures it is always active on the system.
Renus2008 is a fake antivirus type of adware. Once run, it shows a screen simulating a computer scan. The malicious code offers the option of performing a quick or an in-depth scan of the computer. Users can also configure different aspects of the fake antivirus as if it were a real one.
Once the fake scan finishes, a warning message is displayed indicating that some infected files have been found on the system. However, these files do not exist.
Users are offered the option to disinfect their computers through the
“Remove Viruses” button on the scan screen. If they do so, a window is
displayed inviting them to register and buy the paid version of the fake
antivirus.
“If the user buys the paid version, they are paying for a product that actually does nothing and which, in some cases, can’t even be downloaded”, explains Luis Corrons, Technical Director of PandaLabs. “This is one more example of how cyber-crooks try to trick users in order to get their money”.
MSNworm.FZ is a worm that spreads through the instant messaging program MSN Messenger. It attaches itself to messages, passing itself off as a
picture file, and sends itself to the victim’s contact list.
To trick users, once run, it shows an error message indicating that the “picture can not be displayed”.
The worm also modifies the Microsoft Internet Explorer home page and
creates a key in the Windows Registry to ensure it is run every time the
session is started.