The mail below landed in my mailbox today with an attachment, DHL_Tracking_NR.324-492383.zip. As a curious user, I went to check it.
Subject: DHL Tracking number #1488883
Date: Tue, May 24, 2010 10:09 am
We were not able to deliver postal package you sent on the 22nd May in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our
Your personal manager: Dolly Gibson,
Customer Service: 1-800-CALL-DHL
DHL International, Ltd. All Rights Reserved.
When the archive was extracted, a file named DHL_Tracking_NR.324-492383.DOC.exe was present. Once this file was opened, it dropped the following file on the system:
[Current Profile Folder]\Local Settings\Temp\3.tmp
In the registry, it added:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: “Explorer.exe rundll32.exe pgsb.lto csxyfxr”
It tried to connect to a remote system to download another trojan onto the system. After a few minutes, the system started showing fake messages, and eventually a fake antivirus program was installed.
We have released protection against this fake AV/rogueware, which is detected as Securityessentials2010.
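The two indicators described in this post, a document-looking name that ends in an executable extension inside the zip and a Winlogon Shell value that is no longer plain Explorer.exe, can be checked with a short triage script. This is an added example, not code from the original post; the function names, the extension lists and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed lists: extensions Windows executes, and document-style decoy extensions.
EXECUTABLE = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DECOY = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg"}


def deceptive_members(zip_bytes):
    """Return archive member names shaped like name.<decoy>.<executable>."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for name in archive.namelist():
            # Look only at the file name, not at any folder inside the archive.
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            if (len(parts) >= 3
                    and "." + parts[-1] in EXECUTABLE
                    and "." + parts[-2] in DECOY):
                hits.append(name)
    return hits


def winlogon_shell_is_modified(value):
    """True when the Winlogon Shell value is anything but the default explorer.exe."""
    return value.strip().strip('"').lower() != "explorer.exe"


def build_sample_zip():
    """Constructed sample: placeholder bytes stored under the post's file name."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("DHL_Tracking_NR.324-492383.DOC.exe", b"placeholder")
        archive.writestr("invoice.pdf", b"placeholder")
    return buffer.getvalue()


if __name__ == "__main__":
    # The attachment name from the post is flagged; the plain PDF is not.
    print(deceptive_members(build_sample_zip()))
    # The Shell value from the post is flagged; the Windows default is not.
    print(winlogon_shell_is_modified("Explorer.exe rundll32.exe pgsb.lto csxyfxr"))
    print(winlogon_shell_is_modified("Explorer.exe"))
```

On a live Windows host, the string passed to `winlogon_shell_is_modified` would be the Shell value read from the Winlogon key listed above.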