[oagitm] FW: Security BULLETIN: SPAM E-mail Messages with the subject "DPRK has carried out nuclear missile attack on Japan"

  • From: "MASSE Theresa A * EISPD ESO" <theresa.a.masse@xxxxxxxxxxx>
  • To: <oagitm@xxxxxxxxxxxxx>
  • Date: Fri, 5 Mar 2010 14:26:02 -0800

OAGITM Members:

 

I thought you might be interested in this bulletin!

 

Regards,

 

Theresa A. Masse

State Chief Information Security Officer

State of Oregon

Department of Administrative Services

Enterprise Security Office

(503) 378-4896

________________________________

From: Duffy, Thomas (CSCIC) [mailto:Thomas.Duffy@xxxxxxxxxxxxxxxxx] On
Behalf Of Pelgrin, William (CSCIC)
Sent: Friday, March 05, 2010 2:13 PM
To: Pelgrin, William (CSCIC)
Subject: MS-ISAC INFORMATION BULLETIN: SPAM E-mail Messages with the
subject "DPRK has carried out nuclear missile attack on Japan" 
Importance: High

 

MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER CYBER SECURITY
INFORMATION BULLETIN 

 

DATE ISSUED: March 5, 2010

 

SUBJECT: SPAM E-mail Messages with the subject "DPRK has carried out
nuclear missile attack on Japan" 

 

On March 5, 2010, it was reported that SPAM email messages are being
distributed with the subject "DPRK has carried out nuclear missile
attack on Japan".  The email contains the following link:
hxxp://dnicenter.com/docs/report.zip. DO NOT DOWNLOAD THIS FILE! 

 

It should be noted that the zip file actually contains an executable
named "report.exe" which is the installer for the Zeus Trojan. Once
executed, the Zeus Trojan sets the following registry key:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"userinit" = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe"

 

The malicious code then creates the 'wsnpoem' folder in
'C:\WINDOWS\system32\' and creates a file 'audio.dll' in the folder.
Audio.dll contains the captured key logger information. The malware is
also known to inject itself into winlogon.exe, smss.exe, services.exe,
and svchost.exe.

 

Please see the attached file as it contains an example of the message
purporting to be sent from a government agency. 

 

We recommend blocking access to hxxp://dnicenter.com.

 

If you believe you have received a message of this nature, please notify
your Information Security Officer (ISO) immediately.  

 

MS-ISAC 

30 South Pearl Street, Suite P2

Albany, NY 12207

(518) 474-0865

7x24 CSAC 1-866-787-4722

 

 

________________________________

This message may contain confidential information and is intended only
for the individual(s) named. If you are not an intended recipient you
are not authorized to disseminate, distribute or copy this e-mail.
Please notify the sender immediately if you have received this e-mail by
mistake and delete this e-mail from your system.
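
The host indicators listed in the bulletin above (the extra Userinit entry, ntos.exe and the wsnpoem folder) can be checked against collected host data. This is an added example, not part of the original bulletin or any MS-ISAC tooling. The record layout (one Userinit string plus a list of file paths per host) and the sample records are assumptions constructed for illustration, and paths are assumed to be already expanded (no %SystemRoot% variables).

```python
import ntpath

# Paths named in the bulletin above, lower-cased for comparison.
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"
IOC_FILE = r"c:\windows\system32\ntos.exe"
IOC_DIR = r"c:\windows\system32\wsnpoem"

def norm(path):
    """Normalise a Windows path: drop quotes and whitespace, fold case."""
    return ntpath.normpath(path.strip().strip('"')).lower()

def extra_userinit_entries(value):
    """Split the comma-separated Userinit value; return non-stock entries."""
    entries = [norm(e) for e in value.split(",") if e.strip()]
    return [e for e in entries if e != STOCK_USERINIT]

def triage_host(userinit_value, file_paths):
    """Return (source, path, reason) findings for one host record."""
    findings = []
    # Anything chained after userinit.exe runs at every logon, so report
    # every extra entry, not only the one named in the bulletin.
    for entry in extra_userinit_entries(userinit_value):
        reason = "bulletin indicator" if entry == IOC_FILE else "unexpected entry"
        findings.append(("userinit", entry, reason))
    # Match ntos.exe itself and anything inside the wsnpoem folder.
    for path in sorted({norm(p) for p in file_paths}):
        if path == IOC_FILE or path.startswith(IOC_DIR + "\\"):
            findings.append(("file", path, "bulletin indicator"))
    return findings

# Constructed sample records (hypothetical inventory export, not real hosts).
CLEAN = {
    "userinit": r"C:\WINDOWS\system32\userinit.exe,",
    "files": [r"C:\WINDOWS\system32\userinit.exe"],
}
INFECTED = {
    "userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe",
    "files": [r"C:\WINDOWS\System32\wsnpoem\audio.dll",
              r"C:\WINDOWS\system32\ntos.exe"],
}

if __name__ == "__main__":
    for name, host in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, triage_host(host["userinit"], host["files"]))
```

The stock Userinit value normally ends with a trailing comma, which the split step ignores, so a clean host produces no findings.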
