OAGITM Members:

I thought you might be interested in this bulletin!

Regards,

Theresa A. Masse
State Chief Information Security Officer
State of Oregon
Department of Administrative Services
Enterprise Security Office
(503) 378-4896

________________________________
From: Duffy, Thomas (CSCIC) [mailto:Thomas.Duffy@xxxxxxxxxxxxxxxxx] On Behalf Of Pelgrin, William (CSCIC)
Sent: Friday, March 05, 2010 2:13 PM
To: Pelgrin, William (CSCIC)
Subject: MS-ISAC INFORMATION BULLETIN: SPAM E-mail Messages with the subject "DPRK has carried out nuclear missile attack on Japan"
Importance: High

MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER
CYBER SECURITY INFORMATION BULLETIN

DATE ISSUED: March 5, 2010

SUBJECT: SPAM E-mail Messages with the subject "DPRK has carried out nuclear missile attack on Japan"

On March 5, 2010, it was reported that SPAM email messages are being distributed with the subject "DPRK has carried out nuclear missile attack on Japan". The email contains the following link: hxxp://dnicenter.com/docs/report.zip. DO NOT DOWNLOAD THIS FILE!

It should be noted that the zip file actually contains an executable named "report.exe" which is the installer for the Zeus Trojan. Once executed, the Zeus Trojan sets the following registry key:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "userinit" = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe"

The malicious code then creates the 'wsnpoem' folder in 'C:\WINDOWS\system32\' and creates a file 'audio.dll' in the folder. Audio.dll contains the captured key logger information. The malware is also known to inject itself into winlogon.exe, smss.exe, services.exe, and svchost.exe.

Please see the attached file as it contains an example of the message purporting to be sent from a government agency.

We recommend blocking access to hxxp://dnicenter.com.

If you believe you have received a message of this nature, please notify your Information Security Officer (ISO) immediately.

MS-ISAC
30 South Pearl Street, Suite P2
Albany, NY 12207
(518) 474-0865
7x24 CSAC 1-866-787-4722

________________________________
This message may contain confidential information and is intended only for the individual(s) named. If you are not an intended recipient you are not authorized to disseminate, distribute or copy this e-mail. Please notify the sender immediately if you have received this e-mail by mistake and delete this e-mail from your system.
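
A host check for the indicators named in the bulletin above, added here as an example; it is not part of the MS-ISAC bulletin or of the forwarding message. The registry key, value and file paths are the ones the bulletin lists; the function names are hypothetical, and the script assumes a Userinit value holding only userinit.exe is the expected state.

```powershell
# Added example: look for the bulletin's indicators on the local host.
# Function names are hypothetical; paths and the key come from the bulletin.

function Get-UnexpectedUserinitEntry {
    param(
        [string]$UserinitValue,
        [string]$Expected = "$env:SystemRoot\system32\userinit.exe"
    )
    # Userinit is a comma-separated list of programs Winlogon starts at logon.
    # Anything other than userinit.exe itself is worth a look.
    $UserinitValue -split ',' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -and ($_ -ine $Expected) }
}

function Test-BulletinIndicators {
    $findings = @()

    # 1. Extra programs appended to the Winlogon Userinit value.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $key -Name Userinit -ErrorAction Stop).Userinit
    foreach ($entry in @(Get-UnexpectedUserinitEntry -UserinitValue $userinit)) {
        $findings += [pscustomobject]@{ Indicator = 'Userinit entry'; Value = $entry }
    }

    # 2. Files and folder the bulletin says are created under system32.
    $sys32 = Join-Path $env:SystemRoot 'system32'
    foreach ($rel in 'ntos.exe', 'wsnpoem', 'wsnpoem\audio.dll') {
        $path = Join-Path $sys32 $rel
        # -Force includes items marked hidden or system.
        if (Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue) {
            $findings += [pscustomobject]@{ Indicator = 'File system'; Value = $path }
        }
    }
    $findings
}

# The value quoted in the bulletin, used as sample input for the parser:
Get-UnexpectedUserinitEntry `
    -UserinitValue 'C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe' `
    -Expected 'C:\WINDOWS\system32\userinit.exe'

# Check the local machine (run from a 64-bit shell on 64-bit Windows so that
# system32 is not redirected):
Test-BulletinIndicators | Format-Table -AutoSize
```

Because the bulletin states that the malware injects itself into system processes, an empty result from a running host does not rule out infection; an offline check of the disk and registry hive is more reliable.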