Websense® Security Labs™ has discovered a new Trojan Horse / DNS
October 2007 by Websense
Websense® Security Labs™ has discovered a new Trojan Horse / DNS redirector being distributed via email with URL lures. The email message is in HTML, is written in Spanish, and attempts to lure users into clicking a link in order to join the Samsung Fan Club.
The subject roughly translates to: "Get more for less" (screenshot below).
If users click the URL, they are directed to a compromised website hosted in Texas that was still up at the time of the alert. The site contains no exploit code but hosts a Trojan Horse with the filename "SAMSUNG.EXE" and an MD5 of 892d9d19859a13cb3f453da446d1d538.
When run, the file modifies several Windows components, including the hosts file, and opens Internet Explorer to both the real Samsung Mexico website and an adult entertainment website. At the time of testing, the file also had *very* low detection rates from anti-virus signatures.
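A defender-side check for the hosts-file tampering described above, written as an added example (it is not code from the Websense alert). It parses a constructed sample hosts file and flags every entry that maps a name to anything other than the local machine, which is how a hosts-file DNS redirector diverts traffic:

```python
import ipaddress

# Constructed sample hosts file (not from the alert): normal loopback entries,
# a comment, a benign 0.0.0.0 sinkhole entry, and two entries of the kind a
# DNS redirector plants so that a real domain resolves to an attacker host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.invalid      # ad-block style entry, harmless
198.51.100.23   www.bank.example  online.bank.example
203.0.113.7     update.example
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring blank lines and '#' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue                          # blank or malformed line
        for name in parts[1:]:                # one IP may carry several names
            yield parts[0], name.lower()


def suspicious_entries(text):
    """Return hosts entries that send a name somewhere other than this machine.

    Loopback (127.0.0.0/8, ::1) and unspecified (0.0.0.0, ::) targets are the
    normal content of a hosts file; any other address routes a name to a remote
    host and is worth an alert on a workstation.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name))        # not a valid address: report it
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        flagged.append((ip, name))
    return flagged


if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"hosts file redirects {name} -> {ip}")
```

On a live system, read the real hosts file (C:\Windows\System32\drivers\etc\hosts on Windows) into `suspicious_entries` and compare the result against a known-good baseline.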