I received an interesting piece of malevolent e.mail to-day.
It represents itself as coming from "Daily Top 10" <Aleksandra-namgof@asntechnologies.com>
which isn't very slick, but the subject is given as CNN.com Daily Top 10
, and the body looks very authentic: Some of the links were indeed to servers at cnn.com, but the video links were to http://97folders.org/news
— proceed there only at your own risk. When I looked at that site, it attempted to persuade Windows users to download and install a program named adobe_flash.exe
, which contains trojan malware which AVG identifies as I-Worm/Nuwar.V
.
(Now, someone might expect users to know, from the site-name of 97folders.org
, that this wasn't a legitimate CNN site, but the fact is that I've more than once been sent by a legitimate — if none-the-less goddamn'd stupid — organization to a site with an odd name. So I won't much blame anyone who trusts this site.)
When run on a Windows system, this malware adds
CbEvtSvc.exe
to the System folder (typically
\WINDOWS\system32\
). If you know a system on which this file has been installed,
delete it. A file of this name is
not part of an original installation, so if you find one then it is probably an artefact of an infection.
The trojan horse will also make a number of modifications to the WIndows registry. If you know how to edit the registy, then delete keys containing either the string CbEvtSvc
or LEGACY_CBEVTSVC
.
According to McAfee, if the code has been resident for about 30 minutes or more, then it will have attempted to download further malware.