Inoculation is effective against this threat.
There was a new spam run overnight; tempting unsuspecting users with a “photo”:
Inside the attached zip file lurks “IMG_03541_12_12_2014 jpeg .exe”, a malicious downloader trojan, but this is just one of different names. Also seen is the name Sales Receipt_Merchant Report_8740039111_pdf.exe.
When run the threat may crash in some environments, but in others it will install itself in the C:\ProgramData directory as ms???.exe where ? equals a random letter.
A registry run key is created to run the malware on reboot:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ########## = C:\PROGRA~2\ms???.exe
This process spawns msiexec.exe, which in turn uses Google’s DNS servers (18.104.22.168) to query and subsequently contact the following domains:
Various system policies are set to help conceal the malware:
Advanced “ShowSuperHidden” = 0
Explorer “HideSCAHealth” = 0
Explorer “TaskbarNoNotification” = 0
The following services are disabled:
The code contains the following hash, which you can Google to reveal its meaning:
About half of the major anti-virus vendors detect at this point (and growing):