A number of users are being duped into downloading and running a file currently given names similar to foto049.com, which is being served off of a system hosted in Moscow:
vfoto.fromru.su /foto049. com
The link appears to be spread over email in messages claiming to link to photos and videos.
The file is a downloader that pulls down multiple encrypted executable files from systems in Brazil that are also known to serve up Zbot banking password stealers. These encrypted files are downloaded and copied with “.html” and “.txt” extensions into a “winnt_” directory that the downloader creates off of the system’s root drive. The seven files are then decrypted, renamed, added to autorun locations in the registry and run. As you can see in the ThreatExpert report, the files are consistently given names looking similar to system filenames:
One component harvests email addresses from Orkut and other accounts, and others appear to be mainly interested in stealing information provided to Brazilian banks like Itau, Bradesco, BancoBrasil, etc. Our ThreatFire community in Brazil and other parts of the world has been protected from the threat since this variant first appeared on Friday, and users must be wary of running unsigned (or any) executables from links that are spread over email, even from friends.
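As an added triage example (not from the original post or the ThreatExpert report), the Python below flags the two host artefacts described above: registry autorun entries that launch from a “winnt_” directory directly off a drive root, and the staged “.html”/“.txt” files left inside it. The registry values, the file listing and the list of system-binary names used for the lookalike heuristic are constructed assumptions; on a live host you would feed it real output from `winreg` and `os.walk`.

```python
import ntpath
import re

# Drop directory named in the post: "winnt_" created directly off the root drive.
DROP_DIR_RE = re.compile(r"^[a-z]:\\winnt_(\\|$)", re.IGNORECASE)
# Assumed: directories a legitimate system-named binary would normally run from.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\", "\\program files\\")
# Assumed list of real Windows binary names that dropped components tend to imitate.
SYSTEM_NAMES = ("svchost", "lsass", "csrss", "winlogon", "services", "spoolsv", "explorer")

# Constructed sample data (not taken from the post): Run-key values and a listing.
SAMPLE_RUN_VALUES = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader":
        r'"C:\Program Files\Adobe\Reader\reader_sl.exe"',
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32":
        r"C:\winnt_\svchost32.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
        r"C:\Windows\System32\SecurityHealthSystray.exe",
}
SAMPLE_LISTING = [r"C:\winnt_\img03.html", r"C:\winnt_\readme.txt",
                  r"C:\winnt_\svchost32.exe", r"C:\Users\alice\notes.txt"]

def in_drop_dir(path: str) -> bool:
    """True if the path sits in <drive>:\\winnt_ (not a nested winnt_ elsewhere)."""
    return bool(DROP_DIR_RE.match(path.strip('"')))

def mimics_system_name(path: str) -> bool:
    """True if the basename resembles a Windows system binary (e.g. svchost32.exe)
    but the file is not located in one of the expected system directories."""
    low = path.lower()
    if any(d in low for d in SYSTEM_DIRS):
        return False
    stem = ntpath.splitext(ntpath.basename(low))[0]
    return any(stem.startswith(name) for name in SYSTEM_NAMES)

def triage_autoruns(run_values: dict) -> list:
    """Return (registry value, executable, reasons) for suspicious autorun entries."""
    findings = []
    for key, cmd in run_values.items():
        # Quoted commands carry spaces in the path; otherwise the first token is the exe.
        exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
        reasons = []
        if in_drop_dir(exe):
            reasons.append("launches from winnt_ drop directory")
        if mimics_system_name(exe):
            reasons.append("system-lookalike name outside system dir")
        if reasons:
            findings.append((key, exe, reasons))
    return findings

def staged_payloads(listing: list) -> list:
    """Files in the drop dir still carrying the .html/.txt staging extensions."""
    return [p for p in listing if in_drop_dir(p) and p.lower().endswith((".html", ".txt"))]
```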