A new malware variant is being distributed by email with the subject “Your internet access is going to get suspended”. The message body reads:
Your internet access is going to get suspended
The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts.
We are aware of your illegal activities on the internet wich were originating from You can check the report of your activities in the past 6 month that we have attached.
We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.
Sincerely
ICS Monitoring Team
The message carries a zip attachment named user-EA49943X-activities.zip, which extracts to user-EA49943X-activities.exe. The file names vary from email to email.
The malware registers a Winlogon notification package so that its module is loaded into the address space of winlogon.exe. It drops three files into the %System% folder: cabpck.dll (detected as Mal/TinyDL-T by Sophos), k86.bin and krnlcab.sys (detected as Backdoor:Win32/Haxdoor by Microsoft).
It also creates the directory %Temp%\msi_setup and beacons out to a remote host with a request such as http://****-****.biz/jerken/data.php?trackid=706172616D3D6 or http://*****.net/22/data.php?trackid=706172616D3D636D64266C616E6
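As an added example (not code from the original post), the snippet below pulls apart the two beacon URLs quoted above and decodes the hex "trackid" value so it can feed a narrow detection rule. The hosts are kept masked exactly as the post prints them (****-****.biz and *****.net); treating those as literal strings is an assumption for the sake of the demo, and the second trackid is copied as it appears in the post, cut off after an odd number of hex digits, which the decoder handles explicitly.

```python
# Added example (not from the original post): decode the hex "trackid"
# parameter seen in this sample's beacon URLs and flag matching requests.
# The masked hosts below are taken verbatim from the post; they are an
# assumption about how the page prints them, not real hostnames.
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: the two URLs as quoted in the post. The second
# trackid ends after an odd number of hex digits, i.e. it is truncated.
OBSERVED_URLS = [
    "http://****-****.biz/jerken/data.php?trackid=706172616D3D6",
    "http://*****.net/22/data.php?trackid=706172616D3D636D64266C616E6",
]

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def decode_trackid(value: str) -> Tuple[str, bool]:
    """Decode a hex-encoded trackid and report whether it was truncated.

    An odd digit count means the last byte is incomplete; the dangling
    nibble is dropped and truncated=True is returned so the analyst knows
    the decoded text is only a prefix of the real value.
    """
    if not HEX_RE.match(value):
        raise ValueError(f"trackid is not hex: {value!r}")
    truncated = len(value) % 2 == 1
    usable = value[:-1] if truncated else value
    text = bytes.fromhex(usable).decode("ascii", errors="replace")
    return text, truncated


def analyse_beacon(url: str) -> dict:
    """Classify one URL against the pattern seen in this sample.

    The rule is deliberately narrow: a request to a script named data.php
    whose trackid is hex that decodes to a 'param=' key/value string.
    """
    parts = urlsplit(url)
    trackid: Optional[str] = parse_qs(parts.query).get("trackid", [None])[0]
    decoded, truncated = None, False
    if trackid is not None and HEX_RE.match(trackid):
        decoded, truncated = decode_trackid(trackid)
    suspicious = (
        parts.path.endswith("/data.php")
        and decoded is not None
        and decoded.startswith("param=")
    )
    return {
        "host": parts.netloc,
        "path": parts.path,
        "trackid": trackid,
        "decoded": decoded,
        "truncated": truncated,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for u in OBSERVED_URLS:
        r = analyse_beacon(u)
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        tail = " (truncated in the post)" if r["truncated"] else ""
        print(f"{flag:10} {r['host']}{r['path']} trackid -> {r['decoded']!r}{tail}")
```

Decoding the two values as printed gives `param=` and `param=cmd&lan`, so the trackid is itself a hex-encoded query string; that `param=` prefix, together with the `data.php` path, is what the rule keys on. Because the hosts change between samples, keying on the request shape rather than the domain is the more durable proxy-log check.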
Only 8 of the 36 antivirus engines detect this sample: F-Secure flags it as Suspicious:W32/Malware!Gemini, Trend Micro as PAK_Generic.001 and AVG as SHeur.CIKH.
VirusTotal permalink and MD5: 6ba40e29db8fb6f9145fde7a45708875.