TROJ_ARTIEF.B
Overview

Malware type: Trojan

Aliases: Backdoor.Trojan (Symantec), BD/Agent.EU (Avira)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: Medium

Distribution potential: Low

Infection Channel 1: Spammed via email


Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

TROJ_ARTIEF.B Behavior Diagram

Malware Overview

This Trojan arrives via an email message spammed by other malware or by a malicious user. The message contains a link to an RTF document with an embedded EXE file. The RTF is only the carrier; Trend Micro detects the embedded EXE file itself as TROJ_ARTIEF.B.

The email message contains the following details (spelling and wording reproduced as in the original message, since the misspellings are part of the lure and are useful for identifying it):

Dear XXXXX,
We regret to inform you that your company is currently being investigated by our CI department for criminal tax fraud due to a complaint that was filled by a {supposed complainant} on 02/05/2007

Complaint Case Number: MT529057251
Complaint made by: {supposed complainant}
Complaint registered against :{company}
Date: 02/05/2007

You are being investigated for submiting false income tax returns with the California Franchise Tax Board. Instructions on how to resolve this issue aswell as a copy of the original complaint can be found on the link bellow.

{link here}
Complaint Documents

Criminal Investigation (CI) serves the American public by investigating potential criminal violations of the Internal Revenue Code and related financial crimes in a manner that fosters confidence in the tax system and compliance with the law. Criminal Investigation department resides at:

{CI office address}

Please note that you are required to review the complaint and fill out the document from the above link and mail it to the CI address.

A sample of the linked document is found below:

{Attached RTF}

Upon execution, this Trojan drops a copy of itself as COMPLAINT_7251.EXE in the Windows system folder. Note that the file name echoes the last digits of the complaint case number used in the lure email.

The dropped copy is injected into the legitimate IEXPLORE.EXE process, which allows it to open a hidden Internet Explorer window. Running inside the browser process makes its outbound HTTP traffic appear to come from Internet Explorer, a common way of slipping past personal firewalls that allow or block traffic per process. From this hidden window it accesses a URL to download a malicious file detected by Trend Micro as TROJ_AGENT.SXR. As a result, the routines of the downloaded file can also be observed on the affected system. The download URL is not given in this description.

Note that the dropped EXE uses the Adobe PDF icon to trick users into thinking it is a legitimate document rather than an executable.
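As an added triage example (not part of the original description and not Trend Micro's tooling): the script below pulls the hex-encoded \objdata stream out of an RTF, decodes the OLE1 embedded-object wrapper that Word writes around an inserted object, and reports any PE image found in the native data. Both the RTF and the stub executable are constructed inline for the example; the OLE1 layout (OLEVersion, FormatID, class/topic/item strings, NativeDataSize) is the documented one, and the check for an "MZ" header whose e_lfanew lands on "PE\0\0" is the usual way to confirm an embedded executable. It assumes plain hex \objdata and does not handle the \bin binary form.

```python
import re
import struct

# --- Constructed sample input (not from the original page) -----------------

def build_stub_pe() -> bytes:
    """Stand-in for the embedded EXE: a DOS header whose e_lfanew points at a
    PE signature. Not a runnable program, only a structurally valid header."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3A)        # e_magic + padding to 0x3c
    dos += struct.pack("<I", 0x80)                  # e_lfanew -> PE header at 0x80
    dos += b"\x00" * (0x80 - len(dos))
    coff = b"PE\x00\x00" + struct.pack("<H", 0x014C) + b"\x00" * 18   # i386 machine
    return bytes(dos) + coff + b"\xCC" * 64


def build_ole1_object(class_name: bytes, native: bytes) -> bytes:
    """OLE1 embedded-object stream, the layout behind \\objdata: OLEVersion,
    FormatID (2 = embedded), three length-prefixed ANSI strings (class,
    topic, item), NativeDataSize, NativeData."""
    def lpstr(s: bytes) -> bytes:
        s += b"\x00"
        return struct.pack("<I", len(s)) + s
    return (struct.pack("<II", 0x00000501, 2)
            + lpstr(class_name) + lpstr(b"") + lpstr(b"")
            + struct.pack("<I", len(native)) + native)


def build_sample_rtf() -> str:
    """Minimal RTF resembling the lure: text plus one embedded 'Package'
    object whose native data is the stub PE. Word wraps the hex at 76
    columns, so the parser has to cope with embedded newlines."""
    hexdata = build_ole1_object(b"Package", build_stub_pe()).hex()
    wrapped = "\n".join(hexdata[i:i + 76] for i in range(0, len(hexdata), 76))
    return ("{\\rtf1\\ansi{\\fonttbl{\\f0 Arial;}}\\f0 Complaint Documents\\par\n"
            "{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\n"
            + wrapped + "}}\\par}")

# --- Triage logic -----------------------------------------------------------

OBJDATA_RE = re.compile(r"\\\*\\objdata\s*([0-9a-fA-F\s]+)")


def extract_objdata(rtf: str) -> list:
    """Hex-decode every \\objdata group; whitespace in the hex run is ignored,
    a '}' or any non-hex control word terminates it."""
    blobs = []
    for run in OBJDATA_RE.findall(rtf):
        try:
            blobs.append(bytes.fromhex(re.sub(r"\s+", "", run)))
        except ValueError:          # odd-length or otherwise corrupt hex run
            continue
    return blobs


def parse_ole1(blob: bytes):
    """Return (class_name, native_data) for an OLE1 embedded object, or None
    for linked objects and truncated streams."""
    if len(blob) < 8:
        return None
    _version, fmt = struct.unpack_from("<II", blob, 0)
    if fmt != 2:                       # 1 = linked, 5 = presentation only
        return None
    pos, names = 8, []
    for _ in range(3):                 # ClassName, TopicName, ItemName
        if pos + 4 > len(blob):
            return None
        n = struct.unpack_from("<I", blob, pos)[0]
        pos += 4
        names.append(blob[pos:pos + n].rstrip(b"\x00").decode("latin-1", "replace"))
        pos += n
    if pos + 4 > len(blob):
        return None
    size = struct.unpack_from("<I", blob, pos)[0]
    pos += 4
    return names[0], blob[pos:pos + size]


def find_pe(data: bytes) -> list:
    """Offsets of plausible PE images: 'MZ' whose e_lfanew lands on 'PE\\0\\0'.
    Scanning instead of trusting offset 0 matters because a real Package
    object wraps the file in a Packager header before the EXE bytes."""
    hits = []
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            break
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        sig = off + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\x00\x00":
            hits.append(off)
    return hits


def scan_rtf(rtf: str) -> list:
    """One finding per embedded PE: object class, offset of the PE inside the
    native data, and bytes from there to the end of the object."""
    findings = []
    for blob in extract_objdata(rtf):
        parsed = parse_ole1(blob)
        if parsed is None:
            continue
        cls, native = parsed
        for off in find_pe(native):
            findings.append({"class": cls, "pe_offset": off, "pe_size": len(native) - off})
    return findings


if __name__ == "__main__":
    for f in scan_rtf(build_sample_rtf()):
        print(f"embedded PE in {f['class']!r} object at +{f['pe_offset']:#x}, {f['pe_size']} bytes")
```

Against a captured lure, replace build_sample_rtf() with the file contents; the object class reported for a dropped EXE is normally "Package", and the native data slice can be written out for hashing and detonation.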


Description created: May. 30, 2007 7:28:41 AM GMT -0800
