{"id":370,"date":"2008-08-07T23:06:09","date_gmt":"2008-08-08T07:06:09","guid":{"rendered":"http:\/\/www.oeconomist.com\/blogs\/daniel\/?p=370"},"modified":"2009-09-25T20:53:22","modified_gmt":"2009-09-26T04:53:22","slug":"cnn-trojan-attack","status":"publish","type":"post","link":"https:\/\/www.oeconomist.com\/blogs\/daniel\/?p=370","title":{"rendered":"CNN Trojan Horse Attack"},"content":{"rendered":"<p>I received an interesting piece of malevolent e.mail to-day.<\/p> <p>It represents itself as coming from <q>\"Daily Top 10\" &lt;Aleksandra-namgof@asntechnologies.com&gt;<\/q> which isn't very slick, but the subject is given as <q>CNN.com Daily Top 10<\/q>, and the body looks <em>very<\/em> authentic: <a href=\"wp-content\/uploads\/2008\/08\/cnnspoof.gif\"><img loading=\"lazy\" decoding=\"async\" src=\"wp-content\/uploads\/2008\/08\/cnnspoof_sm.gif\" width=\"450\" height=\"395\" style=\"display: block ; margin-left: auto ; margin-right: auto ; margin-top: 1em ; margin-bottom: 1em ;\" alt=\"[capture of CNN spoof e.mail]\" \/><\/a> Some of the links were indeed to servers at cnn.com, but the video links were to <code>&#104;ttp:\/\/97folders.org\/news<\/code> &mdash; <em>proceed there only at your own risk<\/em>.  When I looked at that site, it attempted to persuade Windows users to download and install a program named <q><code>adobe_flash.exe<\/code><\/q>, which contains trojan malware which <a href=\"http:\/\/www.grisoft.com\/\">AVG<\/a> identifies as <q>I-Worm\/Nuwar.V<\/q>.<\/p> <p>(Now, someone might expect users to <em>know<\/em>, from the site-name of <q>97folders.org<\/q>, that this wasn't a legitimate <abbr title=\"Cable News Network\">CNN<\/abbr> site, but the fact is that I've more than once been sent by a legitimate &mdash; if none-the-less <em>goddamn'd stupid<\/em> &mdash; organization to a site with an odd name.  
So I won't <em>much<\/em> blame anyone who trusts <em>this<\/em> site.)<\/p> <p>When run on a Windows system, this malware adds <div style=\"padding: 1em ;\"><code>CbEvtSvc.exe<\/code><\/div> to the System folder (typically <code>\\WINDOWS\\system32\\<\/code>). If you know a system on which this file has been installed, <em>delete it<\/em>.  A file of this name is <em>not<\/em> part of an original installation, so if you find one then it is probably an artefact of an infection.<\/p> <p>The trojan horse will also make a number of modifications to the Windows registry.  If you know how to edit the registry, then delete keys containing either the string <q><code>CbEvtSvc<\/code><\/q> or <q><code>LEGACY_CBEVTSVC<\/code><\/q>.<\/p> <p><a href=\"http:\/\/uk.mcafee.com\/virusInfo\/default.asp?id=description&virus_k=144165\">According to McAfee, if the code has been resident for about 30 minutes or more, then it will have attempted to download further malware.<\/a><\/p>","protected":false},"excerpt":{"rendered":"I received an interesting piece of malevolent e.mail to-day. 
It represents itself as coming from \"Daily Top 10\" &lt;Aleksandra-namgof@asntechnologies.com&gt; which isn't very slick, but the subject is given as CNN.com Daily Top 10, and the body looks very authentic: Some of the links were indeed to servers at cnn.com, but the video links were to [&hellip;]","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"footnotes":""},"categories":[69,4],"tags":[362,359,361,360],"class_list":["post-370","post","type-post","status-publish","format-standard","hentry","category-information-technology","category-public","tag-exploits","tag-malware","tag-spoofs","tag-trojans"],"_links":{"self":[{"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=\/wp\/v2\/posts\/370","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=370"}],"version-history":[{"count":0,"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=\/wp\/v2\/posts\/370\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=370"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=370"},{"
taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=370"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}