The Grum Trojan

If you get an email trying to get you to download MSFT IE7.0 Beta 2, don’t. It is a spam email trying to get you to download a Trojan called Grum, and besides, if you have been paying attention, you’ll know that IE7 is already out and no longer in beta. The emails even come with this nice, pretty graphic.

Grum Trojan

This thing was a bear to reverse, by the way. It performs a lot of remote thread injection and defends itself nicely. It blocks IDA Pro, it kills OllyDbg, it blinds a bunch of processes, and the main process (%User%\Local Setting\Temp\winlogon.exe) sleeps quietly if it’s being traced too much. This kept hosing up my XP analysis box. A pretty good sandbox analysis is on the Anubis project website. So far Anubis is the only sandbox that did anything useful with it. Here’s a list of domains we’ve seen used so far for this one (with many more missing from this list):

Source: Today’s Other Malware Threat: IE7.0.exe
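One defender-side check the description above suggests, added here as an example that is not from the original post or its source: a process carrying the name of a core Windows binary (winlogon.exe in this case) but running from somewhere other than the system directory is worth flagging. The system directory path and the process listing below are assumed and constructed for the example.

```python
import ntpath

# Windows binaries that only belong in the system directory. Short, constructed
# list for this example; winlogon.exe is the name the Grum sample used for its
# main process when it ran out of the user's Temp folder.
SYSTEM_ONLY_BINARIES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe"}

# Assumed %SystemRoot%\System32 of the analysis box (adjust for the real machine).
SYSTEM_DIRS = {r"C:\WINDOWS\system32"}


def is_masquerading(image_path, system_dirs=SYSTEM_DIRS):
    """True when a system-only binary name runs from outside the system directory.

    Comparison is case-insensitive and tolerant of forward slashes, as Windows is.
    """
    directory, name = ntpath.split(ntpath.normpath(image_path))
    if name.lower() not in SYSTEM_ONLY_BINARIES:
        return False  # not a name that warrants a location check
    allowed = {d.lower() for d in system_dirs}
    return directory.lower() not in allowed


def find_masquerading(process_list):
    """process_list: iterable of (pid, image_path). Returns the flagged pairs."""
    return [(pid, path) for pid, path in process_list if is_masquerading(path)]


# Constructed sample process listing, not real data from an infected machine.
SAMPLE_PROCESSES = [
    (624, r"C:\WINDOWS\system32\winlogon.exe"),   # the legitimate one
    (1884, r"C:\Documents and Settings\user\Local Settings\Temp\winlogon.exe"),
    (2012, r"C:\Program Files\Internet Explorer\iexplore.exe"),
]

if __name__ == "__main__":
    for pid, path in find_masquerading(SAMPLE_PROCESSES):
        print(f"suspicious: pid {pid} running {path}")
```

On a live box the (pid, path) pairs would come from the process list (for example a WMI or tasklist query) rather than the constructed sample.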

Always beware of emails trying to get you to visit a website or download something. I know there are lots of newsletters that link to websites, but usually you subscribe to those, so you should know they are okay. Just pay attention, don’t run as administrator, and keep anti-virus and a spyware removal program handy.