A new variant of Download.ject is in the wild, using instant messaging to spread. Like the first strain, this Trojan horse is designed to open backdoors and steal financial data, according to PivX Solutions. The Newport Beach, Calif.-based security firm was still analyzing the scope of the threat Thursday afternoon.
"This one has most of the characteristics of the first Download.ject," said Thor Larholm, senior security researcher with PivX. "The difference is that this one uses instant messaging to spread. If you receive the message and click the link, you're infected. Like the first attack, this one also appears to be financially motivated."
Larholm said it arrives as a harmless-looking instant message on AIM or ICQ that reads, "My personal home page http://XXXXXXX.X-XXXXXX.XXX/." Once the user clicks on this link Internet Explorer opens a malicious Web site that infects the user through several Internet Explorer vulnerabilities. The first thing users with infected machines will notice is a modified home page and search pane in the browser. In place of the user's preferred home page is a site called TargetSearch and several browser windows displaying adult advertisements and referral links. PivX has notified antivirus vendors so they can create signatures for the threat, Larholm said.
The HangUP Team, a for-profit malicious code group from Russia, is believed responsible for the first Download.ject and for the recent rash of Korgo worms that attacked the LSASS vulnerability Microsoft outlined in Security Bulletin MS04-011. Experts believe the goal of that attack was to deliver, to visitors of an affected Web site, malicious code that could be used to steal credit card and other information, which would then be sold to organized identity theft groups.
It's unclear if the HangUP Team is behind the latest variant.