Troj/Redir-P is one of the many variants of malicious scripts designed to force victims to visit a hacked Russian website, which then attacks the victim’s computer using the BlackHole Exploit Kit. Since May of 2012, these scripts have become a common component of a wave of spam email messages that has affected computers all over the world. Because of the prevalence of this kind of threat, ESG malware analysts recommend not opening or viewing any unsolicited email attachment, even if it looks like it came from a trusted source (email sender addresses can be spoofed quite easily). You should also keep your anti-spam filter and anti-malware software fully updated so that they can detect and block the kinds of redirects that Troj/Redir-P and similar Trojans cause on infected computers.
Although only a few years ago the use of the BlackHole Exploit Kit required advanced computer knowledge and very deep pockets (hackers would pay thousands of dollars for access to this hacking tool), the 2011 public release of this dangerous exploit kit resulted in a dramatic increase in the number of attack websites using it to compromise computers. In addition to the Troj/Redir-P Trojan, ESG security researchers have also observed other Trojans, such as Troj/Redir-O and Troj/PDFEx-GD, associated with these attack websites. Troj/Redir-P in particular uses an email message written in German which claims to contain important photographs in an attached file. However, the attachment is actually Troj/Redir-P itself.
How Criminals Infect Your Computer with the Troj/Redir-P Trojan
Email messages associated with Troj/Redir-P are sent to email addresses under the ‘.de’ top-level domain, which corresponds to Germany. Like a French scam detected in early July of 2012, Troj/Redir-P’s malicious email claims that its attachment contains important photos. Curious computer users, wanting to get more information, may open the attached file, resulting in a redirect to a hacked Russian website that uses a BlackHole Exploit Kit attack to infect the victim’s computer with malware. ESG malware analysts have observed that the email messages carrying Troj/Redir-P use fake sender email addresses in order to dupe PC users into thinking that they are legitimate; samples detected in the wild used sender addresses corresponding to LinkedIn or Habbo Hotel. The attached file is named DCIM.htm. The malicious email message encourages victims to open this file using Internet Explorer, since this web browser is the most susceptible to BlackHole Exploit Kit attacks.
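The infection chain above rests on a small HTML attachment whose only job is to send the browser elsewhere. The following Python script is an added example for mail-gateway or incident-response use; it is not code from the original page or from ESG. It statically scans an HTML attachment for redirect mechanisms (meta refresh, script-driven `location` assignment, iframe src), treats a redirect on a page with almost no visible content as suspicious, and flags the camera-style name/HTML-extension mismatch seen with `DCIM.htm`. The two sample attachments and the `redirect-target.invalid` URL are constructed placeholders, not real indicators.

```python
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser

# Constructed sample: a redirect-only HTML attachment of the kind described above.
# The target URL is a placeholder (.invalid TLD), not a real indicator.
SAMPLE_REDIRECT_HTM = """<html><head>
<meta http-equiv="refresh" content="0;url=http://redirect-target.invalid/landing">
</head><body>
<script>window.location='http://redirect-target.invalid/landing';</script>
</body></html>"""

# Constructed sample: an ordinary HTML page with real visible content and no redirect.
SAMPLE_BENIGN_HTM = """<html><head><title>Photos</title></head>
<body><h1>Holiday</h1><p>Some text about the trip.</p><img src="photo1.jpg"></body></html>"""

# Heuristic: a redirecting page with fewer visible characters than this is "redirect-only".
MIN_VISIBLE_TEXT = 50


class RedirectScanner(HTMLParser):
    """Collects redirect targets and measures how much human-visible text the page has."""

    def __init__(self):
        super().__init__()
        self.redirect_urls = []
        self.visible_text_len = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content") or "", re.I)
            if m:
                self.redirect_urls.append(m.group(1))
        elif tag == "iframe" and a.get("src"):
            self.redirect_urls.append(a["src"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            # Script bodies arrive as raw data; look for location/location.href assignments.
            for m in re.finditer(
                r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", data
            ):
                self.redirect_urls.append(m.group(1))
        else:
            self.visible_text_len += len(data.strip())


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)
    redirect_urls: list = field(default_factory=list)


def scan_html_attachment(html: str, filename: str) -> Verdict:
    """Static scan of one HTML attachment; returns a verdict with human-readable reasons."""
    parser = RedirectScanner()
    parser.feed(html)
    parser.close()
    reasons = []

    if parser.redirect_urls:
        reasons.append("attachment redirects the browser to: " + ", ".join(parser.redirect_urls))
    redirect_only = bool(parser.redirect_urls) and parser.visible_text_len < MIN_VISIBLE_TEXT
    if redirect_only:
        reasons.append("redirect with almost no visible content (redirect-only page)")
    # Lure mismatch: a camera-folder style name (e.g. DCIM) delivered as an HTML file.
    if re.fullmatch(r"(?i)(dcim|img|photo)[\w-]*\.html?", filename):
        reasons.append("photo-style filename with an HTML extension: " + filename)

    # Suspicious when the page is redirect-only, or redirects and carries a lure-style name.
    suspicious = redirect_only or (bool(parser.redirect_urls) and len(reasons) >= 2)
    return Verdict(suspicious, reasons, parser.redirect_urls)


if __name__ == "__main__":
    for name, body in (("DCIM.htm", SAMPLE_REDIRECT_HTM), ("holiday.htm", SAMPLE_BENIGN_HTM)):
        v = scan_html_attachment(body, name)
        print(f"{name}: {'SUSPICIOUS' if v.suspicious else 'clean'}")
        for r in v.reasons:
            print("  -", r)
```

The scanner is deliberately static: it never renders the page or follows the redirect, so it can run inside a mail filter before the attachment reaches a user. Treat a hit as a reason to quarantine and inspect, and feed the collected target URLs to your blocklist or sandbox rather than visiting them.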
How Can You Detect Troj/Redir-P?
Troj/Redir-P Technical Report
As new Troj/Redir-P details are reported by our customers and findings from our Threat Research Center, we will update this section.
Fake message for Troj/Redir-P:
The following fake message(s) appear for Troj/Redir-P:
deine Fotos findest du im Anhang (Internet Explorer format) (German: “you will find your photos in the attachment”)
Troj/Redir-P Removal Details
Troj/Redir-P creates the following files in the system: