As of March 2012, ESG has received multiple reports of an online scam that attacks computer systems by exploiting the constant presence of the nuclear tensions with Iran in the current news cycle. ESG malware analysts believe that Gen:Variant.Graftor.15447 originates in China and, at least to some degree, targets computer users belonging to the United States military or related institutions. The main exploit arrives as a Microsoft Word document (with the .doc extension) sent out in malicious spam email. The document is titled "Iran's Oil and Nuclear Situation.doc" and clearly attempts to pique the curiosity of computer users interested in the current political tensions between Iran and the Western world.
An Overview of the Actual Gen:Variant.Graftor.15447 Attack
The document contains an exploit that attempts to load a video file in MP4 format from a malicious IP address. This MP4 file is not a real video: only its header is valid, and it exists to convince the system that it is an MP4. When Adobe Flash Player attempts to parse it, it triggers a known vulnerability in that application, CVE-2012-0754 (patched by Adobe in February 2012 in APSB12-03), which allows Gen:Variant.Graftor.15447 to drop an executable file hidden inside the original Microsoft Word document. The MP4 file helps the attack evade anti-virus software because it is streamed from the web rather than attached to the email; by the time an anti-virus program scans it, the exploit has already run. Note that the Word document and the executable it carries are still written to disk, so a signature or structural check on those files remains possible even when the streamed MP4 is missed. The executable embedded in the DOC file is also well hidden, obfuscated in several ways to prevent detection. Gen:Variant.Graftor.15447 is the backdoor that this executable installs; its command-and-control server is located in China. Once installed, Gen:Variant.Graftor.15447 connects to that server and waits for orders from the criminals behind it.
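The two artifacts described above (an MP4 that is valid only by its header, and a DOC carrying a hidden executable) lend themselves to a structural triage check. The following script is an added example written for this page, not ESG's tooling and not code from the sample itself. It walks the MP4 atom layout and reports files whose `ftyp` header is plausible but whose box structure is broken, and it scans a document blob for embedded PE (`MZ`/`PE\0\0`) and Flash (`FWS`/`CWS`/`ZWS`) payloads. The sample inputs are constructed inline for illustration and are not bytes from the real malware.

```python
"""Structural triage for a header-only MP4 and a DOC carrying hidden payloads.

Added example: the byte strings below are constructed stand-ins, not
samples of Gen:Variant.Graftor.15447 or of the real exploit MP4.
"""
import struct

PE_MAGIC = b"MZ"
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def walk_atoms(data):
    """Return [(offset, size, type)] for top-level MP4 atoms.

    Raises ValueError when an atom claims a size that does not fit the
    data, which is what a header-only fake looks like to a strict parser.
    """
    atoms, off, n = [], 0, len(data)
    while off < n:
        if n - off < 8:
            raise ValueError("truncated atom header at offset %d" % off)
        size, atype = struct.unpack(">I4s", data[off:off + 8])
        hdr = 8
        if size == 1:  # 64-bit "largesize" follows the type field
            if n - off < 16:
                raise ValueError("truncated largesize at offset %d" % off)
            size = struct.unpack(">Q", data[off + 8:off + 16])[0]
            hdr = 16
        elif size == 0:  # atom extends to end of file
            size = n - off
        if size < hdr or off + size > n:
            raise ValueError("atom %r at %d claims %d bytes of %d"
                             % (atype, off, size, n))
        atoms.append((off, size, atype.decode("latin-1")))
        off += size
    return atoms


def classify_mp4(data):
    """'mp4' if structurally consistent, 'header-only' if the ftyp header is
    present but the atom layout is broken or has no moov box, else 'not-mp4'."""
    if len(data) < 8 or data[4:8] != b"ftyp":
        return "not-mp4"
    try:
        atoms = walk_atoms(data)
    except ValueError:
        return "header-only"
    if "moov" not in {t for _, _, t in atoms}:
        return "header-only"
    return "mp4"


def find_embedded_payloads(blob):
    """Return sorted [(offset, kind)] for PE images and SWF files inside blob."""
    hits = []
    pos = blob.find(PE_MAGIC)
    while pos != -1:
        # A real PE has e_lfanew at MZ+0x3c pointing at the "PE\0\0" signature.
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3c)[0]
            if blob[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                hits.append((pos, "pe"))
        pos = blob.find(PE_MAGIC, pos + 1)
    for magic in SWF_MAGICS:
        pos = blob.find(magic)
        while pos != -1:
            # Byte 3 is the SWF version; a small positive value is plausible.
            if pos + 8 <= len(blob) and 1 <= blob[pos + 3] <= 50:
                hits.append((pos, "swf"))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)


def _atom(atype, payload=b""):
    return struct.pack(">I", 8 + len(payload)) + atype + payload


# Constructed inputs (not real samples).
GOOD_MP4 = (_atom(b"ftyp", b"isom\x00\x00\x02\x00isom")
            + _atom(b"moov") + _atom(b"mdat"))
# Valid ftyp header, then an atom claiming 2 GB of data in a 72-byte file.
FAKE_MP4 = (_atom(b"ftyp", b"mp42\x00\x00\x00\x00mp42")
            + struct.pack(">I", 0x7FFFFFFF) + b"moov" + b"\x90" * 40)

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file signature
SWF_STUB = b"CWS" + bytes([10]) + struct.pack("<I", 100)
PE_STUB = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
SAMPLE_DOC = OLE_MAGIC + b"\x00" * 64 + SWF_STUB + b"\x00" * 16 + PE_STUB

if __name__ == "__main__":
    for name, blob in (("good", GOOD_MP4), ("fake", FAKE_MP4)):
        print(name, classify_mp4(blob))
    print("doc payloads:", find_embedded_payloads(SAMPLE_DOC))
```

`classify_mp4` is deliberately strict: a real player may tolerate an oversized trailing atom, but for triage a file that advertises `ftyp` and then fails its own size accounting deserves a second look. The payload scan is a magic-string heuristic; obfuscated droppers can defeat it, so treat a hit as a lead rather than proof and a miss as inconclusive.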
Gen:Variant.Graftor.15447 is Clearly a Targeted Attack
PC security analysts commonly create email accounts designed to attract spam. The Gen:Variant.Graftor.15447 attack does not appear to have targeted these accounts, or the general public in particular. Instead, this threat has been found in emails from a large phishing campaign tied to Operation Aurora, the China-attributed intrusion campaign, and directed specifically at military officers in the United States and Taiwan. The Gen:Variant.Graftor.15447 backdoor is persistent and difficult to detect. It is essential to keep your security software, applications (especially Adobe Flash Player and Microsoft Office) and operating system fully updated in order to close the vulnerabilities that Gen:Variant.Graftor.15447 exploits.
This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.