Windows users warned over spammed-out gadget malware attack

Graham Cluley

Windows users are at risk of having their computers infected, after a malware attack posing as an “important company update” was spammed out.

The emails, which use forged headers so that they appear to come from the same domain as the recipient’s own address (if your address is fred@example.com, the email will purport to have been sent from Administrator@example.com), have one unusual trick up their sleeve.

Rather than the malicious file being a plain executable, or a boobytrapped Word or PDF document, the malware is attached as a .gadget file.

If you haven’t heard of gadgets before, they’re the mini-programs that can run in the Windows sidebar. Often they might provide you with a number of functions, such as a desktop clock, an RSS feed or the latest weather report.

Here is what a typical email sent in the malware campaign looks like:

Subject:

IMPORTANT – Internal Use only

Attached file:

internal_use_only.gadget

Message body:

Important Company Update
*********************************

Please read carefully the attached document

**********************************

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.

Jonathan French, a researcher at AppRiver, said in a blog post that they had blocked over 70,000 messages infected with the malware.

French says that a main.exe file contained inside the .gadget archive is actually a downloader, which pulls down further malicious content from the net.

Most likely this means the gadget file is a downloader for some malware that uses encryption to try to bypass filters. One of the more popular pieces of malware that uses this technique is the GameOver Zeus malware.
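As an added example (not code from the article or from AppRiver), here is a Python triage script that checks a message for the two traits described above: a From address forged to match the recipient’s domain, and a .gadget attachment that carries a PE executable. It assumes the .gadget file is a ZIP archive, which is how Windows desktop gadgets are packaged, and builds a constructed sample email inline so it runs offline.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr


def build_sample_gadget() -> bytes:
    """Constructed stand-in for the attachment: a ZIP renamed .gadget holding a
    manifest and a fake PE stub (just the 'MZ' magic, not a real program)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("gadget.xml", "<gadget><name>Internal Use</name></gadget>")
        zf.writestr("main.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


def build_sample_email(gadget: bytes) -> bytes:
    """Constructed message mirroring the campaign's lure and forged sender."""
    msg = EmailMessage()
    msg["From"] = "Administrator@example.com"   # forged to the recipient's domain
    msg["To"] = "fred@example.com"
    msg["Subject"] = "IMPORTANT - Internal Use only"
    msg.set_content("Important Company Update\n\nPlease read carefully the attached document")
    msg.add_attachment(gadget, maintype="application", subtype="octet-stream",
                       filename="internal_use_only.gadget")
    return msg.as_bytes()


def triage(raw: bytes) -> list[str]:
    """Return human-readable findings; a same-domain sender alone is only a
    signal (legitimate internal mail matches too), the .gadget + PE pair is
    the strong indicator from this campaign."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    sender = parseaddr(str(msg["From"]))[1].lower()
    recipient = parseaddr(str(msg["To"]))[1].lower()
    if sender.rsplit("@", 1)[-1] == recipient.rsplit("@", 1)[-1]:
        findings.append(f"sender domain matches recipient domain: {sender}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".gadget"):
            continue
        findings.append(f"gadget attachment: {name}")
        data = part.get_payload(decode=True)
        if not zipfile.is_zipfile(io.BytesIO(data)):
            findings.append(f"{name} is not a ZIP archive")
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if zf.read(member.filename)[:2] == b"MZ":   # PE/DOS header magic
                    findings.append(f"executable inside {name}: {member.filename}")
    return findings
```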

Clearly that’s not something you want running on your computer.

From time to time people claim that the days of malware being spammed out en masse are over, but clearly that’s not the case.

It may be that more and more attacks work hard to not draw attention to themselves, but there are still cybercriminals out there who are more than happy to blast out their malicious code in the hope that at least a small percentage of people will click on the attachment and infect their computers.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

One Reply to “Windows users warned over spammed-out gadget malware attack”

  1. You only need to look here:
    http://support.microsoft.com/kb/2719662

    This fixit has been available for years.
