MX Lab intercepted emails with the subject “Congratulation!!”. The message informs you that you have won an Apple MacBook Air and for more details you will need to open the attached file.
Congratulations!! You have won todays Macbook Air.
Please open attached file and see details.
Seems tempting but by doing so you will in fact unleash the trojan VirTool:Win32/Obfuscator.HG (Microsoft) or Suspicious:W32/Malware!Online (F-Secure) on your system.
The attached file is named winner.zip, 45 kB large, and contains the 52 kB large executable winner.exe.
The trojan will create the following files:
%UserProfile%\reader_s.exe
%System%\reader_s.exe
New processes are created:
%System%\reader_s.exe
%UserProfile%\reader_s.exe
Windows registry modifications are made to make sure that the services run when Windows boots:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
reader_s = "%System%\reader_s.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
reader_s = "%UserProfile%\reader_s.exe"
At the time of writing this article, only 8 of the 40 AV engines picked up the trojan when submitted to VirusTotal, so be careful when receiving it. VirusTotal permalink and MD5: 4ea90acf8a6427060f1a6d003dd3598f.
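A host can be checked for the files, processes and Run values listed above with a short PowerShell script. This is an added example, not MX Lab's code; it assumes %System% means the Windows system directory, and the WOW6432Node key and SysWOW64 path are extra checks for 64-bit hosts that the article does not name.

```powershell
# Added example (not MX Lab's code): look for the reader_s indicators listed above.
# Assumption: %System% is the Windows system directory. The WOW6432Node key and
# SysWOW64 path are extra checks for 64-bit hosts and are not named in the article.
$valueName  = 'reader_s'
$fileName   = 'reader_s.exe'
$articleMd5 = '4ea90acf8a6427060f1a6d003dd3598f'  # article does not say which file this hashes

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$filePaths = @(
    (Join-Path ([Environment]::SystemDirectory) $fileName),
    (Join-Path $env:USERPROFILE $fileName),
    (Join-Path $env:windir "SysWOW64\$fileName")
)
$findings = @()

# Persistence: a Run value named reader_s under any of the keys.
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $valueName)) {
        $findings += [pscustomobject]@{ Type = 'RunValue'; Location = $key; Detail = $props.$valueName }
    }
}

# Dropped files: report the MD5 so it can be compared with the article's hash.
foreach ($path in $filePaths) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash.ToLower()
        $findings += [pscustomobject]@{
            Type = 'File'; Location = $path
            Detail = "MD5=$md5 matchesArticleMd5=$($md5 -eq $articleMd5)"
        }
    }
}

# Running processes started from reader_s.exe.
Get-Process -Name $valueName -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{ Type = 'Process'; Location = $_.Path; Detail = "PID=$($_.Id)" }
}

if ($findings) { $findings | Format-List } else { 'No reader_s indicators found.' }
```

The HKEY_CURRENT_USER key and %UserProfile% path are per-user, so run the script in the session of the account that opened the attachment.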
