This morning I ran across an interesting piece of malware. It was a Trojan downloader packaged as a .gadget file. Gadgets are the little applets used in the Windows sidebar, like a clock, RSS feeds, CPU info, etc. A gadget file is essentially a zip archive with some special features that let you install other gadgets effortlessly. By renaming the file extension you can extract the files it actually contains. In total there were three files: main.exe, gadget.html, and gadget.xml. main.exe is the actual downloader; the other two files drive the malicious gadget install. After opening the gadget file and installing it, the malware immediately reaches out to the internet and downloads a file with the .enc extension.
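Because a .gadget file is just a zip archive, a defender can triage one without installing it by listing its members and flagging anything that looks like a native executable. The script below is an added example and is not code from the original post; the sample archive it builds in memory reuses the three file names the post mentions (main.exe, gadget.html, gadget.xml), and the "main.exe" body is a constructed stub carrying only the PE `MZ` magic, not a real binary.

```python
import io
import os
import zipfile

# File extensions that should never appear inside a benign sidebar gadget.
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif"}


def build_sample_gadget(with_exe: bool) -> bytes:
    """Construct an in-memory .gadget (zip) for demonstration purposes.

    with_exe=True mimics the layout described in the post; the executable
    member is a fake PE stub (just the 'MZ' magic), not real malware.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("gadget.xml", "<gadget><name>Clock</name></gadget>")
        zf.writestr("gadget.html", "<html><body onload='run()'></body></html>")
        if with_exe:
            zf.writestr("main.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


def inspect_gadget(data: bytes) -> dict:
    """List the members of a .gadget archive and flag executable payloads.

    A member is flagged if its extension is in EXEC_EXTENSIONS or if its
    first two bytes are the PE 'MZ' magic (catches renamed executables).
    """
    stream = io.BytesIO(data)
    if not zipfile.is_zipfile(stream):
        return {"is_zip": False, "members": [], "executables": []}

    members = []
    executables = []
    with zipfile.ZipFile(stream) as zf:
        for info in zf.infolist():
            name = info.filename
            members.append(name)
            ext = os.path.splitext(name.lower())[1]
            with zf.open(info) as member:
                has_pe_magic = member.read(2) == b"MZ"
            if ext in EXEC_EXTENSIONS or has_pe_magic:
                executables.append(
                    {"name": name, "size": info.file_size, "pe_magic": has_pe_magic}
                )
    return {"is_zip": True, "members": sorted(members), "executables": executables}


def inspect_gadget_file(path: str) -> dict:
    """Convenience wrapper: inspect a .gadget file on disk."""
    with open(path, "rb") as fh:
        return inspect_gadget(fh.read())


def is_suspicious(report: dict) -> bool:
    """A gadget carrying any native executable warrants a closer look."""
    return report["is_zip"] and bool(report["executables"])


if __name__ == "__main__":
    for label, flag in (("malicious-style", True), ("benign-style", False)):
        report = inspect_gadget(build_sample_gadget(flag))
        print(label, report["members"], "suspicious:", is_suspicious(report))
```

Run it against a real sample with `inspect_gadget_file("suspect.gadget")`; the `MZ` check matters because an attacker can name the payload anything the gadget.html loader expects, so extension matching alone is not enough.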

[Image: encdownload]

Most likely this means the gadget file is a downloader for some malware that uses encryption to try to bypass filters. One of the more popular pieces of malware that does this is GameOver Zeus. There was another .exe file it reached out for, but the remote server returned the request as Forbidden.

[Image: actualemail]

[Image: gadget icon]

At the time of scanning it on VirusTotal, only Malwarebytes was classifying it as malware (out of 52 AV companies). So far this morning we have blocked around 70,000 messages with this malware attached.
