The malicious attachment is called internal_use_only.gadget<\/strong>; Gadget files are zip files so one can enumerate their content e.g. with 7Zip:<\/p>\n If dropped in a folder, we can see the icon of a Gadget<\/p>\n The content of the gadget.html<\/strong>:<\/p>\n Quick analysis confirmed it’s Upatre, a well-known Zeus downloader.<\/p>\n When main.exe<\/strong> is executed it drops its copy as %TEMP%\\ycare.exe<\/strong> and appends the original path to the main.exe<\/strong> so that ycare.exe<\/strong> can delete it once it’s executed. The executed ycare.exe attempts to connect to just* [ . ]com\/wp-content\/uploads\/2014\/02\/1605UKmw.enc or grab the very same file from dot*[ . ]com\/fonts\/1605UKmw.enc.<\/p>\n If the user is silly enough to open this gadget on the computer the warning popup will show up:<\/p>\n If the user is silly^2 enough, the ‘gadget’ will be ‘added’ to the Sidebar:<\/p>\n – and the malware thingie will run.<\/p>\n The Gadgets leave Gadgetish remnants on the system and they can be potentially used to determine the original attack vector:<\/p>\n and also<\/p>\n – the latter will contain the description of Gadget(s) added to the system<\/p>\n may contain references to Sidebar binaries and<\/p>\n may contain the entry starting Sidebar via<\/p>\n – it’s less reliable, because users may have other Gadgets installed and Sidebar installation is nothing unusual in their environment.<\/p>\n Nothing extraordinary – just yet another creative way to deliver the badness.<\/p>\n","protected":false},"excerpt":{"rendered":" During last week I have seen News reports talking about spam campaign delivering the malware that is using a .gadget file extension. Since one of my spambait accounts got it as well I decided to run a quick test and … Continue reading Path = internal_use_only.gadget\r\nType = zip\r\nPhysical Size = 6878\r\n\r\n\u00a0\u00a0 Date\u00a0\u00a0\u00a0\u00a0\u00a0 Time\u00a0\u00a0\u00a0 Attr\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Size\u00a0\u00a0 Compressed\u00a0 Name\r\n------------------- ----- ------------ ------------\u00a0 ------------------------\r\n2014-05-16 12:45:26 ....A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 335\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 220\u00a0 gadget.html\r\n2014-05-16 12:44:14 ....A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 10240\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 6151\u00a0 main.exe\r\n2014-05-15 22:08:40 ....A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 326\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 199\u00a0 gadget.xml\r\n------------------- ----- ------------ ------------\u00a0 ------------------------\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 10901\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 6570\u00a0 3 files, 0 folders<\/pre>\n
![\"gadget\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/05\/gadget.png\")
<\/a>The content of the gadget.xml<\/strong>:<\/p>\n![\"gadget_xml2\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/05\/gadget_xml2.png\")
<\/a><\/p>\n![\"gadget_html\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/05\/gadget_html.png\")
<\/a>and the third file is a small executable called main.exe<\/strong>.<\/p>\n![\"gadget2\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/05\/gadget2.png\")
<\/a><\/p>\n![\"gadget3\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/05\/gadget3.png\")
<\/a><\/p>\n\n
\ninternal_use_only.gadget\\gadget.html<\/li>\n
\ninternal_use_only.gadget\\gadget.xml<\/li>\n<\/ul>\n\n
![\"gadget_settings\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/05\/gadget_settings-1024x158.png\")
<\/a>
\nOther artifacts are less reliable e.g.:<\/p>\n\n
\n
\n