
Beware of Microsoft help files, they can hide dangerous Windows malware

Beware of this new Vidar malware distribution campaign. The malware now hides in files with the .CHM extension, the Microsoft Help files found in most Windows applications and services.


Trustwave security experts sound the alarm: a new wave of Vidar, a well-known and particularly pernicious piece of malware, is on the way. But rather than hiding in an executable, the malware hides this time in a Microsoft help file.

The malware spreads via classic spam that you receive in your mailbox. The message contains an attachment, which the sender encourages you to open with these words: “This important information is for you. Please see the attachment to this email”. And that’s where the malware comes into play.


How a simple CHM file hides one of today’s worst malware

To hide even better from its victims, the malware arrives in a file named “REQUEST.DOC”. Don’t be fooled by the extension: it is actually an .ISO image. Inside is an HTML file compiled in CHM format, generally called “PSS10R.CHM”, and, still within the ISO, an executable named “APP.EXE”.

Once the CHM file or the executable is opened, a small piece of JavaScript runs, and the Vidar malware can then go about its business. It creates its own folder in C:\ProgramData and sends the collected data to a server. If necessary, it can also download another executable, which is itself malicious. Once its work is done, the malware erases its own traces in the ProgramData folder and deletes the DLLs it created for the occasion.
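The lure described above relies on the extension lying about the content: a “.DOC” that is really an ISO image, carrying a CHM and an EXE. The following is an added example, not code from the article or from Trustwave, of a mail-gateway style check that identifies attachments by their magic bytes rather than their names; the sample byte strings are constructed and are not real malware.

```python
import os

# Format signatures. Offsets are the standard ones for each container:
# ISO 9660 stores its primary volume descriptor at sector 16 (byte 0x8000),
# with the identifier "CD001" one byte further in; the rest sit at offset 0.
SIGNATURES = {
    "chm": (0x0000, b"ITSF"),                              # Compiled HTML Help
    "exe": (0x0000, b"MZ"),                                # PE executable
    "doc": (0x0000, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # OLE2 compound file (legacy Word)
    "docx": (0x0000, b"PK\x03\x04"),                       # OOXML, a ZIP container
    "iso": (0x8001, b"CD001"),                             # ISO 9660 image
}

# Formats an extension is allowed to contain (assumed policy for this example).
ALLOWED = {".doc": {"doc", "docx"}, ".docx": {"docx"}}

# Formats that should never arrive as a mail attachment under that policy.
BLOCKED = {"chm", "exe", "iso"}


def identify(data: bytes) -> str:
    """Return the real container format of the bytes, ignoring the file name."""
    for name, (offset, magic) in SIGNATURES.items():
        if data[offset:offset + len(magic)] == magic:
            return name
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> tuple[str, str]:
    """Return (verdict, actual_format): 'blocked', 'mismatch' or 'ok'."""
    actual = identify(data)
    ext = os.path.splitext(filename)[1].lower()
    if actual in BLOCKED:
        return "blocked", actual
    expected = ALLOWED.get(ext)
    if expected is not None and actual not in expected:
        return "mismatch", actual
    return "ok", actual


# Constructed samples: an ISO wearing the campaign's ".DOC" name, a genuine
# legacy Word header, and a CHM header. None of these carry any payload.
FAKE_ISO_AS_DOC = b"\x00" * 0x8000 + b"\x01CD001\x01\x00" + b"\x00" * 64
REAL_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64
FAKE_CHM = b"ITSF\x03\x00\x00\x00" + b"\x00" * 64

if __name__ == "__main__":
    for name, blob in [("REQUEST.DOC", FAKE_ISO_AS_DOC),
                       ("report.doc", REAL_DOC), ("PSS10R.CHM", FAKE_CHM)]:
        print(name, *triage_attachment(name, blob))
```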

An attachment in .DOC format (actually .ISO) hides the Vidar malware. Screenshot credit: Trustwave.

What are the risks of Vidar malware?

Vidar is able to retrieve data about the operating system, but above all data belonging to the user. It can also steal all payment data (credit card, online payment service, etc.). On top of that, it is even able to steal information used to identify the user to a cryptocurrency service.

The first appearance of the Vidar malware dates back to 2018. The software is believed to be of Russian origin. Why do the security experts who discovered Vidar make that assumption? The malware immediately stops its activity when it is installed on a machine located in Russia, or when the infected PC uses a Russian keyboard layout.

As usual, we advise you never to open an attachment from an unknown sender, and to scan any attachment you do receive with an antivirus, such as BitDefender, Norton Security, Avast or Microsoft Defender.


Source: Trustwave
