Private Detective Scare is Storm Trojan
The email message body sent by this variant of Zhelatin appears as follows:
"I am working in a private detective agency. I can't say my name. I'm warning you that i'm going to overhear your telephone line. Do you want to know who paid for shadowing you? Wait for my next message.

P.S. Of course, you don't believe me. But i think that the record of your yesterday's telephone conversation will change your point. The record is in archive. The password is 123qwe"

According to PC Tools ThreatExpert, this latest variant creates a file named "kernelwind32.exe" in the Windows system folder (usually C:\Windows\System32). The registry is modified to load this copy when Windows starts, as follows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System = "<path to system folder>\kernelwind32.exe"
A file named "kernelw.sys" is also dropped to the Windows system folder. This file is a kernel mode rootkit that hides itself and other files and processes associated with the infection. The Trojan also modifies the registry to prevent access to the Windows Task Manager.
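The artifacts above can be checked for from an elevated PowerShell prompt. This is an added example, not code from the article or from PC Tools ThreatExpert; the two file names and the Run key value come from the article, while the DisableTaskMgr policy value is an assumption, since the article does not name the key the Trojan changes to block Task Manager.

```powershell
# Added example (not from the original article): read-only check of a Windows
# host for the persistence artifacts attributed to this Zhelatin/Storm variant.
# Caveat: kernelw.sys is described as a rootkit that hides its own files and
# processes, so a clean result from this user-mode check is weaker evidence
# than a hit; a dedicated rootkit scanner is the stronger test.

$systemDir = [Environment]::GetFolderPath('System')   # usually C:\Windows\System32
$findings  = New-Object System.Collections.Generic.List[string]

# 1. Dropped files named in the article
foreach ($name in 'kernelwind32.exe', 'kernelw.sys') {
    $path = Join-Path $systemDir $name
    if (Test-Path -LiteralPath $path) {
        $findings.Add("Dropped file present: $path")
    }
}

# 2. Run-key persistence: a value named 'System' that launches kernelwind32.exe
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['System']) {
    $value = $run.System
    if ($value -match 'kernelwind32\.exe') {
        $findings.Add("Run key persistence: $runKey\System = $value")
    }
}

# 3. Task Manager lockout. The article does not name the key it modifies;
#    the DisableTaskMgr policy value is ASSUMED here as the usual mechanism.
$policyKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
              'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($key in $policyKeys) {
    $pol = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
    if ($pol -and $pol.DisableTaskMgr -eq 1) {
        $findings.Add("Task Manager disabled by policy: $key\DisableTaskMgr = 1")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Storm/Zhelatin indicators from the article found (user-mode check only).'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```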
Rootkit-enabled malware is extremely common these days. To bolster your virus protection, use one or more of these free rootkit detectors to scan your system.