Hoosmi - a new Word Trojan again? [UPDATED]
May 25th, 2006 by Juha-Matti, Filed under: Commentary, Virus
Information about a new trojan, Trojan.Hoosmi, is available. When executed, it opens a Word document using the current file name (possibly the file most recently opened in Word at the time of infection).
As Ginwui did, it reportedly hides all its files, registry keys etc. using rootkit techniques. It has keylogger features and attempts to download a file from the 3322.org site (SANS ISC summary here). The same domain was used in the Ginwui threat as well.
The newly created service named “sdqgvqcm” is something totally new.
At the time of writing there is no information on whether this malware exploits undocumented MS Word vulnerabilities like this.
Information about delivery methods will be added to this post as well.
Direct link to Symantec’s write-up:
securityresponse.symantec.com/avcenter/venc/data/trojan.hoosmi.html
UPDATE: The trojan creates files named sdqgvqcm in the System folder, including a .log file containing saved keystrokes.
# May 26th: The new Trojan.Agentdoc.B uses the 3322.org site too.
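An added example, not part of the original post or of Symantec's write-up: a Python check that searches exported DNS query logs and a file listing for the two indicators named above, the 3322.org domain and the name sdqgvqcm. The log line format, sample lines and paths are constructed assumptions, and the file listing is assumed to come from a disk image or other offline source, because the post says the trojan hides its files on a running system.

```python
import re

DOMAIN = "3322.org"      # download site named in the post
ARTIFACT = "sdqgvqcm"    # service and file name named in the post

def host_matches(host, domain=DOMAIN):
    """True for the domain or any subdomain; look-alike names do not match."""
    host = host.strip().rstrip(".").lower()
    return host == domain or host.endswith("." + domain)

def flag_dns(lines):
    """Return (client, qname) pairs for queries under DOMAIN.
    Assumed line format: '<timestamp> <client-ip> <qtype> <qname>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) == 4 and host_matches(parts[3]):
            hits.append((parts[1], parts[3].rstrip(".").lower()))
    return hits

def flag_files(paths):
    """Return paths whose file name, ignoring extension and case, is ARTIFACT."""
    hits = []
    for path in paths:
        base = re.split(r"[\\/]", path)[-1]
        stem = base.rsplit(".", 1)[0] if "." in base else base
        if stem.lower() == ARTIFACT:
            hits.append(path)
    return hits

# Constructed sample data (not real telemetry).
SAMPLE_DNS = [
    "2006-05-26T10:01:02 10.0.0.5 A www.example.com",
    "2006-05-26T10:01:07 10.0.0.7 A Constructed-Host.3322.ORG.",
    "2006-05-26T10:02:11 10.0.0.5 A not3322.org",
    "2006-05-26T10:02:30 10.0.0.9 A 3322.org.example.net",
    "2006-05-26T10:03:00 10.0.0.7 A 3322.org",
]
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\sdqgvqcm.log",
    r"C:\WINDOWS\system32\SDQGVQCM",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\WINDOWS\system32\sdqgvqcm-notes.txt",
]

if __name__ == "__main__":
    for client, qname in flag_dns(SAMPLE_DNS):
        print("DNS hit:", client, qname)
    for path in flag_files(SAMPLE_FILES):
        print("File hit:", path)
```

The suffix comparison on a leading dot is what keeps names such as not3322.org and 3322.org.example.net out of the results.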