Monday, November 26, 2007 2:45 PM
cmosby
My Egyptian Vacation
Posted by Mikko @ 11:32 GMT |
No, we haven't visited Egypt. But we're seeing a malware distribution run using a unique lure.
First, you get an e-mail like this from "Anita":

The ZIP contains these files:

How nice, Anita has even included an image viewer for us so we can take a look at her photos.
However, if you run viewer_img.exe, you'll get just an empty Paintbrush window:

Of course, this is just a bluff. In the background it's dropping and executing a variant of the LdPinch data-stealing trojan.
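The lure works because a mail gateway or user that only looks at file names sees "photos plus a viewer". A defender-side check, added here as an example and not part of the original post, is to open the ZIP attachment and flag any entry that either carries an executable extension or whose first bytes are a PE header regardless of its name. The archive below is constructed to mirror the post (two egipet JPEGs plus viewer_img.exe); the extra "thumbs.jpg" entry with PE content is an assumed case showing why the magic-byte check matters, and the extension list is a representative subset, not an exhaustive one.

```python
import io
import zipfile

# Extensions Windows runs on double-click (assumption: a representative subset).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# File signatures used to identify the real type regardless of the name.
MAGIC = {
    b"MZ": "pe",             # Windows PE executable header
    b"\xff\xd8\xff": "jpeg",  # JPEG start-of-image marker
    b"\x89PNG": "png",
}


def sniff_type(head: bytes) -> str:
    """Classify a file by its leading bytes; 'unknown' if no signature matches."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def scan_zip_attachment(zip_bytes: bytes) -> list[dict]:
    """Return one finding per suspicious archive entry.

    An entry is suspicious if its extension is executable, or if its content
    starts with a PE header while the name pretends to be something else.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
            with zf.open(info) as fh:
                kind = sniff_type(fh.read(8))
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if kind == "pe" and ext not in EXECUTABLE_EXTENSIONS:
                reasons.append("PE header under a non-executable name")
            if reasons:
                findings.append({"name": name, "type": kind, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample modelled on the post's attachment (not the real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("egipet1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # benign JPEG
        zf.writestr("egipet2.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # benign JPEG
        zf.writestr("viewer_img.exe", b"MZ" + b"\x90" * 62)             # the "viewer"
        zf.writestr("thumbs.jpg", b"MZ" + b"\x90" * 62)                 # assumed: PE disguised as image
    return buf.getvalue()


def verdict(zip_bytes: bytes) -> str:
    """'quarantine' if anything suspicious was found, else 'deliver'."""
    return "quarantine" if scan_zip_attachment(zip_bytes) else "deliver"


if __name__ == "__main__":
    sample = build_sample_zip()
    for finding in scan_zip_attachment(sample):
        print(finding["name"], finding["type"], "; ".join(finding["reasons"]))
    print(verdict(sample))
```

The magic-byte check is the part worth keeping: renaming viewer_img.exe to something like egipet3.jpg would defeat an extension-only filter but still be caught by the "MZ" signature.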
Let's see. It loads up a Russian version of pbrush.exe. The images are named "egipet.jpg" — Egipet is the Russian spelling of Egypt. And LdPinch is Russian malware. So this attack is probably (we're guessing) coming from … Denmark!
Source: My Egyptian Vacation - F-Secure Weblog : News from the Lab
Filed under: Security and Anti-Virus, Spam\Phishing