
A New spam circulating fake wire transfer statements – McAfee Avert Labs Blog

A New spam circulating fake wire transfer statements

Wednesday December 24, 2008 at 9:33 am CST
Posted by Shinsuke Honjo


Today a new downloader trojan is being spammed widely. The spam message is crafted to look like a reply to a wire-transfer query the victim supposedly sent.

spam message

When users run the file “bank_statement.scr” from the attached zip file, it downloads the BackDoor-DSG trojan. In the background it also downloads an innocent PDF document from a legitimate site and opens it as a decoy. The PDF document, however, has nothing to do with the wire transfer.

innocent pdf file

We see that the trojan file is repacked for each message, so no two attachments are identical. In addition, this time the malware authors are also changing the resource sections of those PE files, such as the icons and the file properties (version information).

For example, we observed the following icons:

Icons

Other resources:

File Description:

  • Auto-reader Module
  • Reader_Module
  • Adobe Reader HSMC
  • Adodb_SSL_reader

Translation:

  • English
  • Spanish
  • Korean

CompanyName:

  • Adobe
  • ADOBE

These crafted resources, as well as the malicious code itself, are the result of server-side polymorphism intended to evade detection by anti-virus software. McAfee Avert Labs detects the current wave of the downloader as BackDoor-DSG.dldr, and the dropped files as BackDoor-DSG, with DAT 5474 or later.
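The indicators described above (an executable screensaver named like a bank statement, unsigned binaries with borrowed Adobe branding, and a wave in which every hash is unique while the version-info strings vary) can be turned into a simple triage heuristic for mail-gateway or sandbox metadata. The following is an added example, not code from McAfee or this post; the record fields and the sample records are constructed assumptions about what a gateway would export.

```python
# Added example: triage heuristic over attachment metadata, built from the
# indicators in the post. Field names and sample values are constructed.
from dataclasses import dataclass
from collections import Counter

EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".cpl"}
DOCUMENT_WORDS = ("statement", "invoice", "wire", "transfer", "receipt")

@dataclass
class AttachmentMeta:
    name: str         # file name inside the zip attachment
    company: str      # VersionInfo CompanyName (assumed field)
    description: str  # VersionInfo FileDescription (assumed field)
    signed: bool      # carries a valid Authenticode signature (assumed field)
    sha256: str       # constructed placeholder, not a real hash

def triage(meta: AttachmentMeta) -> list:
    """Return the reasons an attachment matches the repacked-downloader pattern."""
    reasons = []
    lower = meta.name.lower()
    ext = lower[lower.rfind("."):] if "." in lower else ""
    # Executable extension hidden behind a document-like name.
    if ext in EXECUTABLE_EXTS and any(w in lower for w in DOCUMENT_WORDS):
        reasons.append(f"executable {ext} named like a document")
    # Branding copied from Adobe/Reader without a signature to back it.
    claims_adobe = "adobe" in meta.company.lower() or "reader" in meta.description.lower()
    if claims_adobe and not meta.signed:
        reasons.append("unsigned binary branded as Adobe/Reader")
    if claims_adobe and ext == ".scr":
        reasons.append("Adobe branding on a screensaver binary")
    return reasons

def campaign_summary(samples: list) -> dict:
    """All-unique hashes plus varying resource strings point to server-side repacking."""
    hashes = Counter(s.sha256 for s in samples)
    descriptions = {s.description for s in samples}
    return {"all_hashes_unique": len(hashes) == len(samples),
            "distinct_descriptions": len(descriptions)}

# Constructed wave of three repacked attachments and one benign comparison file.
WAVE = [
    AttachmentMeta("bank_statement.scr", "Adobe", "Auto-reader Module", False, "constructed-hash-1"),
    AttachmentMeta("bank_statement.scr", "ADOBE", "Reader_Module", False, "constructed-hash-2"),
    AttachmentMeta("bank_statement.scr", "Adobe", "Adobe Reader HSMC", False, "constructed-hash-3"),
]
BENIGN = AttachmentMeta("AcroRd32.exe", "Adobe Systems", "Adobe Reader", True, "constructed-hash-4")

if __name__ == "__main__":
    for sample in WAVE:
        print(sample.name, triage(sample))
    print(BENIGN.name, triage(BENIGN))
    print(campaign_summary(WAVE))
```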
