Fake Wire Transfer spam contains Malicious ZIP attachments

Posted Wednesday, December 24, 2008 6:01 PM by hwaldron

Email AVERT is reporting a widespread volume of fake "wire transfer" messages. Because e-commerce messages are expected during the holidays, these realistic-looking messages could trick users into opening them. Email filtering may not block ZIP files as reliably as other attachment types. Finally, each message processed so far is unique, because differing packing algorithms are used to evade AV detection.
 
Fake Wire Transfer spam contains Malicious ZIP attachments
http://www.avertlabs.com/research/blog/index.php/2008/12/24/a-new-spam-circulating-fake-wire-transfer-statements/

QUOTE: Today a new downloader trojan is being spammed widely. This spam message arrives as a reply to the victim’s query asking for the wire transfer.

When users run the file “bank_statement.scr” in the attachment zip file, it downloads the BackDoor-DSG trojan, while in the background it downloads an innocent PDF document from a legit site and opens it for deception. The PDF document, however, is not relevant to the wire transfer.

We see that the trojan file is repacked for each message, thus none of them are identical. In addition to that, this time the malware authors are changing resource sections in those PE files, such as icons and file properties.
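Because each copy is repacked and hash or signature matching will not generalize, a mail gateway can instead inspect what a ZIP attachment contains. The following is an added example, not code from this post or from AVERT: it flags ZIP members with an executable extension such as `.scr`, members that start with a PE header under another name, and encrypted members. The extension list, function names and sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed block list of directly executable Windows extensions (not from the post).
EXEC_EXTS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd")

def risky_zip_members(zip_bytes):
    """Return (member name, reason) pairs for executable content in a ZIP."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", "unreadable zip")]
    hits = []
    with zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # encrypted: contents cannot be inspected
                hits.append((info.filename, "encrypted member"))
            elif info.filename.lower().endswith(EXEC_EXTS):
                hits.append((info.filename, "executable extension"))
            else:
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":  # PE/DOS header on a renamed file
                        hits.append((info.filename, "PE header"))
    return hits

def scan_message(raw):
    """Map attachment name -> hits; ZIPs are recognised by magic, not by name."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if data.startswith(b"PK\x03\x04"):
            hits = risky_zip_members(data)
            if hits:
                findings[part.get_filename() or "<unnamed>"] = hits
    return findings

def make_sample(member, payload):
    """Build a constructed test message carrying one ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    msg = EmailMessage()
    msg["Subject"] = "Re: wire transfer"
    msg.set_content("Statement attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="statement.zip")
    return msg.as_bytes()
```

Calling `scan_message(make_sample("bank_statement.scr", b"MZ" + b"\x00" * 64))` returns the flagged member keyed by attachment name; an empty dict means nothing in the message matched.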
