Thursday, 14 August 2008

Fake Contract Documents

Received the following email, which looks the same as a version received about a week ago:

Received: from [] ( []
by (8.13.1/8.13.1) with ESMTP id m7E5rk9W028214
; Thu, 14 Aug 2008 06:53:47 +0100

As you can see, it has a zip attachment which, when submitted to VirusTotal, gives us:

I'd already added a signature to catch the earlier version (11th August) and it detected this latest version too: Email.Malware.Sanesecurity.08081101 (added 11th August 2008)

Submitting this to ThreatExpert gives you this worrying result!

I.e.: "Installs a default debugger that is injected into the execution sequence of a target application. If a threat is installed as a default debugger, it will be run every time a target application is attempted to be launched - either to mimic it and hide its own presence (e.g. an open port or a running process), or simply to be activated as often as possible."

As you can see from the stats, it's still being spammed out:

None of this is a worry to those admins who are blocking exes inside zip files, though :)
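
An added example, not part of the original post or of any Sanesecurity tooling: a sketch of the kind of gateway check that blocks executables inside zip attachments, including double extensions and zips nested in zips. The extension list, the limits and all function names are assumptions, and the sample message is constructed.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy list of executable extensions; not from the original post.
BLOCKED_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
MAX_DEPTH, MAX_INNER = 2, 10_000_000  # nesting levels / bytes of nested zip to open

def blocked_members(zip_bytes, depth=0):
    """Return names of executable members, following nested zips."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["<unreadable zip>"]  # fail closed: unreadable counts as blocked
    hits = []
    for info in zf.infolist():
        # Member names stay readable even when the contents are encrypted.
        name = info.filename.lower().rstrip(". ")
        if name.endswith(BLOCKED_EXT):
            hits.append(info.filename)
        elif name.endswith(".zip"):
            if info.flag_bits & 0x1 or depth >= MAX_DEPTH or info.file_size > MAX_INNER:
                hits.append(info.filename + " <uninspected zip>")
            else:
                hits += blocked_members(zf.read(info), depth + 1)
    return hits

def scan_message(raw):
    """Map each zip attachment's filename to its blocked member names."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        # Check the magic bytes too, so a renamed zip is still opened.
        if fname.lower().endswith(".zip") or data[:4] == b"PK\x03\x04":
            report[fname] = blocked_members(data)
    return report

def build_sample():
    """Constructed sample message; the 'exe' is a harmless text stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("contract.doc.exe", "not a real program")
        zf.writestr("readme.txt", "hello")
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="contract.zip")
    return msg.as_bytes()
```

A non-empty list for any attachment in the result of `scan_message(build_sample())` is the signal to reject or quarantine the message.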
