Email with subject “scan upon download” contains trojan

MX Lab started to intercept a few emails with the subject “scan upon download” coming from randomly spoofed email addresses.

The trojan is named Suspicious:W32/Malware!Gemini (F-Secure) or Mal/TibsPk-D (Sophos) and is able to create malicious executable files on the infected system.

The body of the email:

Dear Sirs,
We have prepared a contract and added the paragraphs that you wanted to see in it. Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment. We are enclosing the file with the prepared contract.

The email has a ZIP archive attached, named Contract.zip (202 kB); once extracted, it yields an executable named Contract.exe.

The following files are created:

%AppData%\av.exe
%AppData%\v7LsGuo3u6bku

A new process is created:

%AppData%\av.exe

VirusTotal permalink and MD5: 99b165be9e35f83b811925ccbb9be36d.
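The file names, process name and MD5 listed above are the indicators a defender would actually search for on endpoints. The following script is an added example (not MX Lab's code) that walks a directory tree and reports files matching either an indicator file name or a known-bad MD5. The real MD5 is the one the post reports; the directory contents in `demo()` are constructed for the example, and the extra hash added there is computed from a constructed sample so that the hash path of the checker is exercised offline. The second file name is assumed to be sample-specific and is included only as reported.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators from the alert above. The MD5 is the one reported on VirusTotal.
KNOWN_BAD_MD5 = {"99b165be9e35f83b811925ccbb9be36d"}
# File names from the alert, lower-cased for case-insensitive matching on Windows.
KNOWN_BAD_NAMES = {"av.exe", "v7lsguo3u6bku", "contract.exe", "contract.zip"}


def md5_of_file(path, chunk_size=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, bad_md5=KNOWN_BAD_MD5, bad_names=KNOWN_BAD_NAMES):
    """Walk `root` and return (path, reasons, md5) for every file matching an IoC.

    `reasons` is a comma-separated string: "name", "md5" or "name,md5".
    Files that cannot be read are skipped rather than aborting the scan.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in bad_names:
                reasons.append("name")
            try:
                digest = md5_of_file(path)
            except OSError:
                continue
            if digest in bad_md5:
                reasons.append("md5")
            if reasons:
                hits.append((path, ",".join(reasons), digest))
    return hits


def demo():
    """Constructed sample tree mimicking %AppData%; returns sorted (name, reasons)."""
    with tempfile.TemporaryDirectory() as tmp:
        appdata = Path(tmp) / "AppData" / "Roaming"
        appdata.mkdir(parents=True)
        # Constructed placeholder contents: these are NOT the real malware bytes,
        # so they match on name only, not on the reported MD5.
        (appdata / "av.exe").write_bytes(b"constructed sample, not the real file")
        (appdata / "v7LsGuo3u6bku").write_bytes(b"")
        (appdata / "notes.txt").write_bytes(b"harmless")
        # Constructed hash indicator: treat this sample's digest as known-bad
        # to show the MD5 match path without needing the real sample.
        sample = appdata / "invoice.bin"
        sample.write_bytes(b"some other constructed content")
        extra_bad = KNOWN_BAD_MD5 | {md5_of_file(sample)}
        hits = scan_directory(tmp, bad_md5=extra_bad)
        return sorted((Path(p).name, why) for p, why, _ in hits)


if __name__ == "__main__":
    # On a real Windows host you would point scan_directory at os.environ["APPDATA"].
    for name, why in demo():
        print(f"{name}: matched on {why}")
```

Hash matching only catches the exact sample the post describes; the name check is what catches a repacked variant that still drops av.exe, which is why the script reports both reasons separately.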
