Email with subject “scan upon download” contains trojan

MX Lab started to intercept a few emails with the subject “scan upon download” coming from randomly spoofed email addresses.

The trojan is named Suspicious:W32/Malware!Gemini (F-Secure) or Mal/TibsPk-D (Sophos) and is able to create malicious executable files on the infected system.

The body of the email:

Dear Sirs,
We have prepared a contract and added the paragraphs that you wanted to see in it. Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment. We are enclosing the file with the prepared contract.

The email has a ZIP archive named Contract.zip attached, 202 kB in size; once extracted, it yields an executable file named Contract.exe.

The following files are created:

%AppData%\av.exe
%AppData%\v7LsGuo3u6bku

A new process is created:

%AppData%\av.exe

VirusTotal permalink and MD5: 99b165be9e35f83b811925ccbb9be36d.

One Response to Email with subject “scan upon download” contains trojan

  1. Jennifer says:

    Yes, they are the worst scammers I have ever encountered. They won’t stop even though I sent several replies asking them to stop emailing me; they are still so aggressive, and I am also receiving it in my mail! Here is the latest email I received from them, aside from what I got from the mail.

    Dear Sir/Madam,

    I am writing on behalf of the Credit Department of EU Business Services Ltd.

    I have to remind you the due date for the invoice no. 73824, issued by EU Business Services Ltd for your first year of insertion of Events & Exhibition LLC into Europe Business Guide Ms Jennifer McCrory has ordered was the 01/03/2011.

    We are in the possession of a 3-year valid order placed on behalf of your company.

    Your debt to our company has reached EUR 1424,-, as late payment, administration and legal fees have been added to the initial amount of the invoice.
    A second legal letter will be sent towards your company next Monday, the 18th of April, increasing your debt to EUR 1924,-.

    Provided the payment will be made by the 15th of April, 2011 we accept the amount of EUR 1124, – in order to settle your account this year.

    If no payment is made available by the 15th of April, 2011 a payment less than this amount will not solve the issue we obviously have with your company in your honoring your financial obligations towards us.

    Thank you for your time and cooperation.

    IBAN: SK36 7500 0000 0040 1273 2549
    SWIFT CODE: CEKOSKBX
    A/c#: 4012732549

    Best regards,
    Ms Andreea
    Credit Department
    EU Business Services Ltd.
    P.O. Box 2021, 3500 GA Utrecht, The Netherlands
    Fax: 0031 205 248 107
