New malspam regarding your Amazon order: Your order has been paid! Parcel NR:58588-691
May 17, 2010
MX Lab detected a new malware spam outbreak with the subject “Your order has been paid! Parcel NR:58588-691” regarding a payment to Amazon. The malware is sent from a spoofed email address in the form of Amazon Manager Vaughn Montes <refrigeratorser22@rokulabs.com>.
The trojan is known as Trojan.Generic.Bredolab.3232 (ClamAV), W32/VBcrypt.E.gen!Eldorado (Eldorado), W32/VBcrypt.E.gen!Eldorado (F-Prot) or Heuristic.BehavesLike.Win32.Downloader.H (McAfee-GW-Edition).
The body of the email:
Dear Sirs,
Thank you for shopping at Amazon.com!
We have successfully received your payment.
Your order has been shipped to your billing address.
You have ordered ” Sony Bravia S1452 ”
You can find your tracking number in attached to the e-mail document.
Print the postal label to get your package.
We hope you enjoy your order!
Vaughn Montes, Amazon
The email has the ZIP archive Amazon_label_N-322-552.zip attached, which contains the 36 kB file Amazon_label_N-322-552.DOC.exe.
The following files are created:
C:\Documents and Settings\User\Local Settings\Temp\1.tmp
C:\WINDOWS\system32\thxr.wgo
HTTP requests are made to:
hxxp://hulejsoops.ru/images/bb.php?v=200&id=636608811&b=build_9&tm=1
hxxp://hulejsoops.ru/images/bb.php?v=200&id=636608811&b=build_9&tm=2
hxxp://hulejsoops.ru/images/bb.php?v=200&id=636608811&b=build_9&tm=3
At the time of writing, only 5 of the 41 AV engines at Virus Total detected the threat. Virus Total permalink and MD5: b31628758d2557315403f59cc65bc33d.
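
A mail-gateway style check for the attachment trick described above (an executable named to look like a document inside a ZIP), added here as an example and not part of the original MX Lab post. The extension lists, function names and sample archive are assumptions constructed for illustration; the check generalizes beyond the `.DOC.exe` case to other decoy and executable extensions.

```python
import io
import zipfile

# Extensions Windows will execute directly (illustrative list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs"}
# Extensions users read as harmless documents (illustrative list).
DECOY_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "jpg", "rtf"}


def classify_member(name):
    """Return 'decoy-executable', 'executable' or None for one archive member name."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots/spaces; space padding can hide the real extension.
    parts = [p.strip().lower() for p in base.rstrip(". ").split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "decoy-executable"
    return "executable"


def scan_zip_attachment(data):
    """Return [(member_name, verdict, uncompressed_size)] for suspicious members."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                verdict = classify_member(info.filename)
                if verdict:
                    findings.append((info.filename, verdict, info.file_size))
    except zipfile.BadZipFile:
        # A broken archive cannot be inspected, so report it rather than pass it.
        findings.append(("<archive>", "unreadable-zip", len(data)))
    return findings


def build_sample_zip(members):
    """Build a constructed in-memory ZIP; contents are placeholder bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Member name taken from the post; the contents are dummy bytes.
    sample = build_sample_zip({"Amazon_label_N-322-552.DOC.exe": b"\x00" * 1024, "readme.txt": b"ok"})
    print(scan_zip_attachment(sample))
```

The member names are read from the ZIP central directory, so nothing is extracted or executed during the check.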

Just received this email in my inbox.
Thanks for the heads up guys
I got this exact email and luckily I found this advice before clicking the attachment. I placed an Amazon order today so it was very sneaky indeed!