Email with subject “Re: Job Interview” leads to site that hosts the Koobface trojan in resume.exe file


MX Lab started to intercept messages with the subject “Re: Job Interview” from various different spoofed email addresses.

The body of the email:

Dear Employee,

Could I get an update on your resume? Your cooperation will be appreciated in this matter.

The resume we have on file for you is http://www.careerbuilder.com/ShareInfo/Resume.aspx?DID=J93JSN0382.

Best regards,

Cristian Anderson

The email does not have any attachment but only a visible link to the web site Career Builder where you can submit your resume: http://www.careerbuilder.com/ShareInfo/Resume.aspx?DID=J93JSN0382. When using this link, you’ll get an 404 – Page not found error.

But the danger lies with the real link inside the HTML code – hxxp://www.hotelvillaserena.it/resume.exe – that leads to a web site that hosts the malware.

The resume.exe file is 36 kB large and the trojan is known as Mal/Koobface-E (Sophos), VirTool:Win32/VBInject.gen!DG (Microsoft), Win32/Koobface.NX (E-Trust) or Trojan.Win32.VBKrypt (Ikarus).

At the time of writing, only 10 of the 40 AV engines at Virus Total did detect the threath. Virus Total permlink and MD5: 612fc8fc11fa90ef93ba3b681512a00f.