Email with subject “Re: Job Interview” leads to site that hosts the Koobface trojan in resume.exe file

MX Lab started to intercept messages with the subject “Re: Job Interview” from various different spoofed email addresses.

The body of the email:

Dear Employee,

Could I get an update on your resume? Your cooperation will be appreciated in this matter.

The resume we have on file for you is

Best regards,

Cristian Anderson

The email does not have any attachment but only a visible link to the web site Career Builder where you can submit your resume: When using this link, you’ll get an 404 – Page not found error.

But the danger lies with the real link inside the HTML code – hxxp:// – that leads to a web site that hosts the malware.

The resume.exe file is 36 kB large and the trojan is known as Mal/Koobface-E (Sophos), VirTool:Win32/VBInject.gen!DG (Microsoft), Win32/Koobface.NX (E-Trust) or Trojan.Win32.VBKrypt (Ikarus).

At the time of writing, only 10 of the 40 AV engines at Virus Total did detect the threath. Virus Total permlink and MD5: 612fc8fc11fa90ef93ba3b681512a00f.