Emails with URL that contains /docdown/ will download malware


MX Lab, http://www.mxlab.eu, is intercepting emails with a potentially dangerous URL embedded in the body of the message. The URL contains the path segment /docdown/ and points to a ZIP file hosted online.

Subjects vary and the emails are sent from different spoofed sender addresses; here are some samples (the Dutch text is translated, the URLs are kept as they appeared, defanged with hxxp):

Good morning,

The answer to your question about the profile on the website of 30.11.2011
hxxp://www.quattro-stagioni.it/docdown/Factuur.zip?idinvoice=1615847338768Firma=ontario583@csk-rijssen.nl

We look forward to working together in the future.

The answer to your question about the profile on the website of 30.11.2011
hxxp://www.sanseverocommunity.com/docdown/Factuur.zip?idinvoice=27043890762Firma=info@bloemex.nl

The trojan is detected as Artemis!6287782884ED (McAfee), Downloader.Dromedan (Symantec), Trojan.Win32.Yakes (Ikarus) and Trojan.Generic.7001815 (BitDefender).

At the time of writing, 37 of the 43 AV engines at VirusTotal detected the trojan.

VirusTotal permalink and MD5: 6287782884edba7ca26df03942798739.
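The two indicators this post gives, a /docdown/ path serving a ZIP and the MD5 of the sample, can be turned into a small mail-filter check. The Python below is an added example written for this page, not MX Lab's own filter; the email bodies are constructed from the samples quoted above, the third body is a constructed clean message, and the regex deliberately accepts both defanged (hxxp) and live (http) URLs so it can be run over this post's text as well as real mail.

```python
from __future__ import annotations

import hashlib
import re

# Constructed sample bodies modelled on the two lure emails quoted in this
# post, plus one benign message to show the filter does not fire on it.
SAMPLE_EMAILS = [
    """Good morning,

The answer to your question about the profile on the website of 30.11.2011
hxxp://www.quattro-stagioni.it/docdown/Factuur.zip?idinvoice=1615847338768Firma=ontario583@csk-rijssen.nl
""",
    """The answer to your question about the profile on the website of 30.11.2011
hxxp://www.sanseverocommunity.com/docdown/Factuur.zip?idinvoice=27043890762Firma=info@bloemex.nl
""",
    """Hi, the minutes are at http://intranet.example.com/docs/minutes.pdf - thanks""",
]

# The MD5 published in this post for the downloaded trojan.
KNOWN_BAD_MD5 = {"6287782884edba7ca26df03942798739"}

# Matches http://, https:// and the defanged hxxp:// / hxxps:// forms;
# a URL ends at whitespace or an angle bracket.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s<>]+", re.IGNORECASE)


def extract_urls(body: str) -> list[str]:
    """Return every URL-looking token in an email body."""
    return URL_RE.findall(body)


def is_docdown_lure(url: str) -> bool:
    """Campaign pattern from the post: a /docdown/ path segment that serves a .zip.

    The query string is stripped first so that the '?idinvoice=...' tail seen in
    the samples does not hide the .zip extension.
    """
    path = url.split("?", 1)[0].lower()
    return "/docdown/" in path and path.endswith(".zip")


def scan_email(body: str) -> list[str]:
    """Return the lure URLs found in one email body (empty list if clean)."""
    return [u for u in extract_urls(body) if is_docdown_lure(u)]


def scan_all(bodies: list[str]) -> list[tuple[int, list[str]]]:
    """Scan a batch of bodies; only messages with at least one hit are returned."""
    hits = []
    for idx, body in enumerate(bodies):
        found = scan_email(body)
        if found:
            hits.append((idx, found))
    return hits


def md5_hex(data: bytes) -> str:
    """MD5 of a downloaded payload, for comparison with the published hash."""
    return hashlib.md5(data).hexdigest()


def is_known_sample(data: bytes) -> bool:
    """True if the payload's MD5 is one of the hashes published for this campaign."""
    return md5_hex(data) in KNOWN_BAD_MD5


if __name__ == "__main__":
    for idx, urls in scan_all(SAMPLE_EMAILS):
        print(f"email {idx}: /docdown/ ZIP lure -> {urls}")
```

The URL check is a quick tactical block for this campaign: the path segment and the .zip extension are both under the attacker's control and will change, so the hash match (or a real AV verdict) is the check to keep once the /docdown/ pattern stops appearing.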
