MX Lab, http://www.mxlab.eu, has intercepted a series of emails with malware attachments over the last few days, with subjects like “FW:You HAVE to check this photo in attachment man”, “Re:Why did you put this photo online?”.
The email is sent from spoofed addresses and has one of the following possible bodies:
Sorry to disturb you , – I have a question- have you seen this picture of yours in attachment?? Three facebook friends sent it to me today… why did you put it online? wouldn’t it harm your job? what if parents see it? you must be way cooler than I thought about you man
Hi there ,But I really need to ask you – is it you at this picture in attachment? I can’t tell you where I got this picture it doesn’t actually matter…The question is is it really you???.
Sorry to disturb you , – I got to show you this picture in attachment. I can’t tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who’s that dude??.
The attached ZIP file is named IMG0962.zip and contains the 34 kB file IMG0962.exe.
The trojan is known as Trojan.Generic.KDV.605053 (BitDefender), W32/Trojan3.DLK (F-Prot), W32/Dapato.AYIQ!tr (Fortinet), Downloader.Dromedan (Symantec), Win32/TrojanDownloader.Agent.RAG (NOD32).
VirusTotal permalink and SHA256: b07be0011852021bd891088b1ec25b67ef795101932b2f0d99fc4787eb204cbd.
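A mail-gateway style check for the pattern described above (a ZIP attachment whose member is an executable), added here as an example and not taken from MX Lab. The function names, the extension list, the size cap and the constructed sample message are assumptions; only the SHA256, the file names and the subject line come from the advisory.

```python
import email
import hashlib
import io
import zipfile
from email.message import EmailMessage

# SHA256 quoted in the advisory. The page does not say whether it is the hash of
# the ZIP or of the EXE, so the archive and every member are both compared.
KNOWN_SHA256 = {"b07be0011852021bd891088b1ec25b67ef795101932b2f0d99fc4787eb204cbd"}
EXEC_EXT = (".exe", ".scr", ".pif", ".com")  # assumed block list, not from the page
MAX_MEMBER = 10 * 1024 * 1024  # assumed cap: skip hashing members declared larger


def scan_message(raw: bytes) -> list:
    """Return findings for ZIP attachments carrying executables or a known hash."""
    findings = []
    for part in email.message_from_bytes(raw).walk():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True)  # None for multipart containers
        if not data or not name.lower().endswith(".zip"):
            continue
        if hashlib.sha256(data).hexdigest() in KNOWN_SHA256:
            findings.append(f"{name}: archive matches known SHA256")
        try:
            archive = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            findings.append(f"{name}: unreadable ZIP")
            continue
        for info in archive.infolist():
            if info.filename.lower().endswith(EXEC_EXT):
                findings.append(f"{name}: executable member {info.filename}")
            if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER:
                continue  # encrypted or oversized: name check only
            if hashlib.sha256(archive.read(info)).hexdigest() in KNOWN_SHA256:
                findings.append(f"{name}: member {info.filename} matches known SHA256")
    return findings


def build_sample(member: str = "IMG0962.exe") -> bytes:
    """Constructed message: harmless placeholder bytes inside IMG0962.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed placeholder, not malware")
    msg = EmailMessage()
    msg["Subject"] = "Re:Why did you put this photo online?"
    msg.set_content("constructed body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="IMG0962.zip")
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` flags the executable member by name; the hash checks only fire on the real sample, which the constructed message does not contain.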