Fake email “COPIE FACTURE SOCIETE LWS FC” contains malicious VBS script


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “[COPIE FACTURE SOCIETE LWS FC-408185] – [LWS INVOICE] 10/09/2014”.

This email is sent from the spoofed address “Service clients LWS <noreply@lws.com>” and has the following body:

S.A.R.L LWS
4, rue galvani
75838 PARIS Cedex 17

Paris, 10/09/2014

Please find attached your invoice with reference: invoice FC-408185 (File: facture-408185) in ZIP format.

If you do not have WinRar (software for reading ZIP files) you can download it here:
http://www.rarlab.com/download.htm

Thank you for the trust you place in us,

The LWS accounting department

NOTE: PLEASE DO NOT REPLY TO THIS EMAIL, NO REPLY WILL BE GIVEN

The attached ZIP file is named FACTURE_45871147.zip and contains the 4 kB file FACTURE_45871147.vbs. The VBS script is encoded to hide its real purpose, but it appears to download other malicious files and install them on the system in order to infect the computer.

The trojan is known as Trojan.Script.Crypt.deehcf or VBS/Dloadr-DVY.

At the time of writing, 2 of the 53 AV engines at VirusTotal detected the trojan.

See the VirusTotal permalink for more detailed information.
SHA256: adf506eebd74dbdd2e23ab2a0918912a95105745226302cca32c760c34d196a5
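With only 2 of 53 engines detecting the sample, a structural check on the attachment is more dependable than signatures. The following mail-filter sketch is an added example, not MX Lab's code: it flags ZIP attachments that contain Windows script files and compares hashes against the SHA-256 above. The extension list, the size cap and the sample message (harmless placeholder content under the advisory's file names) are assumptions constructed for illustration.

```python
import email, hashlib, io, zipfile
from email import policy
from email.message import EmailMessage

# SHA-256 published in the advisory (the page does not say whether it is the ZIP or the VBS).
KNOWN_BAD = {"adf506eebd74dbdd2e23ab2a0918912a95105745226302cca32c760c34d196a5"}
# Assumed policy: Windows script types that have no business inside an invoice archive.
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta")

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def scan_message(raw):
    """Return (attachment, member, reason) findings for one raw RFC 5322 message."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        blob = part.get_payload(decode=True) or b""
        if sha256(blob) in KNOWN_BAD:
            findings.append((name, None, "known-bad hash"))
        if not zipfile.is_zipfile(io.BytesIO(blob)):
            continue
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(SCRIPT_EXT):
                    findings.append((name, info.filename, "script in archive"))
                # Skip encrypted or oversized members (assumed 10 MB cap against zip bombs).
                if info.file_size <= 10_000_000 and not info.flag_bits & 0x1:
                    if sha256(zf.read(info)) in KNOWN_BAD:
                        findings.append((name, info.filename, "known-bad hash"))
    return findings

def build_sample():
    """Constructed sample: file names from the advisory, harmless placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FACTURE_45871147.vbs", "' placeholder, not the real script\n")
    msg = EmailMessage()
    msg["From"] = "Service clients LWS <noreply@lws.com>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "[COPIE FACTURE SOCIETE LWS FC-408185] - [LWS INVOICE] 10/09/2014"
    msg.set_content("constructed body text")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="FACTURE_45871147.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

The placeholder file does not match the published hash, so only the extension rule fires; that rule still catches a repacked or re-encoded variant whose hash has changed.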
