New Word malware: Email from Transport for London


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Email from Transport for London”.

This email is sent from the spoofed address "noresponse@cclondon.com" and has the following body:

Dear Customer,

Please open the attached file to view correspondence from Transport for
London.

If the attachment is in PDF format you may need Adobe Acrobat Reader to
read or download this attachment.

If you require Adobe Acrobat Reader this is available at no cost from
the Adobe Website http://www.adobe.com

Thank you for contacting Transport for London.

Business Operations
Customer Service Representative

In our mail client, the email wasn't parsed correctly and the raw email encoding was visible, making the attached file less accessible. The attachment is displayed as:

--=_5670F60323811420E10080000A82A3EC
Content-Disposition: attachment;
filename="FR7000609906.DOC"
Content-Type: application/msword;
name="FR7000609906.DOC"
Content-Transfer-Encoding: base64
Content-Description: FR7000609906.doc

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAACAAAAIgAAAAAA
AAAAEAAAJAAAAAEAAAD+////AAAAACEAAAB+AAAA////////////////////////////////
////////////////////////////////////////////////////////////////////////

Again, this is a malware campaign and the Word file contains a macro, so if your email reader allows you to click on the attached Word file, please do not open it and delete the email.
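
A mail filter can still catch a message like this even when the MIME structure is broken and the attachment shows up as text in the body. The following is an added example, not MX Lab's code: it looks for a visible boundary line followed by attachment headers and base64 data, then checks whether the first decoded bytes are the OLE2 container header used by legacy .DOC files. The function name, the regular expression and the sample body (constructed from the headers shown above) are assumptions for illustration.

```python
import base64
import re

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls container header

# Constructed sample: a text body in which the MIME part was left unparsed,
# reusing the part headers and first base64 lines shown in the post.
SAMPLE_BODY = """Dear Customer,

--=_5670F60323811420E10080000A82A3EC
Content-Disposition: attachment;
 filename="FR7000609906.DOC"
Content-Type: application/msword;
 name="FR7000609906.DOC"
Content-Transfer-Encoding: base64
Content-Description: FR7000609906.doc

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAACAAAAIgAAAAAA
AAAAEAAAJAAAAAEAAAD+////AAAAACEAAAB+AAAA////////////////////////////////
"""

# Boundary line, header lines, blank line, then base64 payload lines.
PART_RE = re.compile(
    r"^--(?P<boundary>\S+)\r?\n"
    r"(?P<headers>(?:[^\r\n]+\r?\n)+?)"
    r"\r?\n"
    r"(?P<data>(?:[A-Za-z0-9+/=]+\r?\n)+)",
    re.MULTILINE,
)

def find_unparsed_attachments(body: str) -> list:
    """Report base64 attachment parts that are visible inside a text body."""
    findings = []
    for m in PART_RE.finditer(body):
        headers = m.group("headers")
        if "base64" not in headers.lower():
            continue
        name = re.search(r'filename="?([^"\r\n;]+)', headers, re.I)
        # 16 base64 characters decode to 12 bytes, enough to cover the 8-byte magic.
        first = re.sub(r"\s+", "", m.group("data"))[:16]
        try:
            head = base64.b64decode(first + "=" * (-len(first) % 4))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        findings.append({
            "filename": name.group(1) if name else None,
            "is_ole2": head.startswith(OLE2_MAGIC),
        })
    return findings

if __name__ == "__main__":
    print(find_unparsed_attachments(SAMPLE_BODY))
```

An OLE2 match only identifies the container format; whether the document carries a macro still has to be established by inspecting the decoded file in a sandbox or with a dedicated Office analysis tool.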