New Javascript malware: Internet Service Fee (87399ID)


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Internet Service Fee (87399ID)” – number will change with each email.

This email is send from the spoofed address “xxxxx ” and has the following body:

Our company has made requested local repairs on your street. You are obligated to pay a fee of $99.00.
More information in the document enclosed.

The attached file caution_*****.*****-DA578_87399.zip (combination with first part of the recipients email address and variable parts) contains the file show4436.js (filename will vary).

The malware is detected by 2/56 AV engines at Virus Total and is detected as Trojan.OddJSwitch/Heur!1.A4FB or Js.Trojan.Raas.Auto.

Note: no Malwr analysis is available because the service takes too long at this moment.