New Email Exploit “Scan upon download” 03.08.10
The email reads:
We have prepared a contract and added the paragraphs that you wanted to see in it. Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment. We are enclosing the file with the prepared contract.
The email has the ZIP archive attached named Contract.zip, a 202 kB large file, and once extracted an executable file named Contract.exe appears.
After being clicked on and run, the following files are created:
A new process is created:
You’ve just been p0wned. Of course the hook here is the social bits. First off, the admonishment of the subject line:
“scan upon download”
Nice touch really.. As not many vendors can see this yet, I am sure this will work pretty well for the mass clickers out there.
My virus scanner said it was ok! CLICK CLICK CLICK!
Second, the whole contract angle. Now, if you are not a sir, and you know nothing of any contracts you might be recieving, why would you click on this? Mostly I think it is because people are generally curious and want to know things that they “shouldn’t” have access to. So they will click on the zip or the “contract” to get the dirt.
The trojan that has just been installed is named Suspicious:W32/Malware!Gemini by F-Secure or Mal/TibsPk-D by Sophos and is able to create malicious executable files on the infected system for you the end user to handily execute later on! YAY!
So far this was seen in the wild today at 1220 EST and only has been picked up by a scant few virus scanners. I expect there to be many more self p0wnings in the next few hours.
Here’s the hint people… If you don’t have business dealings with contracts DONT CLICK and for heavens sake DO NOT CLICK ON AN EXE!