May 26, 2007

Malware Authors Will Try Anything

I received a typical malware-laden email tonight that packed a double whammy. The attachment was a file named Document.zip. The Subject line was "Your help is necessary. If yo". The message body was the following:

Your help is necessary. If yuo will not help - I a corpse! Oepn a page tehre all it is written

That translates to the following English:

Your help is necessary. If you will not help - I am a corpse! Open a page there. Everything is written there.

I ran the attached file through VirusTotal, which passes the file's signature through about 30 different malware databases. Most of the major antivirus vendors identified the file as a Trojan loader, which installs itself as a rootkit—particularly difficult to remove.

At the bottom of the email message body was also a URL of a web site in Russia. The URL wasn't coded with anything to reveal my email address, so I retrieved the content of the page through a non-browser process (in the Mac OS X Terminal program). If I had visited the site with Windows Internet Explorer, I would have seen merely a "404" page, trying to make me think the actual page wasn't found. But, in truth, the page was found, presenting the bogus 404 message. Behind the scenes, JavaScript would be running to load spyware into the PC.
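As an added illustration (not code from the original post), here is a small inspection script along the lines of the non-browser retrieval described above: it fetches a page with a plain HTTP client that never executes JavaScript, then flags the "bogus 404" pattern, a server that answers 200 while the body claims the page was not found, together with any script or zero-sized iframe elements a browser would have run silently. The User-Agent string, the `fetch`/`analyze` function names and the embedded sample HTML are constructed for this example.

```python
import re
import urllib.error
import urllib.request

# Constructed sample (not from the original post): a page whose body says
# "404 Not Found" but which the server actually delivers with HTTP 200,
# carrying a <script> and a zero-sized <iframe>.
SAMPLE_STATUS = 200
SAMPLE_BODY = """<html><head><title>404 Not Found</title></head>
<body><h1>Not Found</h1><p>The requested URL was not found.</p>
<script type="text/javascript">document.write("loading...")</script>
<iframe src="http://example.invalid/x" width="0" height="0"></iframe>
</body></html>"""

FAKE_404_MARKERS = ("404", "not found")


def fetch(url, timeout=10):
    """Retrieve a page with a non-browser client and return (status, body).

    Nothing in the response is rendered or executed; the client also
    identifies itself honestly rather than pretending to be a browser.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "page-inspector/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # A genuine 404 arrives here; keep the body so it can still be examined.
        return err.code, err.read().decode("utf-8", "replace")


def analyze(status, body):
    """Flag a 'not found' page that was really served with 200, and count the
    script / hidden-iframe elements that make such a page worth worrying about."""
    text = body.lower()
    findings = {}
    claims_404 = any(marker in text for marker in FAKE_404_MARKERS)
    findings["fake_404"] = status == 200 and claims_404
    findings["script_tags"] = len(re.findall(r"<script\b", text))
    findings["hidden_iframes"] = len(
        re.findall(r'<iframe\b[^>]*(?:width|height)="?0\b', text))
    findings["suspicious"] = bool(
        findings["fake_404"]
        and (findings["script_tags"] or findings["hidden_iframes"]))
    return findings


if __name__ == "__main__":
    print(analyze(SAMPLE_STATUS, SAMPLE_BODY))
```

A real 404 (status 404 with a "not found" body) is not flagged; only the mismatch between what the server says and what the page pretends trips the check.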

And so, yet another chapter (among thousands) in the story of malware propagators vs. computer users. The social engineering of this particular message is nasty (nastier still, if it had been written in better English). And, just in case you don't open the attachment, a URL can take you to a site ready to do a drive-by malware installation for you.

