Corporate mail spam drops Haxdoor

Posted by Virus Bulletin on Aug 31, 2006

Business-related message carries trojan.

A vaguely official-sounding email is being widely spammed, claiming to relate to some nebulous business activity between the sender and recipient, but actually forming another vector for spreading malware. The text reads like a variant of the classic 419 scam, but veers off into a lure to open the infected attachment.

The body of the email reads as follows:

    Hello! Maybe you can explain me what's going on? My name is [sender], since recent times I've been working online for a company, which has a site www.[suspect website].biz. I performed financial transactions consisted in receiving and transferring money into different payment systems. When I read notifications from company about new tasks, in the letter's recipients list were more than one e-mail, including yours: [recipient's address]

    Maybe you are also member of the company? The last received order was to receive large amount of money (40000 USD) transferred on my Bank of America account. However, the task wasn't completely fulfilled. Those properties given by the company, turned out to be closed for some reason. I wanted to write in Support service, but to my great surprise, the site of this organization is not available now, and e-mail sends back letters.

    I think you are somehow related to the company and will be able to help me. I responsibly performed my duties and am willing to work again. In the attachment I wrote the details of received payment, fed ware, and properties, given for sending. I'm looking forward to hearing from you soon.

Attached to the mail, usually as a file named 'au.exe', is a variant of the 'Haxdoor' backdoor trojan; most AV products already detect it, either by a specific signature or generically. Because the filename and the variant can change between mailings, blocking executable attachments at the mail gateway is a more reliable control than matching on the name alone.
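The lure text and the attachment characteristics above are enough to write a simple gateway-side triage check. The following is an added illustration, not Virus Bulletin's code: it parses a message with the Python standard library, flags attachments that are executables by extension or by the 'MZ' DOS header regardless of name, and counts how many phrases from the quoted lure appear in the body. The sample message is constructed for the example (placeholder addresses, a harmless MZ stub instead of the real au.exe).

```python
"""Triage check for the Haxdoor spam lure (added example, not the post's own code)."""
import email
from email import policy
from email.message import EmailMessage

# Phrases taken from the lure text quoted in the post (lower-cased for matching).
LURE_PHRASES = (
    "explain me what's going on",
    "i've been working online for a company",
    "transferred on my bank of america account",
    "in the attachment i wrote the details",
)

# Extensions Windows will execute directly; the campaign used 'au.exe'.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def is_pe_payload(data: bytes) -> bool:
    """True if the bytes start with the 'MZ' DOS header every Windows PE carries.

    Catches a renamed executable (e.g. 'details.doc') that the extension check misses.
    """
    return data[:2] == b"MZ"


def score_message(raw: bytes) -> dict:
    """Return lure-phrase hits, executable attachments, and an overall verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    phrase_hits = [p for p in LURE_PHRASES if p in text]

    exec_attachments = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(EXEC_EXTENSIONS) or is_pe_payload(payload):
            exec_attachments.append(name or "<unnamed>")

    return {
        "phrase_hits": phrase_hits,
        "exec_attachments": exec_attachments,
        # An executable plus two or more lure phrases is enough to quarantine.
        "suspicious": bool(exec_attachments) and len(phrase_hits) >= 2,
    }


def build_sample() -> bytes:
    """Constructed sample resembling the campaign; not a captured message."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"      # placeholder, not a real sender
    msg["To"] = "recipient@example.com"     # placeholder, not a real recipient
    msg["Subject"] = "Maybe you can explain?"
    msg.set_content(
        "Hello! Maybe you can explain me what's going on? My name is X, since recent "
        "times I've been working online for a company. In the attachment I wrote the "
        "details of received payment."
    )
    stub = b"MZ" + b"\x00" * 62             # harmless DOS header stub standing in for au.exe
    msg.add_attachment(stub, maintype="application", subtype="octet-stream",
                       filename="au.exe")
    return bytes(msg)


if __name__ == "__main__":
    print(score_message(build_sample()))
```

The MZ-header check matters more than the extension list: the next mailing can rename the attachment, but the dropper still has to be a Windows executable to run.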
