Portuguese Spam Exploits the Name of Symantec
A Portuguese spam message has been found tricking PC users into downloading and installing a fraudulent Symantec product, SecurityPark reported on November 13, 2008. The spoofed messages embed two images hosted on the well-known site "imageshack.us".
As usual, whatever the e-mail text says, the spammed link in these Portuguese messages points to a bogus URL rather than a Symantec website. Specifically, the link leads to a compromised Czech website hosting malware at www.[legit-domain].cz/[www.symantec.com.br]vacina.exe, where the Symantec domain name appears only in the path of the URL, not in the actual host.
According to researchers, the file in question is a Trojan horse written in Delphi (a software development environment for Microsoft Windows applications). The file, proactively detected as Mal/DelpDldr-C, downloads two more Trojan horses from the same Czech site and displays a bogus error message when run.
Security firm Sophos confirmed proactive detection of the first downloaded executable as Mal/Behav-103. The other file, "ashsert.exe", is an installer that downloads a banking Trojan, detected as Mal/DelpBanc-A.
Security experts said this is yet another example of the value of effective proactive detection: even if a user falls for the social engineering and clicks the bogus link, proactive detection of the downloader and the Trojans used in the attack greatly reduces the likely impact on victims; in this incident, to nothing.
The experts also advised users to be vigilant so as not to fall for such tricks. Users should examine the message headers to confirm that they match the company that purportedly sent the message.
It is noteworthy that another Portuguese spam e-mail emerged in October 2008. It stated that the user's PC had been examined by the Symantec Security Check System and that several harmful flaws had been found. It further claimed that the PC had been attacked by the virus "Worm@bda.267". Users were then prompted to click the supplied link to download updates that would protect their systems from this virus. In reality, no virus named Worm@bda.267 exists.
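The two checks the article points to, comparing the claimed sender with the real host behind each link and noticing when a trusted domain appears only in the URL path (as in the vacina.exe link above), can be automated on incoming mail. The following is an added example, not code from the article or from Symantec or Sophos; the e-mail it parses is constructed here, and the host name legit-example.cz is a placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message mimicking the pattern described in the article:
# a lure link on an unrelated host with the brand's domain placed in the path.
SAMPLE_EMAIL = """From: Symantec <suporte@symantec.com.br>
Subject: Atualizacao de seguranca
Content-Type: text/plain

Baixe a vacina: http://www.legit-example.cz/www.symantec.com.br/vacina.exe
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".bat", ".pif")


def sender_domain(msg):
    """Domain of the address in the From: header, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower()


def check_links(raw_email):
    """Return (url, real_host, reasons) for every link in the message body.

    A link is consistent with the claimed sender only if its host is that
    domain or a subdomain of it; an empty reasons list means no finding.
    """
    msg = message_from_string(raw_email)
    claimed = sender_domain(msg)
    body = msg.get_payload()  # single-part text body in this example
    findings = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        path = parsed.path.lower()
        reasons = []
        if host != claimed and not host.endswith("." + claimed):
            reasons.append(f"link host {host} is not under sender domain {claimed}")
        if claimed in path:
            reasons.append("sender domain appears in the URL path, not the host")
        if path.endswith(EXECUTABLE_SUFFIXES):
            reasons.append("link points directly at an executable")
        findings.append((url, host, reasons))
    return findings


def is_suspicious(raw_email):
    return any(reasons for _, _, reasons in check_links(raw_email))
```

Run against the sample, the single link is reported with all three reasons; a link to a host under symantec.com.br that is not an executable would produce an empty reasons list.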
» SPAMfighter News - 28-11-2008