MX Lab Finds Bogus E-Gift Spam Mails
According to security company MX Lab, a fresh e-mail scam is circulating: spam messages that pretend to deliver a gift sent by one of the recipient's friends.
The e-mails are reportedly spoofed to appear to come from freeze.com, a website that offers desktop downloads such as wallpapers, screensavers and icons.
The messages address the recipient as a friend and say that someone who truly cares about him has just sent him a screensaver.
Specifically, the text says the sender has not heard from the recipient in a long time and is therefore sending a gift he hopes the recipient will enjoy. It goes on to say that the sender has only just learned of the freeze.com site, which his friend Sharon forwarded, and that the recipient must click a given web link to download or view the three-dimensional live Dolphins.
The link, however, leads to a file named gift.pif, hosted on what is probably a compromised website.
That file installs Backdoor.IRCBot, which together with Trojan.RunKeys launches trojans on the infected PC each time it boots.
Worryingly, security researchers note that alongside this malicious e-mail campaign, cyber-criminals are running a second, slightly different one.
MX Lab issued a report that lends weight to this observation: the company had begun tracking a new Trojan-distributing e-mail campaign whose subject line reads "United Parcel Service Notification" and which is sent from the spoofed address "United Parcel Service firstname.lastname@example.org".
The image used in the body of the e-mail appears broken when the recipient views it on his PC: it links to a .jpg on a server that holds no such file. The attached compressed archive, named document.zip, contains a large .exe file.
Different security companies name the Trojan differently: Trend Micro calls it TROJ_SPYEYE.SMEP, SuperAntiSpyware Trojan.Agent/Gen-FakeAlert[RnGlobal] and Fortinet W32/Bamital.FA!tr.
Unfortunately, only five of VirusTotal's 43 AV engines detect the Trojan.
To stay safe from these attacks, users should install anti-virus software and keep it up to date.
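As an added illustration (not MX Lab's or SPAMfighter's code), the following Python triage routine checks a message for the two indicators described above: a body link that points at an executable such as gift.pif, and a .zip attachment that carries an .exe. The sample message, the address example.invalid and the archive contents are constructed placeholders.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions a mail gateway should treat as executable content (.pif included).
EXECUTABLE_EXT = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd")


def executable_links(body_text):
    """Return URLs in the body whose path ends in an executable extension."""
    urls = re.findall(r"https?://\S+", body_text)
    return [u for u in urls if u.lower().rstrip(".,)").endswith(EXECUTABLE_EXT)]


def executables_in_zip(data):
    """List zip members that are executables; only the directory is read, nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT)]


def triage(raw_message):
    """Return a list of findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        for url in executable_links(body.get_content()):
            findings.append(f"link to executable: {url}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True)
        if name.lower().endswith(".zip") and payload:
            for member in executables_in_zip(payload):
                findings.append(f"executable {member} inside {name}")
        elif name.lower().endswith(EXECUTABLE_EXT):
            findings.append(f"executable attachment: {name}")
    return findings


def build_sample():
    """Constructed lure mimicking the campaigns above: a gift.pif link plus document.zip holding an .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe", b"placeholder bytes, not a real program")
    m = EmailMessage()
    m["From"] = "United Parcel Service <notify@example.invalid>"  # spoofed display name
    m["Subject"] = "United Parcel Service Notification"
    m.set_content("Your friend sent you a gift: http://example.invalid/gift.pif")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="document.zip")
    return m.as_bytes()
```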
» SPAMfighter News - 17-03-2011