MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Thursday, 18 January 2007

Diamonds are a Malware Spammer's Best Friend...

Here's a post from one of my colleagues [Darren] who kindly wrote this posting for me when I was tied up trying to finish a very urgent report [many thanks for doing this for me Darren].

We have been made aware of a number of emails purporting to come from an online jewellery store, notifying you that the credit card you used for your recent order has a few problems. You've got a bill for £500+ sat there, along with a "form" attached that they're asking you to fill in to confirm the information.

The email looks like this:

Dear Customer,
This is an automatic message from JewelleryCatalogue.co.uk Secure Online Checkout directed to the e-mail address included in your billing
information. Please do not reply to this message!

Your credit card transaction is pending. The system reported the following error: (3100) Invalid CardIDName
Please verify the transaction details in the form attached and submit your credit card details again. Alternatively, you can go back to
the payment method selection page and pick an alternative mode of payment.

Items in cart:

3104B 9ct White Gold Diamond Necklace 1 215.58
6249E 9ct White Gold Diamond Onyx Cufflinks 1 338.67

Extra:

Free Platinum Gold Silver Cloth 1 0.00

Post:

Next Day Insured Signed for P&P 1 4.95
Total: 559.20

Tip: If you plan to be a frequent user of our Online Shop you may wish to store your name and address on your computer. These details are
securely passed through 128-bit SecureTrading system to us when you make a purchase.

Sincerely,

JewelleryCatalogue.co.uk

Fine Diamonds & Quality Jewellery.
We promise you the lowest prices in the UK.
GUARANTEED.

----Attachments----
Content-Disposition: attachment; filename="PF-3001-2420.exe"



Eeek! You're being charged for an order you haven't made, £338 for cufflinks too!!! Checking that your email address isn't Peter-Stringfellow@stringfellows.net, you quickly load the attachment in order to sort this mess out - OOPS!

The attachment you've just loaded is in fact malware that connects to a website (which is down at the time of writing) and downloads all sorts of nasty apps. This is what the AV vendors have on it at the moment:

Scan report of: PF-3001-2420.exe.1

@Proventia-VPS -
AntiVir TR/Dldr.DElf.OR.20
Avast! -
AVG -
BitDefender DeepScan:Generic.Malware.dld!!.F2718523
ClamAV Trojan.Downloader-640
Command W32/Downloader.gen10
Dr Web -
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET Win32/SillyDl.CEK
eTrust-VET (BETA) Win32/SillyDl.CEK
Ewido -
F-Prot W32/Downloader.gen10
F-Secure Trojan-Downloader.Win32.Tiny.fo
F-Secure (BETA) Trojan-Downloader.Win32.Tiny.fo
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus Trojan-Downloader.Win32.Tiny.fo
Kaspersky Trojan-Downloader.Win32.Tiny.fo
McAfee -
McAfee (BETA) Generic Downloader.ab trojan
Microsoft -
Nod32 Win32/TrojanDownloader.Tiny.NCA trojan (variant)
Norman W32/Downloader (Sandbox)
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal Suspicious (warning)
Rising -
Sophos Troj/DwnLdr-FYB
Symantec -
Symantec (BETA) Downloader
Trend Micro -
Trend Micro (BETA) TROJ_DLOADER.GPY
UNA -
VBA32 Win32.Trojan.Downloader (suspected)
VirusBuster -
WebWasher Trojan.Dldr.DElf.OR.20
YY_Spybot -


Allowing the file to run in a controlled environment shows us more information about what it does.

Sandbox report: 12:16:53

PF-3001-2420.exe.1 : W32/Downloader (Signature: W32/DLoader.BRTQ)

[ General information ]
* File length: 2614 bytes.
* MD5 hash: badaaae82fcf611b67b053960f2f4144.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\TEMP\suhoy361.exe.

[ Network services ]
* Downloads file from http://...com/downloads/suhoy361.exe as C:\WINDOWS\TEMP\suhoy361.exe.

[ Security issues ]
* Starting downloaded file - potential security problem.

[ Process/window information ]
* Attemps to open C:\WINDOWS\TEMP\suhoy361.exe .

[ Signature Scanning ]
* C:\WINDOWS\TEMP\suhoy361.exe (4096 bytes) : no signature detection. 12:16:54


The jeweller in question is the victim in all this; sending people viruses isn't usually good for business. As you've probably guessed, the emails don't in fact originate from them. Here's what they have to say:



As usual, be very sceptical of any emails you get out of the blue telling you that you've won something, that your bank needs to confirm your details, that your eBay account has been cancelled, etc., especially ones that encourage you to run an attachment (remember ILOVEYOU?). NEVER run any attachments that look suspicious; where necessary, check with the sender first. Would you like to be responsible for a new virus outbreak?
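Lures like this one are cheap to stop at the mail gateway: the message carries a bare .exe as its attachment, and a gateway can refuse such messages before a customer ever sees them. The check below is an added example (not code from the original post or from the jeweller); it uses Python's standard email library, and the sample message it builds is constructed to mirror the lure, with a dummy 'MZ' header standing in for the real attachment.

```python
# Added example: flag mail attachments that look like Windows executables,
# by declared filename and by file content. The sample message is constructed;
# its attachment is a dummy 'MZ' header, not the malware from the post.
import email
from email import policy
from email.message import EmailMessage

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def build_sample_message(filename="PF-3001-2420.exe",
                         payload=b"MZ" + b"\x00" * 62) -> bytes:
    """Construct a message resembling the lure: text body plus one attachment."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"  # placeholder sender
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "Your credit card transaction is pending"
    msg.set_content("Please verify the transaction details in the form attached.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def suspicious_attachments(raw: bytes) -> list:
    """Return one finding per attachment that looks like a Windows executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lower = name.lower()
        reasons = []
        # 1. Extension of the declared filename (also catches "invoice.pdf.exe").
        if any(lower.endswith(ext) for ext in EXECUTABLE_EXTS):
            reasons.append("executable extension")
        # 2. File content, independent of the name: PE files begin with 'MZ'.
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            reasons.append("MZ magic (PE header)")
        # 3. A second extension is a classic disguise ("receipt.doc.exe").
        if lower.count(".") >= 2 and reasons:
            reasons.append("double extension")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_attachments(build_sample_message()):
        print(f"BLOCK {finding['filename']}: {', '.join(finding['reasons'])}")
```

The content check matters because renaming the file does not change its first two bytes, so a gateway should block on either signal rather than the filename alone.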
