
Thursday, 23 October 2008

"WorldPay CARD transaction Confirmation" / "Academic Resources Center Inc." trojan

This is a fake email message pretending to be from WorldPay relating to a payment to "Academic Resources Center Inc".

There's an attached ZIP file. The ZIP contains an EXE designed to look like a DOC, but oddly with an icon that looks like Excel. Of course, this is actually a nasty trojan rather than a real document.

This is one good reason why you should not hide extensions for known file types on your PC - the icon on the left looks like it has the DOC extension, but only because the real EXE extension has been hidden and is revealed on the right.

VirusTotal indicates patchy detection rates, including TrojanSpy:Win32/Zbot.gen!C, Trojan.Win32.FraudPack.gle, Trojan-Spy:W32/Zbot.VM, W32/Trojan3.DU and TROJ_FAKEALE.AI, plus some generic heuristic detections.

In this case, the ZIP is called WorldPay_CARD_Transaction_Confirmation_OrderNo76644.doc.zip and the EXE is WorldPay_CARD_Transaction_Confirmation_OrderNo76644.doc.exe, but this may be randomly generated.
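As an added example (not part of the original post), this is the kind of check a mail filter can run on a ZIP attachment to catch the `.doc.exe` naming described above without relying on antivirus signatures. It also treats padding spaces before the real extension and trailing dots as the same trick, which goes beyond the single file name seen here; the extension lists and function names are assumptions chosen for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists for this example; extend to match local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DECOY_EXTS = {".doc", ".xls", ".pdf", ".txt", ".jpg", ".htm", ".html"}


def disguised_executable(name: str) -> bool:
    """True if the name ends in an executable extension that follows a
    document-style extension, e.g. 'invoice.doc.exe'."""
    # Windows ignores trailing dots and spaces, so strip them first.
    base = PurePosixPath(name.replace("\\", "/")).name.rstrip(". ").lower()
    parts = base.rsplit(".", 2)
    if len(parts) < 3:
        return False
    decoy, real = "." + parts[1].strip(), "." + parts[2].strip()
    return real in EXECUTABLE_EXTS and decoy in DECOY_EXTS


def scan_zip_attachment(data: bytes) -> list[str]:
    """Return the member names in a ZIP attachment that look disguised."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return [n for n in archive.namelist() if disguised_executable(n)]


def build_sample_zip() -> bytes:
    """Constructed sample: harmless placeholder bytes under the file name
    quoted in the post, plus one ordinary document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(
            "WorldPay_CARD_Transaction_Confirmation_OrderNo76644.doc.exe",
            b"placeholder, not an executable")
        archive.writestr("readme.doc", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member in scan_zip_attachment(build_sample_zip()):
        print("disguised executable:", member)
```

The check reads only the archive's file listing, so nothing inside the ZIP is extracted or executed.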

Subject: WorldPay CARD transaction Confirmation
From: "Jana Rivera"

Thank you! Your transaction has been processed by WorldPay, on behalf of Academic
Resources Center Inc.
The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Academic Resources Center Inc has received your order,
and will inform you about delivery.
The AcaDemon Team
Enquiries
This confirmation only indicates that your transaction
has been processed successfully. It does not indicate that your order has been
accepted. It is the responsibility of Academic Resources Center Inc to confirm that
your order has been accepted, and to deliver any goods or services you have ordered.

If you have any questions about your order, please email Academic Resources Center
Inc at: followup@acade66Smicresourcescenter.com, with the transaction details listed
above. Thank you for shopping with Academic Resources Center Inc.

UPDATE 24/4/09: There's a similar spam run happening again, details are here.


Mike said...

Yeah, I received this email today. I knew I hadn't made any transaction via Worldpay so I thought it must be a fake. Glad I read your comments.

Ed said...

Just received a similar email from WorldPay Card ... but this time from "Amazon" vs. "Academic Resources Center" ... same context; zip file labeled: WorldPay TRANS 8651.zip

Dale said...

I am receiving this bogus Amazon purchase confirmation frequently. Since I did not order anything, I did not open it. Thanks for the confirmation that it is a virus looking for a sucker.

Dale said...

I have received several emails confirming my worldpay purchase from Amazon. Since I had not purchased anything, I was suspicious. Thanks for your confirmation that it is a virus looking for a fool.

Steve said...

I also received this e-mail today with thanks for my transaction with Amazon (which is apparently fake).
I almost opened it but halfway I changed my mind... Glad I read this page and comments.

WooSnapper! said...

I received the "Amazon" version today at work. Much like others, I hadn't ordered anything from Amazon and had never heard of Worldpay, so I didn't click on the included link but rather hit the internet to research it. Glad to find it is a virus and I'll be deleting the email.

Mark said...

Got one of these today - I think it's updated, they referenced Amazon in the message as other comments suggest, but the attachment is just an HTML whose only code is a meta refresh to download the .exe.