
Thursday, 16 May 2013

"Invoice Copy" spam / invoice copy.zip

This fake invoice email contains a malicious attachment:

Date:      Thu, 16 May 2013 00:27:41 -0500 [01:27:41 EDT]
From:      Karen Parker [Kk.parker@tiffany.com]
Subject:      invoice copy

Kindly open to see export License and payment invoice attached, meanwhile we sent the balance payment yesterday. Please confirm if it has settled in your account or you can call if there is any problem.
Thanks
Karen parker
The attachment is invoice copy.zip, which in turn contains an executable invoice copy.exe with a spreadsheet-style icon to disguise it. VirusTotal detection is a pretty poor 7/45, and the detections that do exist identify it as a Zbot variant.

The Comodo CAMAS report indicates that the malware appears to rummage through address books, and gives the following characteristics:

Size: 331776
MD5: ebdcd7b8468f28932f235dc7e0cd8bcd
SHA1: a3d251b8f488ef1602e7016cb1f51ffe116d7917
SHA256: 4b15971cf928a42d44afdf87a517d229e4aabbb5967cb9230a19592d2b939fe6

The ThreatExpert report and Anubis report are pretty inconclusive. The ThreatTrack report is nicely detailed and gives some details about network connections which I haven't had a chance to analyse yet.

As ever, blocking EXE-in-ZIP files at the perimeter is the best way to guard against this type of threat.
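As an added example (not from the original post, and not a tool the post mentions), here is a Python check of the kind a mail gateway could apply to implement the "block EXE-in-ZIP" advice. It flags archive entries by blocked extension and by PE magic bytes, so an executable renamed to look like a spreadsheet is still caught; it treats encrypted entries as blocked because they cannot be inspected; and it descends into nested ZIPs up to a depth limit. The sample archive is constructed inline as a stand-in for invoice copy.zip, and the function names and extension list are my own assumptions rather than anything from the page.

```python
import io
import os
import zipfile

# Extensions a gateway should not let through inside an archive.
# Constructed list for this example; tune to local policy.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar"}

# Local file header signature that begins every ZIP written by zipfile.
ZIP_MAGIC = b"PK\x03\x04"


def _is_pe(head: bytes) -> bool:
    """A Windows PE executable starts with the 'MZ' DOS stub signature."""
    return head[:2] == b"MZ"


def find_executables(zip_bytes: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return the names of executable payloads found inside an archive.

    An entry is flagged if its extension is blocked OR its content starts with
    the PE magic, so 'invoice copy.exe' renamed to 'invoice copy.xls' is still
    caught. Encrypted entries are flagged because they cannot be inspected.
    Nested ZIPs are descended into up to max_depth levels (bounded so a
    zip-of-zips cannot make the scanner recurse forever).
    """
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits  # not a ZIP at all; other checks handle it
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name.lower())[1]
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                hits.append(f"{name} (encrypted, cannot inspect)")
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            if ext in BLOCKED_EXTENSIONS or _is_pe(head):
                hits.append(name)
            elif head == ZIP_MAGIC and depth < max_depth:
                with zf.open(info) as fh:
                    inner = fh.read()
                hits.extend(f"{name}/{h}" for h in find_executables(inner, depth + 1, max_depth))
    return hits


def build_sample() -> bytes:
    """Constructed stand-in for 'invoice copy.zip' (not the real sample).

    An EXE with a spreadsheet icon is still a PE file, so a minimal 'MZ'
    header is enough to exercise the content check. The archive also carries
    a renamed copy and a nested ZIP to show both evasions being caught.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice copy.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"harmless text")
        zf.writestr("invoice copy.xls", b"MZ" + b"\x00" * 62)  # renamed PE
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as izf:
            izf.writestr("payment.scr", b"MZ")
        zf.writestr("nested.zip", inner.getvalue())
    return buf.getvalue()


def build_clean_sample() -> bytes:
    """Constructed archive containing only a text file; should pass."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", b"just text")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_executables(build_sample()):
        print("BLOCK:", hit)
```

The extension list alone would have passed the renamed "invoice copy.xls" entry, which is why the content check on the first bytes matters; conversely, an attacker can strip the MZ stub from a dropper and rely on a script extension, which is why both checks run. Quarantining anything the function returns, and logging the attachment hashes alongside it, gives the perimeter rule the post recommends without depending on AV detection that was only 7/45 at the time.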



1 comment:

James B said...

I accidentally installed. How do I uninstall? Please let me know. Thank you