
Thursday, 16 May 2013

"Invoice Copy" spam / invoice copy.zip

This fake invoice email contains a malicious attachment:

Date:      Thu, 16 May 2013 00:27:41 -0500 [01:27:41 EDT]
From:      Karen Parker [Kk.parker@tiffany.com]
Subject:      invoice copy

Kindly open to see export License and payment invoice attached, meanwhile we sent the balance payment yesterday. Please confirm if it has settled in your account or you can call if there is any problem.
Thanks
Karen parker
The attachment is invoice copy.zip which in turn contains an executable invoice copy.exe which has an icon to make it look like a spreadsheet. VirusTotal results are a pretty poor 7/45 and indicate that this is a Zbot variant.

The Comodo CAMAS report indicates that the malware seems to be rummaging through address books and gives the following characteristics:


The ThreatExpert report and Anubis report are pretty inconclusive. The ThreatTrack report is nicely detailed and gives some details about network connections which I haven't had a chance to analyse yet.

As ever, blocking EXE-in-ZIP files at the perimeter is the best way to guard against this type of threat.
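As an added example (not code from the original post), a small Python check of the kind a mail gateway could apply to a ZIP attachment: it flags archive members by executable extension and also by the MZ header, so a file that relies on a misleading name or a spreadsheet icon is still caught. The archives it scans are constructed inline, with a harmless MZ stub standing in for the real executable; the member names are assumptions modelled on the attachment described above.

```python
import io
import zipfile

# Extensions commonly used to carry executable content inside ZIP attachments.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".cpl", ".bat", ".cmd"}
MZ_MAGIC = b"MZ"  # first two bytes of a Windows DOS/PE executable


def find_executables_in_zip(zip_bytes):
    """Return the names of archive members that look like Windows executables.

    A member is flagged if its extension is in EXECUTABLE_EXTENSIONS or if its
    first two bytes are the MZ header, so a renamed .exe is still detected.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            by_ext = any(name.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)
            with archive.open(info) as member:
                by_magic = member.read(2) == MZ_MAGIC
            if by_ext or by_magic:
                flagged.append(info.filename)
    return flagged


def should_block_attachment(zip_bytes):
    """Perimeter policy: reject the attachment if any member is executable."""
    return len(find_executables_in_zip(zip_bytes)) > 0


def build_sample_zip():
    """Constructed sample resembling the spam attachment: an MZ-headed stub
    named like the original, a harmless text file, and an MZ-headed stub with
    a non-executable extension (caught by the header check only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice copy.exe", MZ_MAGIC + b"\x00" * 62)
        archive.writestr("notes.txt", b"plain text, nothing executable\n")
        archive.writestr("invoice.dat", MZ_MAGIC + b"\x00" * 62)
    return buf.getvalue()


def build_benign_zip():
    """Constructed control archive containing only a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice copy.txt", b"just text\n")
    return buf.getvalue()
```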

1 comment:

James B said...

I accidentally installed. How do I uninstall? Please let me know. Thank you