Sponsored by..

Wednesday, 12 June 2013

"Scan from a Xerox WorkCentre" spam / Scan_06122013_29911.zip

This fake Xerox WorkCentre spam comes with a malicious attachment and appears to come from the victim's own domain:

Date:      Wed, 12 Jun 2013 10:36:16 -0500 [11:36:16 EDT]
From:      Xerox WorkCentre [Xerox.Device9@victimdomain.com]
Subject:      Scan from a Xerox WorkCentre

Please download the document.  It was scanned and sent to you using a Xerox multifunction device.

File Type: pdf
Download: Scanned from a Xerox multi~3.pdf

multifunction device Location: machine location not set
Device Name: Xerox2023

For more information on Xerox products and solutions, please visit http://www.xerox.com
Attached is a ZIP file, in this case called Scan_06122013_29911.zip which in turn contains an executable Scan_06122013_29911.exe. Note that the date is encoded into the filename so future versions will be different.

VirusTotal results are 23/47 which is typically patchy. Comodo CAMAS reports that the malware attempts to phone home to forum.xcpus.com on and has the following checksums:

ThreatExpert has some more information, but the ThreatTrack report [pdf] is more detailed and also identifies the following domains and IPs which are probably worth blocking or looking out for:

Update: I'd previously listed on the blocklist which is a register.it parking server in Italy. That was probably overkill, you might want to unblock it and block ftp.videotre.tv.it instead.

No comments: