
Wednesday 12 June 2013

"Scan from a Xerox WorkCentre" spam / Scan_06122013_29911.zip

This fake Xerox WorkCentre spam comes with a malicious attachment and appears to come from the victim's own domain:

Date:      Wed, 12 Jun 2013 10:36:16 -0500 [11:36:16 EDT]
From:      Xerox WorkCentre [Xerox.Device9@victimdomain.com]
Subject:      Scan from a Xerox WorkCentre

Please download the document.  It was scanned and sent to you using a Xerox multifunction device.

File Type: pdf
Download: Scanned from a Xerox multi~3.pdf

multifunction device Location: machine location not set
Device Name: Xerox2023


For more information on Xerox products and solutions, please visit http://www.xerox.com
Attached is a ZIP file, in this case called Scan_06122013_29911.zip, which in turn contains an executable, Scan_06122013_29911.exe. Note that the date is encoded into the filename, so future versions of the attachment will carry different names.
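As an added illustration (not part of the original post), the lure above can be matched at a mail gateway without opening the executable: a spoofed Xerox.DeviceNN sender on one of our own domains, the fixed subject, and a date-stamped Scan_*.zip that wraps an .exe. The sender pattern, the attachment regex and the sample message are assumptions built from the quoted mail.

```python
import email
import email.utils
import io
import re
import zipfile
from email.message import EmailMessage

# Lure traits taken from the quoted message; the date part of the
# attachment name changes with each run, so it is matched generically.
SUBJECT = "Scan from a Xerox WorkCentre"
SENDER_RE = re.compile(r"^xerox\.device\d*@", re.I)
ATTACH_RE = re.compile(r"^Scan_\d{8}_\d+\.zip$", re.I)  # Scan_DDMMYYYY_NNNNN.zip

def zip_has_executable(data: bytes) -> bool:
    """True if the ZIP lists an executable member; nothing is extracted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith((".exe", ".scr", ".com")) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def is_xerox_lure(raw: bytes, local_domains) -> bool:
    """Flag a message that matches the fake Xerox WorkCentre scan lure:
    subject, Xerox.DeviceNN sender spoofing our domain, Scan_*.zip with an .exe."""
    msg = email.message_from_bytes(raw)
    if (msg.get("Subject") or "").strip() != SUBJECT:
        return False
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    domain = sender.rpartition("@")[2].lower()
    if not SENDER_RE.match(sender) or domain not in {d.lower() for d in local_domains}:
        return False
    for part in msg.walk():
        name = part.get_filename() or ""
        if ATTACH_RE.match(name) and zip_has_executable(part.get_payload(decode=True) or b""):
            return True
    return False

def build_sample() -> bytes:
    """Constructed look-alike of the reported message; the 'exe' is inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Scan_06122013_29911.exe", b"placeholder, not a real program")
    m = EmailMessage()
    m["From"] = "Xerox WorkCentre <Xerox.Device9@victimdomain.com>"
    m["Subject"] = SUBJECT
    m.set_content("Please download the document.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="Scan_06122013_29911.zip")
    return m.as_bytes()
```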

VirusTotal results are 23/47, which is typically patchy. Comodo CAMAS reports that the malware attempts to phone home to forum.xcpus.com on 71.19.227.135 and has the following checksums:

MD5: 8fcba93b00dba3d182b1228b529d3c9e
SHA1: 54f02f3f1d6954f98e14a9cee62787387e5b072c
SHA256: 544c08f288b1102d6304e9bf3fb352a8fdfb59df93dc4ecc0f753dd30e39da0c

ThreatExpert has some more information, but the ThreatTrack report [pdf] is more detailed and also identifies the following domains and IPs which are probably worth blocking or looking out for:

Update: I'd previously listed 195.110.124.133 on the blocklist, which is a register.it parking server in Italy. That was probably overkill; you might want to unblock it and block ftp.videotre.tv.it instead.
