
Friday, 24 April 2009

"WorldPay CARD transaction Confirmation" (again)

A repeat of a trojan spam run from a few months ago, this fake "WorldPay CARD transaction Confirmation" email comes with a nasty payload.

Subject: WorldPay CARD transaction Confirmation
Date: Fri, April 24, 2009 5:28 pm

Thank you!

Your transaction has been processed by WorldPay, on behalf of Amazon Inc.
The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Amazon Inc has received your order,
and will inform you about delivery.
Sincerely,
Amazon Team

This confirmation only indicates that your transaction has been processed
successfully.
It does not indicate that your order has been accepted.
It is the responsibility of Amazon Inc to confirm that
your order has been accepted, and to deliver any goods or services you have ordered.

In this case there was a ZIP file called WorldPay_NR9712.zip (the filename may vary) with an executable in it named WorldPay_NR9712.exe. When unzipped it looks a bit like a Windows Help file.

Detection rates are very poor, with only Microsoft flagging it up as something specific (PWS:Win32/Zbot.M). The ThreatExpert prognosis also indicates that it is malware (by the way, if you are dealing with an infected machine the ThreatExpert report can help you clean it up).

If you can, it is always a good idea to block EXE-in-ZIP attachments at the perimeter.
