
Thursday 24 October 2013

"My resume" spam / Resume_LinkedIn.exe

This rather terse spam email message has a malicious attachment:

Date:      Thu, 24 Oct 2013 15:45:37 +0200 [09:45:37 EDT]
From:      Elijah Parr [Elijah.Parr@linkedin.com]
Subject:      My resume

Attached is my resume, let me know if its ok.

Thanks,
Elijah Parr

------------------------

Date:      Thu, 24 Oct 2013 19:14:37 +0530 [09:44:37 EDT]
From:      Greg Barnes [Greg.Barnes@linkedin.com]
Subject:      My resume

Attached is my resume, let me know if its ok.

Thanks,
Greg Barnes

The attachment is Resume_LinkedIn.zip, which in turn contains a malicious executable, Resume_LinkedIn.exe, with an icon chosen to make it look like a Word document rather than an executable.

VirusTotal is timing out at the moment, but earlier only one AV engine detected it (Norman). Automated analysis tools [1] [2] show an attempted connection to homevisitor.co.uk on 64.50.166.122 (Lunarpages, US). This server was distributing malware last month too, so we must assume that it is compromised. Blocking that IP address would probably be a good idea as there are several other compromised domains on that same server [1] [2].

4 comments:

Drew Martell said...

I just got one in my spam at 9:45AM

My resume
Jermaine Wilson

Attached is my resume, let me know if its ok.

Thanks,
Jermaine Wilson

Unknown said...

Great tips. Very well-written, keyword-oriented and incredibly useful. It's really interesting to many readers. I really appreciate this, thanks

PPI claims

Unknown said...

I was talking to someone and I wasn't paying attention and opened the zip file and clicked to open the file inside when I saw the "exe" extension. I quickly closed the window, but I don't know if the damage was already done. Has anyone opened the exe file completely? Does it display anything or is it all in the background? I have the Microsoft Essentials Anti-virus. I always assumed that it asks for permission to make any changes to the computer with an "exe" file. Is the assumption incorrect?