
Wednesday, 4 December 2013

Fake Amazon.co.uk spam / Order details.zip

This fake Amazon spam comes with a malicious attachment:

Date:      Wed, 4 Dec 2013 11:07:00 +0200 [04:07:00 EST]
From:      "AMAZON.CO.UK" [SALES@AMAZON.CO.UK]
Subject:      order ID718-4116431-2424056

Good evening, Thanks for your order. We'll let you know once your item(s) have dispatched. You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.

Order Details
Order ID757-7743075-1612424 Placed on December 1, 2013 Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon. Amazon.co.uk
Attached is a ZIP file, Order details.zip, which in turn contains a malicious executable, Order details.exe, with a VirusTotal detection rate of 15/49. Automated analysis tools [1] [2] are fairly inconclusive, but they do show some apparent traffic to 79.187.164.155 (TP, Poland), plus the creation of a value named Start WingMan Profiler under HKLM\Software\Microsoft\Windows\CurrentVersion\Run to run the malware at startup. Note also that the order number in the subject line does not match the one in the body of the message.
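As an added example (my own script, not part of the original post), here is the check a mail gateway or a cautious recipient would want to run on an attachment like this one. It opens a ZIP and flags any member that is a Windows executable, both by extension and by the MZ header at the start of the file, so an .exe renamed to .pdf is still caught, and it reports password-protected members that cannot be inspected at all. The ZIP it builds is a constructed stand-in for Order details.zip with fake MZ stubs; it is not the real sample.

```python
"""Flag Windows executables hidden inside a ZIP e-mail attachment."""
import io
import os
import zipfile

# Extensions Windows will execute on double-click; the post's attachment
# used the plainest one, a bare .exe inside the ZIP.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".dll", ".cpl", ".msi",
             ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}


def find_executables(zip_bytes):
    """Return one finding per ZIP member that looks executable.

    Checks the extension *and* the first two bytes, so a PE renamed to
    invoice.pdf is still caught, and reports encrypted members, which
    cannot be inspected (a common trick against mail gateways).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            reasons = []
            if ext in EXEC_EXTS:
                reasons.append(f"executable extension {ext}")
            if info.flag_bits & 0x1:  # bit 0 of the general purpose flag = encrypted
                reasons.append("encrypted member; content cannot be scanned")
            else:
                with zf.open(info) as fh:
                    magic = fh.read(2)
                if magic == b"MZ":
                    reasons.append("MZ header: PE executable")
                    if ext not in EXEC_EXTS:
                        reasons.append(f"PE disguised with extension {ext or '(none)'}")
            if reasons:
                findings.append({"name": info.filename,
                                 "size": info.file_size,
                                 "reasons": reasons})
    return findings


def build_sample_zip():
    """Constructed stand-in for 'Order details.zip'. The PE bodies are fake
    MZ stubs, not the real sample from the post."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Order details.exe", fake_pe)
        zf.writestr("invoice.pdf", fake_pe)            # PE renamed to look harmless
        zf.writestr("readme.txt", b"Thanks for your order.")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_zip()
    for f in find_executables(data):
        print(f"{f['name']!r} ({f['size']} bytes): " + "; ".join(f["reasons"]))
```

Run it with a real attachment as the first argument, or with no arguments to see the constructed sample; the two fake PEs are reported and readme.txt is not.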

6 comments:

Unknown said...

Weird, received one also, and what caught my attention is that it's not even my e-mail addy: "quentonsumlin@yahoo.com". Figures it was a phishing or hack e-mail. I know some are still vulnerable, so good you're warning people about it!!

Emma A. said...

I was waiting for a response from an amazon vendor about an order placed on Dec 9 and STUPIDLY clicked on the zip file. I didn't actually open the document. I found it in my download folder and ran the "Secure Empty Trash." Is there anything else I should or could do??

Irina said...

I did too; not only opened it, but clicked to download attachments. Epic stupidity, since I noticed some differences from regular Amazon mail. I cannot find files anywhere on my phone. How do I get rid of this virus? Any help would be appreciated.

davidhb said...

This... would be more useful if it were to contain information for the poor users who have already clicked on the link...

Personally I have a Mac, but am searching to help a friend clean up his PC. Does anyone know how to resolve this??
Thanks

davidhb said...

It would be far more useful to supply information for the poor users who have mistakenly loaded the malware on their PCs.

I am searching (from my Mac) to help a friend remove this, and apart from marketing AVs I've not yet seen anything useful.

Does ANYONE know what needs to be done?

Conrad Longmore said...

@davidhb, the problem with the malware is that it morphs with every new campaign. There are a couple of links to automated analysis reports in the post; however, one key area to look at is unusual entries in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\, and perhaps upload the samples to VirusTotal.com to see if they are malicious.
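Following on from the advice in the comment above, here is an added example (my own script, not the post author's) for the situation davidhb describes: triaging a PC's Run keys from another machine. Export the keys on the affected PC with reg export, copy the files off, and run the script against them anywhere Python runs. It parses the .reg text and flags entries whose program lives in a user-writable location such as AppData or Temp, which is where mail-borne malware installs itself, as well as entries with no directory, script files, and loader binaries such as rundll32. The sample export embedded in the script is constructed: the value name Start WingMan Profiler is the one reported in the post, but the path beside it is a placeholder, and the two benign entries are invented examples of what normal autoruns look like.

```python
r"""Triage Windows Run-key entries from an offline 'reg export' file.

On the affected PC (elevated prompt):
    reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run_hklm.reg
    reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run_hkcu.reg
then, on any machine:  python run_triage.py run_hklm.reg
"""
import re
import sys

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

# Directories a standard user can write to: where mail-borne malware drops itself.
USER_WRITABLE = ("\\users\\", "\\documents and settings\\", "\\appdata\\",
                 "\\temp\\", "\\programdata\\", "%appdata%", "%localappdata%",
                 "%temp%", "%tmp%", "%userprofile%", "%public%")
# Admin-only install locations that legitimate autoruns normally point into.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows\\", "%windir%",
                    "%systemroot%", "%programfiles%", "%programfiles(x86)%")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta")


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {'key', 'name', 'command'} for each value under each [key] in the export."""
    entries, key = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue  # header, blank line, '@=' default value or hex continuation
        data = m.group("data")
        if data.startswith('"') and data.endswith('"'):
            command = _unescape(data[1:-1])
        else:
            command = data  # hex:/dword: data, kept raw so it still gets reviewed
        entries.append({"key": key, "name": _unescape(m.group("name")), "command": command})
    return entries


def executable_of(command):
    """First token of a command line: the quoted path, or the text up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_reasons(command):
    exe = executable_of(command).lower()
    if not exe:
        return ["empty command"]
    reasons = []
    if any(marker in exe for marker in USER_WRITABLE):
        reasons.append("binary lives in a user-writable directory")
    elif "\\" not in exe:
        reasons.append("no directory given; resolved via PATH")
    elif not exe.startswith(TRUSTED_PREFIXES):
        reasons.append("binary is outside Program Files / Windows")
    if exe.endswith(SCRIPT_EXTS):
        reasons.append("script rather than a program")
    if any(lol in exe for lol in ("rundll32", "regsvr32", "mshta", "wscript", "cscript")):
        reasons.append("loader binary; inspect what it is told to run")
    return reasons


def triage(text):
    return [dict(e, reasons=suspicious_reasons(e["command"])) for e in parse_reg_export(text)]


def load_reg_file(path):
    raw = open(path, "rb").read()  # reg export writes UTF-16LE with a BOM
    return raw.decode("utf-16") if raw.startswith((b"\xff\xfe", b"\xfe\xff")) else raw.decode("utf-8", "replace")


# Constructed sample. The value name is the one reported in the post; the path is a placeholder.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
"Start WingMan Profiler"="\"C:\\Users\\alice\\AppData\\Roaming\\Ujxk\\example.exe\""
'''

if __name__ == "__main__":
    text = load_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for e in triage(text):
        print("SUSPICIOUS" if e["reasons"] else "ok        ", repr(e["name"]), e["command"])
        for r in e["reasons"]:
            print("             -", r)
```

The heuristics are deliberately simple: a Run entry pointing into AppData, Temp or the user profile is the single most reliable tell for this class of malware, while the other checks mark entries worth a second look rather than proof of infection. Anything flagged should be uploaded to VirusTotal, as the comment above suggests, before it is deleted.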