Sponsored by..

Monday, 19 January 2015

Malware spam: "repairermessages@fmg.co.uk" / "Insurance Inspection Arranged AIG02377973" / "FMG Support Group Ltd"

This spam does not come from FMG Support Group Ltd, but instead it is a forgery. FMG are not sending out the spam, nor have their systems been compromised in any way. Instead, this spam has a malicious Word document attached.
From:    repairermessages@fmg.co.uk
Date:    19 January 2015 at 07:24
Subject:    Insurance Inspection Arranged AIG02377973

FMG is committed to reducing its impact on the environment. Please don't print this email unless absolutely necessary.

Have you been impressed by one of our people?
If so, we'd love to hear about it. You can nominate someone for a Spirit award by emailing spirit@fmg.co.uk

FMG Support Group Ltd. Registered in England. No. 06489429.
Registered office: FMG House, St Andrews Road, Huddersfield, HD1 6NA.

Tel: 0844 243 8888
Email: info@fmg.co.uk

This email may contain confidential information and/or copyright material. This email is intended for the use of the addressee only. Any unauthorised use may be unlawful. If you received this email by mistake, please advise the sender by using the reply facility in your email software.

Outbound Message checked by Websense Mail Control.
Attached is a Word document AIG02377973-InsuranceInspectionArranged.doc which comes in at least two different versions, neither of which are detected by AV vendors [1] [2]. These documents contain two slightly different malicious macros [1] [2] which attempt to download a further component from:

http://chilan.ca/js/bin.exe
http://techno-kar.ru/js/bin.exe

This is saved as %TEMP%\324234234.exe which has a VirusTotal detection rate of 2/57. The Malwr report shows it attempting to communicate with the following IPs:

59.148.196.153 (HKBN, Hong Kong)
74.208.11.204 (1&1, US)


These two IP addresses have been used by this malware for a long time, I strongly recommend you block them. Also, a malicious DLL is dropped on the infected system with a detection rate of just 2/53.
 

4 comments:

Hire My Wedding Supplier said...

Hi Conrad,

Great post - apart from one thing....

...we opened the email!?

What do i need to do? How can i get rid of it? Im doing a scan with AVG as we speak but I didnt want to log into my bank to change the password just incase they got the new passwords?!

Conrad Longmore said...

@HMWS: the macro will infect you only if you allow macros to run in Word. The indicator of infection is a file %TEMP%\324234234.exe (%TEMP% is the location of your temporary files folder, e.g. C:\Users\Yourname\AppData\Local\Temp).

If you think you are infected and you are not an expert, then it is best left to your anti-virus software to clean up, but they won't have updated their products yet. The best think to do is wait at least 24 hours before attempting an automatic cleanup.

Hire My Wedding Supplier said...

Thanks Conrad

Nothing showing there similar apart from:

6F11B312-ED58-46A7-A6F3-A5B920F8BA37 (19/01/2015)
8b9B2 (19/01/2015)
div6547.tmp (19/01/2015)
TCD807B.tmp (19/01/2015)

Do they ring any alarm bells?

Its Word 2013 so i dont know about the open or run macros settings?

Conrad Longmore said...

@HWS: looks like you should be clean, Word 2013 has macros disabled by default for that sort of document. Check with the F-Secure online scanner to be sure.