The SonicWALL Email Security team intercepted a series of malware attacks.
1
This email spoofs Microsoft, carrying a link to an executable file and some blathering background info that includes helpful instructions for facilitating the download and installation of the malware The URL is at pop3.ru, specified as remtool_conf.exe
Excerpt from the message body - note that the user is instructed to disable anti-virus software:
----------------------------------------------------------------------------------------------------
Usage Instructions:
download file
click remtool_conf.exe and let it scan..
you are advised to disable your already existing antivirus software prior to running the removal tool to avoid conflicts.
-----------------------------------------------------------------------------------------------------
2
In another spoof of Microsoft, the spammers present a more credible content, maybe a verbatim copy from Microsoft’s own announcement. The link text shows a real Microsoft URL, but rolling over the link reveals that the URL goes to domain ijj1hji.com, whose name fits a group of domains used recently in heavy phishing and malware attacks.
3
Sent in large numbers, this attack spoofs UPS, urging recipients to print an invoice in order to obtain their undelivered parcel. The link makes no attempt to hide its executable file /invoice7788_.exe. Subjects include the words “Your Tracking” followed by # and an eight-digit number, the numbers change from one instance to another.
4
This attack does not spoof any specific entity; it simply asks the recipient to view an account statement. The content of the link indicates that the attack is probably related to the UPS attack: /report_7070.exe
