Recently, our statistics show that users have become more vigilant about email attachments and no longer open attached files straight away. Perhaps that is why the bad guys have made some noticeable improvements to their scams to increase the chance that a recipient opens the attachment.
Let's take a look at a pair of spam emails among the many that our Honeypot has collected recently:
Figure 1: The first email in the scam
Figure 2: The second email in the scam (sent some time later)
Have you noticed the relation between these two emails? The first one does not include any file attachment; its sole purpose is to draw users into an interesting story: a person who knows you via the Internet wants to befriend you and will send you some photos. Once you believe the story, you may not hesitate to open the attachment when the second email arrives. And at that point, sad to say, your computer has been infected with a virus.
Apparently, in this new scenario, the send-and-receive email interaction and the appealing story help the bad guys achieve their malicious purpose by raising the likelihood that attached files are opened.
Once executed, this virus (detected by Bkav as W32.FakeHotpics.Worm) will download FakeAV from http://webcontrol-panel.us/l[removed]atch/softpatch.php?afid=154.
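The two-step pattern described above (an attachment-free message that sets up the story, then a later message carrying the file) can be looked for in mail gateway logs. The following Python code is an added example, not part of the original analysis; the record layout, addresses, dates, the three-day window and the assumption that both emails share a sender address are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed gateway records: (time, sender, recipient, attachment names).
SAMPLE_LOG = [
    ("2010-03-01 09:12", "stranger@example.net", "alice@corp.example", []),
    ("2010-03-01 10:00", "bob@partner.example", "alice@corp.example", []),
    ("2010-03-01 10:30", "alice@corp.example", "bob@partner.example", []),
    ("2010-03-02 08:45", "stranger@example.net", "alice@corp.example", ["photos.zip"]),
    ("2010-03-02 11:00", "bob@partner.example", "alice@corp.example", ["report.pdf"]),
    ("2010-03-20 11:00", "other@example.org", "carol@corp.example", []),
    ("2010-04-20 11:00", "other@example.org", "carol@corp.example", ["pics.zip"]),
]

def parse(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")

def find_primed_attachments(records, window=timedelta(days=3)):
    """Return attachment mails that follow, within `window`, an attachment-free
    mail from the same sender to the same recipient, where the recipient has
    never written to that sender (assumed signal of unsolicited contact).
    The default window is an assumption, not a value from the post."""
    primer_time = {}     # (sender, recipient) -> time of latest attachment-free mail
    has_written = set()  # (sender, recipient) pairs seen so far
    flagged = []
    for record in sorted(records, key=lambda r: parse(r[0])):
        stamp, sender, recipient, attachments = record
        when = parse(stamp)
        pair = (sender, recipient)
        if not attachments:
            primer_time[pair] = when
        elif (pair in primer_time
              and when - primer_time[pair] <= window
              and (recipient, sender) not in has_written):
            flagged.append(record)
        has_written.add(pair)
    return flagged

if __name__ == "__main__":
    for stamp, sender, recipient, files in find_primed_attachments(SAMPLE_LOG):
        print(f"{stamp} {sender} -> {recipient}: {files}")
```

Only the stranger's second message is flagged in the sample: the other attachment mails either come from a correspondent the recipient has written to or arrive outside the window.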
P.S.: Many thanks to my colleague MinhNQb for his virus analysis.
Nguyen Cong Cuong
Senior Malware Researcher