Recently, there have been junk emails faking United States Postal service, informing that one Postal Pakage is faulty. The email requires users to fill in an attached file whose icon looks like the icon of an ordinary Excel file. Actually, this is a malicious file which takes advantage of user’s incaution to execute virus and inject malicious code to user’s computer.
Figure 1: Email’s content
To bypass users’ spam filter, this spam email contains an image file instead of a text file like usual.
Up to the writing time, not many AVs have been able to detect the virus spread by this email. http://www.virustotal.com/file-scan/report.html?id=a784d80e1d0cda2cfe9f9fc5325d42825c3171e96954c7d54760fca50d492f65-1285638618
Upon execution, this virus (detected as W32.FakeUSPS.Worm by Bkav):
- Dumps file Dll: %System32%\bfky.ojo.
- Modifies the value of key [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell] by inserting "bfky.ojo" to this key’s value to execute virus on computer’s startup.
- Receives commands from control server: micro-viagra.ru
Users are recommended to be more cautious on opening file attached with emails of unknown origin or emails with unauthenticated content.
Nguyen Van Sao