NEWS FROM THE LAB - Thursday, October 30, 2008

Statements, Reports, Tracking Numbers and Tickets Posted by Patrik @ 16:02 GMT

Over the last 48 hours we've seen a huge increase in ZIP'd malicious e-mail attachments being spammed. The subjects have been:

Your Tracking #xxxxxxxx (where xxxxxxx is a random number)
New Ticket #xxxxx (where xxxxx is a random number)
Accounts Operations Report
Your Statement between 1/1/08 and 10/30/08

The ZIP file typically contains a file that looks like a document (.DOC) but it is really an EXE, there's just a lot of whitespaces between .DOC and .EXE.

Some of these ZIP files are protected by a password which makes it more likely to be allowed through an e-mail server. The password is always in the e-mail message so that the recipient can easily see it.

Using e-mail attachments has made a come back in popularity amongst malware writers during the last few months. We detect this latest batch as variants of the Worm:W32/Autorun family.