The Chepvil malware, which arrives via email as an attachment, is using another trick to spread itself. You may receive an email claiming to be from IRS.gov with the subject line “IRS Notification Letter”. The email is as shown below:
The attachment comes with the name ‘IRS document.rar’. Upon extraction, the user gets an executable file with a PDF file icon.
If a user opens this executable file, it downloads one of these files: ‘pusk.exe’, ‘pusk2.exe’ or ‘pusk3.exe’, as we can see from the HTTP traffic:
The file pusk*.exe works as the rogueware application ‘Windows XP Repair’, as shown below:
As usual, it displays fake threat messages on the screen and thus forces the user to register the product in order to remove these fake threats.
If you come across such emails, do not open their attachments. Instead, delete them and keep your antivirus updated. Quick Heal detects the malicious attached file as Trojan.Chepvil.K and also blocks the domain. So our users are already protected.
We recommend that users do not open such attachments from unknown and suspicious-looking emails.
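For defenders who want to check whether any host already fetched the second-stage file described above, the following added example (not part of the original post and not Quick Heal's detection logic) scans web proxy log lines for requests whose final path segment is one of the three file names reported here. The log layout, the `example.test` hosts and the client addresses are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Second-stage file names reported in the post.
PAYLOAD_NAMES = {"pusk.exe", "pusk2.exe", "pusk3.exe"}

# Assumed (constructed) proxy log layout: time client method url status bytes
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<size>\d+)$"
)

def requested_file(url):
    """Return the percent-decoded, lower-cased last path segment of a URL."""
    path = unquote(urlsplit(url).path)  # query string and fragment are dropped
    return path.rsplit("/", 1)[-1].lower()

def find_payload_downloads(lines):
    """Return one record per request for a reported payload file name."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        name = requested_file(m["url"])
        if name in PAYLOAD_NAMES:
            hits.append({
                "client": m["client"],
                "file": name,
                "url": m["url"],
                # A 200 with a body means the file reached the host.
                "delivered": m["status"] == "200" and int(m["size"]) > 0,
            })
    return hits

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    "2000-01-01T10:00:01Z 10.0.0.15 GET http://host-a.example.test/pusk.exe 200 48128",
    "2000-01-01T10:00:05Z 10.0.0.22 GET http://host-a.example.test/a/PUSK2.EXE?id=7 403 0",
    "2000-01-01T10:00:09Z 10.0.0.31 GET http://host-b.example.test/dl/pusk3%2Eexe 200 51200",
    "2000-01-01T10:00:12Z 10.0.0.40 GET http://www.example.test/img/pusk.exe.png 200 900",
    "2000-01-01T10:00:15Z 10.0.0.41 GET http://update.example.test/setup.exe 200 1200",
    "truncated line that does not match the layout",
]

if __name__ == "__main__":
    for hit in find_payload_downloads(SAMPLE_LOG):
        state = "DELIVERED" if hit["delivered"] else "blocked/failed"
        print(f'{hit["client"]} requested {hit["file"]} ({state}): {hit["url"]}')
```

Clients marked as delivered received the file and should be prioritised for cleanup; blocked requests still indicate that the attachment was opened on that host.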