Blog
Ranjeet Menon

MasterCard spam leads to Fake AV

July 28, 2011
0
Estimated reading time: 2 minutes

We’re seeing a significant “spam attached malware” campaign in the past 48 hours with different attachment MD5s.

3305f83abf31fc66fa8f588b35be8eb2
8e3331b64a5884e1ef4f4c8a3d09bc7a

The username portion of the email sender is random, using a classic misspelling that has been consistent. Usernames are a single word, followed by a “.”, “_” or “-“, followed by a two or three digit number. The most popular words (by far) are “manager” and “support”, but we’ve also seen “admin”, “administration”, “alerts”, “cunsumer”, “delivery”, “e-file”, “finance”, “frboard-webannouncements”, “govdelivery”, “information”, “inspector”, “news”, “news-alerts”, “no-reply”, “protection”, “public”, “report”, “service”, “stats”, “subscriber”, “subscriptions”, “usttb” and “webannouncements”.

The attached file is actually named as a “.com” using a random seeming filename in the format “id” followed by a 5-7 digit number (such as id918538.com).

When the file is launched, it attempts to make a connection with any of a long list of domains that are probably made by a “DGA” or “Domain Generation Algorithm”. It’s likely that at different times or days this list would be different. The purpose of the malware seems to be just another fake anti-virus product. Here’s the scan that kicked off:

After the scan, as expected, I was constantly reminded of the grave danger I was in:

By using Quick Heal Total security, such fraudulent emails get tagged as spam and users stay protected.
Quick Heal also detects malicious attachments and the installed rogueware files.

Have something to add to this story? Share it in the comments.

No Comments, Be The First!

Your email address will not be published.

CAPTCHA Image