
SANS ISC InfoSec Handlers Diary Blog



exe malware spammed under "Missile War" subjects

Published: 2007-04-08
Last Updated: 2007-04-09 07:29:17 UTC
by Daniel Wesemann (Version: 5)
0 comment(s)
If you're still not blocking EXEs on your email gateway, chances are your users are getting flooded by the latest scam at the moment. We're receiving reports of a "movie.exe" (MD5 95c563731b7828d6e98eae81ee08869f) making the rounds, attached to emails with very "clickable" subject lines like "USA Just Have Started World War III" / "Missle Strike: The USA kills more then 20000 Iranian citizens" / "Israel Just Have Started World War III" / "USA Missile Strike: Iran War just have started".  You get the drift - the kind of friendly headlines you would expect to get on a peaceful Easter Sunday.   AV coverage is nonexistent at this time, so be careful. Thanks to Mike for submitting the first sample of this critter!

Update 2000 UTC: Filenames "video.exe", "click here.exe", "clickme.exe", "readme.exe" and "read more.exe" are also used, and occasionally it is neither the USA nor Israel, but Iran who has started World War III. Lovely.
Other MD5: 4a32764f9165980e255a80ee63edf402 (Thanks, Ariel!), plus several other MD5 sums (19 and counting as of 0500 UTC).

Update 0500 UTC: AV coverage is starting to become available:  W32/Tibs.ET@mm (Fortinet), Email-Worm.W32.Zhelatin.cq (Kaspersky/F-Secure), W32.Dref.AF (Sophos), and Trojan.Small-1604 (ClamAV).  Also worth mentioning is Symantec, who (likely by sheer luck :) caught it early on by detecting the packer: Trojan.Packed.13.
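As an added example (not part of the diary, and not any vendor's gateway code), here is a small Python gateway-style check that ties together the two defensive points above: block executable attachments outright, and match attachment hashes against the MD5 sums reported. It parses an email, and for each attachment flags a blocked extension, a filename seen in this campaign, an "MZ" executable header (so a renamed .exe still gets caught), and a hit on the known-bad MD5 list. The two MD5 sums and the six filenames are taken from the diary; the list of blocked extensions is an assumed typical policy, and the attachment bytes in the sample message are constructed (just the "MZ" magic plus padding, not a real sample).

```python
import email
import hashlib
import os
from email import policy
from email.message import EmailMessage

# MD5 sums of the samples reported in the diary.
KNOWN_BAD_MD5 = {
    "95c563731b7828d6e98eae81ee08869f",
    "4a32764f9165980e255a80ee63edf402",
}

# Attachment names reported in the diary.
KNOWN_BAD_NAMES = {
    "movie.exe", "video.exe", "click here.exe",
    "clickme.exe", "readme.exe", "read more.exe",
}

# Assumption: a typical gateway policy blocks these executable extensions.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Constructed stand-in for a Windows executable: the "MZ" magic plus padding,
# not real malware and not one of the samples from the diary.
SAMPLE_PE_BYTES = b"MZ" + b"\x90" * 62


def build_sample_message(filename: str, payload: bytes) -> bytes:
    """Build a constructed test email carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "USA Missile Strike: Iran War just have started"
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def inspect_message(raw_bytes: bytes, known_md5=KNOWN_BAD_MD5) -> list:
    """Return one finding per attachment: filename, md5, reasons, verdict."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        md5 = hashlib.md5(payload).hexdigest()
        reasons = []
        if os.path.splitext(name.lower())[1] in BLOCKED_EXTENSIONS:
            reasons.append("extension")
        if name.lower() in KNOWN_BAD_NAMES:
            reasons.append("known_name")
        if payload[:2] == b"MZ":
            # Content sniffing catches an executable renamed to a harmless extension.
            reasons.append("pe_header")
        if md5 in known_md5:
            reasons.append("known_md5")
        findings.append({
            "filename": name,
            "md5": md5,
            "reasons": reasons,
            "verdict": "block" if reasons else "allow",
        })
    return findings


def should_block(raw_bytes: bytes, known_md5=KNOWN_BAD_MD5) -> bool:
    """True if any attachment in the message triggers a block reason."""
    return any(f["verdict"] == "block"
               for f in inspect_message(raw_bytes, known_md5))


if __name__ == "__main__":
    for finding in inspect_message(build_sample_message("movie.exe", SAMPLE_PE_BYTES)):
        print(finding)
```

The hash list is the weakest of the four signals: the diary already counts 19 distinct MD5 sums for this one campaign, so the extension and "MZ" header checks are what actually stop the next repack. Passing a custom `known_md5` set lets the same routine be rerun as new sums come in.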