
    Archive for August 23rd, 2006




    This is going to be one of those days where your average Trojan downloader gets spammed at an approximate rate of a dozen per minute. We’ve just received another malware sample that downloads TROJ_SMALL.CPO and another as-yet-unidentified file.
    This downloader is attached to an email that uses social engineering to trick users into opening the attachment. Presenting itself as an official-looking email from a credit card service company, it instructs the user to verify the “payment details” contained in the attachment. The email details are as follows:


    FROM:
    Cihost Billing Management


    SUBJECT:
    [paycheck 322082] Credit Card Chargeback


    BODY:
    Sir,


    We have received a notice from your card service stating that there was a chargeback made by the owner of the card that you paid for your account with. This is a very serious matter.


    I have deducted the amount of the chargeback, GBP 102.10, from your account and added our standard fee of GBP 23.95 as well. (You can see your payment details in attachment.)


    If there was some mistake, please let us know immediately so that we can get this situation resolved. We ask that you have the chargeback removed as soon as possible, as our account has already been debited for the amount in question.


    If you would prefer to make your payment using a new payment method that would be fine as well (you can use a different credit card or you may send a money order payable to Cihost).


    This is a time sensitive issue and must be resolved promptly at the request of the card service. Please email the billing team using the Web Administration Panel with information about how you are going to deal with this situation.


    I thank you for your time and hope to hear from you soon.


    See your payment details in attachment.


    Sincerely,


    Frank J. Cornwell


    Cihost Billing Management


    In light of the downloaders being spammed left and right, now might be a good time to reiterate a basic security practice: don’t open files attached to a suspicious email.


    Note: A solution is currently underway for this threat and we’ll keep you posted for updates.


    Update (Jasper, Wed, 23 Aug 2006 04:11:54 PM)
    This threat will be detected as TROJ_SMALL.CPM. We’ll update you when the pattern is deployed.


    Update (Jasper, Thu, 24 Aug 2006 10:00:22 AM)
    The pattern for this malware has already been deployed in CPR 3.672.06.


     



    Here’s social engineering at work again: an email with a suspicious-looking attachment is circulating, claiming that it has information on recent terrorist acts in London and Edinburgh.

    Of course, this is not true; the email is taking advantage of the media hype surrounding the terror plot that was prevented at Heathrow airport in the UK. The attachment is actually a Trojan that downloads another file (possibly another malware). The sample is currently being processed for analysis.


    Here are the email details:


    Subject:
    New acts of terrorism in United Kingdom!


    Body:
    Today the Scotland Yard has informed on set of new acts of terrorism in London and Edinburgh! You can learn the detailed information in the attached file!


    Note: Trend will be detecting the Trojan as TROJ_SMALL.CEI. Stay tuned for updates.


    Update (Jasper, Thu, 24 Aug 2006 09:56:04 AM)
    The pattern for this malware has already been deployed in CPR 3.682.01.

     


     

    © Copyright 2011 Trend Micro Inc. All rights reserved.