Archive for September 6th, 2007


Sep6
by Mayee Corpin (Technical Communications)

Attachment spam has so far run the gamut from PDF to XLS, RAR-compacted TXT, FDF, and RTF. The Trend Micro Anti-Spam Engine (TMASE) recently caught the newest addition to the list: DOC spam.

While most of the earlier forms of attachment spam, with the exception of RTF, were stock spam that promoted certain companies so that their share price would rise, this one simply advertises a couple of impotence medicines that need not be named lest we inadvertently endorse them.

[Image: docmail1.gif]

What’s worth mentioning is that the spammed email messages carrying the DOC attachments also bear a “warning,” which informs recipients that the document is only available for a limited time (3 days). It also uses catchy subjects and document file names like “Private Message” and “Confidential Message,” clearly tugging on recipients’ sense of urgency to get them to open the attachments straightaway.

[Image: docattach.gif]

Opening the DOC attachment downloads no malware. Clicking on the URL within the attachment does not lead to a malicious site either. The Trend Micro Content Security (CS) team does not see many samples, but users would do well to be aware of spam’s many new forms to protect themselves and their assets (machines, money, etc.) as the next slew of .DOC spam could already be malicious.

Apart from .DOC spam, the CS team also caught samples of “one-word” spam–so named because of its use of one random word for its subject and message body:

[Image: 1word.gif]

[Image: 1word2.gif]

Given its lack of obvious motives (apart from flooding inboxes), it is postulated that this type of spam is either malware-related, or is just “pre-spam” spam. That is, its main purpose is to simply fish for valid email addresses. Once the addresses are validated, then perhaps that’s the time spammers will send the more profitable messages. Or in the case of .DOC spam, attachments.

Data provided by Trina Baetiong and Lala Manly.

Additional text by Paul Oliveria.

Posted in Security, Spam

Sep6
by Mayee Corpin (Technical Communications)

A new wave of NUWAR is worming its way into inboxes, with thousands of emails being sent. The worm acts in two waves. Firstly, it sends out a wave of emails similar to the one below, purporting to offer downloads of the Tor Anonymous Proxy.

[Image: Spam.JPG]

If the user follows the link in the email, they will not be taken to the official site for the legitimate Tor application, but will instead be redirected to a fake site that displays the following:

[Image: Tor.jpg]

Once the user clicks the “Download Tor” button, they are given a NUWAR variant that is proactively detected as POSSIBLE_NUCRP-4, and which has the file name TOR.EXE. As with previous examples of this threat, the Web site also contains multiple exploits that attempt to download this file automatically.

This is just the latest in a long line of social engineering ploys by NUWAR's creators, which have seen them try everything from eCards to BETA testing software and even YouTube videos.

Update: TrendLabs detects the said .EXE file as WORM_NUWAR.AQL with the latest pattern file.

This information was provided by Robert MacArdle from the European TrendLabs.

Posted in Security
