Feb 20
12:33 pm (UTC-7)   |   by Paul Oliveria (Technical Communications)

TrendLabs has recently received samples of TROJ_AGENT.IQN being spammed in email messages supposedly coming from IKEA Deutschland. Consistent with the “Rechnung” Trojans’ social engineering technique, the spammed message asks recipients to verify the attached billing statement (which is actually a copy of the Trojan disguised as a PDF file). Once the user opens the attachment, however, TROJ_AGENT.IQN connects to several URLs to download another Trojan, detected as TROJ_AGENT.ISP.

IKEA, of course, is a well-known furniture superstore in Europe and the United States, so it’s no surprise the Rechnung gang is out shopping for a fresh batch of targets. It’s a move reminiscent of the HAXDOOR backdoor that targeted Wal-Mart customers: when there’s shopping money involved, the probability of users clicking on the attachment is high.

Here’s another thought: IKEA is based in Sweden. Makes one wonder if we will be seeing a Nordic version of the spammed message soon…

Trend Micro recommends that users avoid opening attachments in email messages bearing the following subjects:


  • Ihre IKEA Bestellung
  • Rechnung IKEA 10.2.2007
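
A mail-gateway triage check for the campaign described above, as an added example that is not from the original post or from Trend Micro: it flags the two listed subject lines and any attachment that claims to be a PDF but does not carry a PDF header. The assumption that the disguise appears as a `.pdf` file name or `application/pdf` type around non-PDF content, the function names, and the sample messages are all constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# The two subject lines listed in the advisory, normalised to lower case.
SUSPECT_SUBJECTS = {"ihre ikea bestellung", "rechnung ikea 10.2.2007"}

def claims_pdf(part):
    """Assumption: the disguise is a PDF-looking file name or MIME type."""
    name = (part.get_filename() or "").lower()
    return part.get_content_type() == "application/pdf" or ".pdf" in name

def triage(raw_bytes):
    """Return the reasons a raw RFC 5322 message should be quarantined."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    # policy.default decodes RFC 2047 encoded subjects; collapse whitespace.
    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    if subject in SUSPECT_SUBJECTS:
        reasons.append("subject-match")
    for part in msg.iter_attachments():
        if not claims_pdf(part):
            continue
        body = part.get_payload(decode=True) or b""
        if body[:2] == b"MZ":              # DOS/PE executable header
            reasons.append("pdf-claim-is-pe-executable")
        elif b"%PDF-" not in body[:1024]:  # genuine PDFs carry this marker
            reasons.append("pdf-claim-without-pdf-header")
    return reasons

def build_sample(subject, payload, filename):
    """Constructed test message; addresses and contents are made up."""
    m = EmailMessage()
    m["From"] = "billing@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("Bitte pruefen Sie die beigefuegte Rechnung.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    fake_exe = b"MZ" + bytes(62)  # inert stub: only the two magic bytes
    print(triage(build_sample("Rechnung IKEA 10.2.2007", fake_exe, "Rechnung.pdf.exe")))
    print(triage(build_sample("Lunch", b"%PDF-1.4\n%%EOF\n", "menu.pdf")))
```

The content check matters more than the subject match: subject lines change from one spam run to the next, while a PDF-named attachment without a PDF header is suspicious regardless of the lure.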
