    Japanese PM Yasuo Fukuda Sends You a Message

    As everyone knows, new Japanese Prime Minister Mr. Yasuo Fukuda has just been appointed, and a suspicious email supposedly coming from the new PM is already making the rounds.

    The email message comes with an attachment named MOFA.ZIP. When uncompressed, its content looks like the following. The file uses the MS Word icon, but instead of the normal .DOC extension it has an .EXE extension:

    {Mofa icon}

    Once MOFA.EXE is executed, MOFA.DOC opens. The .DOC file contains part of the new Japanese Prime Minister’s official Web site. The content uses a font called SimSun, which can display Chinese characters on a Japanese platform, or Japanese characters on a Chinese platform. On Windows XP systems, this font is displayed normally. However, on Windows 2000 platforms with MS Word 2000, the result is the following:

    {SimSun on Windows 2000 with MS Word 2000}

    When you check “Property”, you can see some Chinese characters in the name field:

    {SimSun on Windows 2000 with MS Word 2000}

    {SimSun on Windows 2000 with MS Word 2000}

    Opening this document is most probably a trick to distract users. It is possible that when the document opens, malicious activity starts in the background. The .EXE file is detected by Trend Micro as BKDR_DARKMOON.BG.
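
A mail gateway or triage script can flag this kind of attachment before a user ever sees the Word icon. The following Python is an added example, not Trend Micro's code: it lists ZIP members that carry an executable extension or begin with the MZ header, going slightly beyond the MOFA.EXE case to also catch an executable renamed to a document extension. The function names, the extension list and the sample archive are assumptions constructed for illustration.

```python
import io
import posixpath
import zipfile

# Extensions Windows runs directly (assumed list; a real policy is usually broader).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}


def suspicious_members(zip_bytes):
    """Return (member name, reasons) for archive members that look executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            ext = posixpath.splitext(info.filename)[1].lower()
            with archive.open(info) as member:
                magic = member.read(2)  # DOS/PE executables start with b"MZ"
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable extension " + ext)
            if magic == b"MZ":
                reasons.append("MZ (DOS/PE) header")
                if ext not in EXECUTABLE_EXTS:
                    reasons.append("extension hides executable content")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed sample: harmless bytes that only mimic the layout described."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("MOFA.EXE", b"MZ" + b"\x00" * 62)    # header stub, not a real PE
        archive.writestr("notes.doc", b"\xd0\xcf\x11\xe0" + b"\x00" * 60)  # OLE2 magic
        archive.writestr("report.doc", b"MZ" + b"\x00" * 62)  # executable bytes, .doc name
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in suspicious_members(build_sample_zip()):
        print(name + ": " + "; ".join(reasons))
```

The check reads only the first two bytes of each member, so it does not unpack or run anything from the archive.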

    A warning has been issued regarding this suspicious email message. It may be found on the official Web site of the Japanese PM.

    Users are advised not to open attachments that are unexpected or that come from suspicious senders.
    Additional information from the Japan Regional TrendLabs





    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice