Oct17
8:19 pm (UTC-7)   |   by Joey Costoya (Advanced Threats Researcher)

There’s another wave of malware-bearing spam. This time, the spam claims that “new clauses” have been added to the legislation regulating your online activities.


Figure 1. Spam sample

Attached in the spam email is the zip file Legislation.zip, which contains Legislation.doc{several whitespace characters}.exe. Yes, this is the age-old double-extension trick which uses a LOT of whitespace to hide the final .exe extension. As the screenshot below shows, the whitespace padding is enough to fool unsuspecting users to double-click the seemingly harmless .doc file inside the ZIP file.


Figure 2. Screenshot of spam attachment contents

Trend Micro Smart Protection Network detects the malware as TROJ_AGENT.DAM.

It must be noted that there was an earlier legislation spam wave earlier this month, with a different email attachment (Legislation-25.doc.exe inside a Legislation.zip attachment) that is already detected as TROJ_AGENTT.Q.

If you're new here, you may want to subscribe to our RSS feed. Thanks for visiting!



This entry was posted on Friday, October 17th, 2008 at 8:19 pm and is filed under Malware, Spam . You can leave a response, or trackback from your own site.



Leave a Reply


Your eTicket Makes a Worm Fly
Clickjacking Woes


 
TrendWatch Hijack This Web Protection Add-On
Free Online Virus Scan Rootkit Buster Submit Suspicious Files
Global Malware Map RUBotted? Trend Micro
 



    		 
© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice