Another swine flu-related spam run was recently reported, this time targeting Japanese users. Aside from using the swine flu as its social engineering lure, which earlier spam runs have already done, this run also uses a sender address that appears to belong to the .yahoo.co.jp domain. This serves not only to evade spam filters but also to further convince users that the message is legitimate, so that they open the attached malicious file.
Spammed messages with the subject “Warning of Swine Flu,” claiming to be from the National Institute of Infectious Diseases, encourage users to open an attached .ZIP file to “learn” more about the pandemic (detected as TROJ_PIDIEF.UA and TROJ_PIDIEF.TY). Our engineers have verified that TROJ_PIDIEF.TY drops and executes BKDR_KUPS.G.
The real National Institute of Infectious Diseases has issued a warning about the fake messages on its website to alert users who may receive them.
Here is a translation of the text contained in the spam message:
From: National Institute of Infectious Diseases firstname.lastname@example.org
Subject: Warning of Swine Flu!
Attached file name: Information on the swine flu
The swine flu has been spreading. Infection cases in the UK were reported, following the cases in Mexico, the US, Canada and Spain. Although measures against the flu have been taken globally, possible infection cases are being reported from many countries. One such report came from Korea on the 28th. The infection has likewise been ongoing for weeks in Mexico. Some experts say that there is a possibility that the flu has already arrived in Japan. We should protect ourselves by learning more about the swine flu.
National Institute of Infectious Diseases
Users are strongly advised not to judge the legitimacy of an email simply by its content.
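A mail-gateway triage check for the pattern described above (an organisation's name in the display name over a .yahoo.co.jp address, a Return-Path on a different domain, and a .ZIP attachment), written in Python as an added example that is not part of the original post. The sample message, the placeholder expected domain niid.example.jp and the freemail list are all constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the spam run described above; addresses, boundary
# and attachment bytes are placeholders, not a real captured message.
SAMPLE_SPAM = """\
Return-Path: <bounce@mailer.example.invalid>
From: "National Institute of Infectious Diseases" <user@yahoo.co.jp>
Subject: Warning of Swine Flu!
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

The swine flu has been spreading. Learn more in the attached file.
--BOUNDARY
Content-Type: application/zip; name="Information on the swine flu.zip"
Content-Disposition: attachment; filename="Information on the swine flu.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--BOUNDARY--
"""
# Impersonated organisation -> domain its mail is expected from (assumed placeholder domain).
EXPECTED_SENDER_DOMAIN = {"national institute of infectious diseases": "niid.example.jp"}
FREEMAIL_DOMAINS = {"yahoo.co.jp", "yahoo.com", "gmail.com", "hotmail.com"}  # illustrative
RISKY_EXTENSIONS = (".zip", ".exe", ".scr")

def analyze_message(raw: str) -> dict:
    # Parse the raw RFC 822 text and extract the facts a triage rule needs.
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    rp_domain = return_path.rpartition("@")[2].lower()
    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]
    findings = []
    expected = EXPECTED_SENDER_DOMAIN.get(display_name.strip().lower())
    if expected and from_domain != expected:
        findings.append(f"display name claims an organisation whose mail is expected from {expected}")
    elif display_name and from_domain in FREEMAIL_DOMAINS:
        findings.append("named sender over a consumer webmail domain")
    if rp_domain and rp_domain != from_domain:
        findings.append("Return-Path domain differs from From domain")
    for name in attachments:
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")
    return {"from_domain": from_domain, "return_path_domain": rp_domain,
            "attachments": attachments, "findings": findings}
```

Each finding on its own is weak evidence; a gateway rule would combine them, and the expected-domain table is the part worth maintaining, since it catches the impersonation regardless of which webmail domain the spammer picks.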