    Senior Anti-Malware Security Specialist Rainer Link has reported receiving a peculiar email notification that masquerades as having been sent by PayPal.

    Below is a screenshot of a sample spam email:


    Alice Decker, Trend Micro Advanced Threats Researcher, has translated the German text:

    Good Morning,
    Your order Nr. SP1239192 is now executed.
    An amount of 6336.09 EURO was debited directly and it will be shown in your Paypal debit entry. You may find attached the details of the invoice.

    PayPal (Europe)
    S.447; r.l. & Cie, S.C.A.
    01-81 Boulevard Royal
    L-0342 Luxembourg

    CEO: Mia Mayes
    Trade register number: R.C.S. Luxembourg B 212 106

    Trend Micro detects the attached ZIP file, which masks itself as a file detailing the invoice of the said transaction, as WORM_OTORUN.C. This worm propagates by dropping copies of itself into removable drives and connecting to certain Web sites to download possibly malicious files.

    What is remarkable about this attack, said Decker, is that a worm is being sent via email, which hasn’t been the norm. The attack can also be said to be becoming more diverse: past schemes involved emailing downloaders that dropped browser hijacker Trojans (TROJ_BZUB variants), whereas more recently we have been getting downloaders of hijackers with rootkit capabilities (like the WNSPOEM malware) and now, worms.

    Additionally, the email message body suggests that a new criminal organization outside Europe triggered this attack, added Decker.

    Rechnung spam runs have been hitting users since 2006, and have been observed to be making a comeback during the second half of 2007.

    Other such attacks in the past:
    Another Yabe Wave
    IKEA “Rechnung” malware shops for new targets
    New WORM_NUWAR.CQ variant, new faked 1&1 bills, new faked “KD Webshop Bestellung”
    Yet Another “Bill” from Ebay
