Trend Micro threat analysts were alerted to the discovery of spammed messages that purported to come from Media Service. The email bears the subject, “Congratulations,” and informs users that they won a Macbook Air. It also entices users to open the attached .ZIP file, which supposedly contains the details. Of course, the attachment does not hold any details but does contain an executable file (winner.exe) detected by Trend Micro as TROJ_AGENT.AWYQ.
When executed, TROJ_AGENT.AWYQ drops another malware detected as TROJ_CUTWAIL.GO. Cutwail/Pushdo is one of the most notorious spam botnets that sends around 7.7 billion emails a day. Pushdo variants are essentially downloaders, which first infects a system then downloads the Cutwail spam module (also owned by the same criminal gang). It also normally installs one or more different “Campaign Modules” or third-party malware from other malware groups, which account for the large number of observable differences between infections.
In addition, TROJ_AGENT.AWYQ connects to certain mail servers such as Yahoo!, Gmail, and Hotmail where it sends email attachments containing copies of the malware.
Users are strongly advised not to open emails from unknown sources, especially if they seem very enticing. Trend Micro secures users from this attack via the Smart Protection Network, which blocks the spammed messages and detects and deletes the malicious files.