Trend Micro threat analysts found spammed messages that pretended to be a letter coming from the “boss.” The messages bore the subject “get back to my office for more details” and instructed users to extract and read the letter contained in the attached .ZIP file. The attachment, of course, does not contain a letter but an .EXE file (info.exe) detected by Trend Micro as TROJ_CUTWAIL.GT.
Upon execution, TROJ_CUTWAIL.GT creates registry entries to automatically execute at every system startup. It also drops a Trojan dropper detected as TROJ_DROPR.ST. Cutwail is known as the “spam engine” of the notorious botnet, PUSHDO, which spammed around 7.7 billion messages a day in the second quarter.
In the past few days or so, Trend Micro has reported various spam that used malicious attachments (ZIP or RAR) to hide malware. This suggests that old tactics never die and continue to be an effective way of infecting users. We blogged about this in the following posts:
- Spoofed Contract Carries Malware
- Fake Facebook Password Notification Leads to Malware
- FAKEAV Uses Conficker Worm as Bait
Users are advised to be wary when opening any attached file even if it comes from a person with authority or one’s “boss.” Trend Micro users are protected via the Trend Micro Smart Protection Network, which detects TROJ_CUTWAIL.GT and blocks the spammed email message. Non-Trend Micro products users can use free tools like HouseCall to stay secure from this attack.