Senior Anti-Malware Security Specialist Rainer Link has reported receiving a peculiar email notification that masquerades as being sent by PayPal.
Below is a screenshot of a sample spam email:
Alice Decker, Trend Micro Advanced Threats Researcher, has translated the German text:
Your order Nr. SP1239192 is now executed.
An amount of 6336.09 EURO was debited directly and it will be shown in your Paypal debit entry. You may find attached the details of the invoice.
S.à r.l. & Cie, S.C.A.
01-81 Boulevard Royal
CEO: Mia Mayes
Trade register number: R.C.S. Luxembourg B 212 106
Trend Micro detects the attached ZIP file, which masks itself as a file detailing the invoice of the said transaction, as WORM_OTORUN.C. This worm propagates by dropping copies of itself into removable drives and connecting to certain Web sites to download possibly malicious files.
What is remarkable about this attack, said Decker, is that a worm is sent via email (which hasn’t been the norm). It can also be said that the attacks are becoming more diverse: past schemes involved emailing downloaders that dropped browser hijacker Trojans (TROJ_BZUB variants), more recently we have been getting downloaders of hijackers with rootkit capabilities (like the WNSPOEM malware), and now worms.
Additionally, the email message body suggests that a new criminal organization outside Europe triggered this attack, added Decker.
Rechnung spam runs have been hitting users since 2006, and have been observed to be making a comeback during the second half of 2007.
Other such attacks in the past:
• Another Yabe Wave
• IKEA “Rechnung” malware shops for new targets
• New WORM_NUWAR.CQ variant, new faked 1&1 bills, new faked “KD Webshop Bestellung”
• Yet Another “Bill” from Ebay