Since late last week, we have been observing a fair number of spams with a Trojan payload, purporting to be a money transfer notification from Western Union. The spam looks like this (the attachment in this screenshot has been stripped by a scanner -- the actual attachment should read "Western Union Information.exe":
The text may read something like this:
Dear Mike
Total of #3750 has been transferred by western union
MTCN number is 007-188-6024.
Enclosed is the western union sheet
Robert
or
Dear Mike
Total of $3750 has been transferred by wetern union
The MTCN number is 007-188-6024.
Enclosed is the transfer sheet
I hope this settles my transfer
Robert
The payload is Trojan.Perfloger. There are many other descriptions. A VirusTotal scan is here:
http://www.sunbelt-software.com/ihs/alex/virustotalperflogger.pdf
After the Trojan is executed, the user sees a text file:
But that, of course, is the least of their problems.
An analysis of the program is on the Sunbelt Sandbox, here:
http://research.sunbelt-software.com/ViewMalware.aspx?id=2854232
The text may read something like this:
Dear Mike
Total of #3750 has been transferred by western union
MTCN number is 007-188-6024.
Enclosed is the western union sheet
Robert
or
Dear Mike
Total of $3750 has been transferred by wetern union
The MTCN number is 007-188-6024.
Enclosed is the transfer sheet
I hope this settles my transfer
Robert
The payload is Trojan.Perfloger. There are many other descriptions. A VirusTotal scan is here:
http://www.sunbelt-software.com/ihs/alex/virustotalperflogger.pdf
After the Trojan is executed, the user sees a text file:
But that, of course, is the least of their problems.
An analysis of the program is on the Sunbelt Sandbox, here:
http://research.sunbelt-software.com/ViewMalware.aspx?id=2854232