PDF spam phones home to Sality malware family

Filed Under: Malware, PDF, SophosLabs, Spam

Remember all those long distance phone calls we made? No, me neither - so if you see an email asking you that same question, don't open it.

The spam messages have a subject of "phone calls" and look like this:

Hey man..

Remember all those long distance phone calls we made.
Well I got my telephone bill and WOW.
Please help me and look at the bill see which calls where yours ok..

The attachment, "PhoneCalls.pdf", is detected by Sophos as Troj/PDFJs-II. It tries to exploit an old vulnerability in the way Adobe Reader handles TIFF images (CVE-2010-0188, patched in APSB10-07 in February 2010) in order to download and execute further malicious code.
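A quick triage of an attachment like this one, as an added example (my own code, not Sophos's detection logic or anything from the PhoneCalls.pdf sample): it inflates every FlateDecode stream, flags script triggers (/JavaScript, /JS, /OpenAction) and XFA forms, and looks for a TIFF header both as raw bytes and inside long base64 runs. The base64 check rests on an assumption about typical samples, namely that public CVE-2010-0188 exploits carried the malformed TIFF inside an XFA form as base64 image data. The sample PDF built by `build_sample_pdf()` is constructed and harmless; it reproduces the structure, not the exploit.

```python
import base64
import re
import zlib

# Dictionary names worth flagging in an emailed PDF: script triggers plus the
# XFA form container that public CVE-2010-0188 samples used to carry the
# malformed TIFF (assumption about typical samples, not about PhoneCalls.pdf).
NAME_RE = re.compile(rb"/(JavaScript|JS|XFA|OpenAction|Launch|EmbeddedFile)(?![A-Za-z0-9])")
# (?<!end) stops "endstream\n" from being mistaken for the start of a stream.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
TIFF_MAGIC = (b"II*\x00", b"MM\x00*")   # little- and big-endian TIFF headers


def inflate(raw: bytes) -> bytes:
    """Undo /FlateDecode; fall back to the raw bytes if the stream is not zlib."""
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return raw


def decoded_base64_runs(body: bytes):
    """Yield the decoded form of every long base64 run (XFA image data is base64)."""
    for m in B64_RUN_RE.finditer(body):
        run = m.group(0)
        run += b"=" * (-len(run) % 4)        # repair missing padding
        try:
            yield base64.b64decode(run, validate=True)
        except ValueError:                   # binascii.Error is a ValueError
            continue


def scan_pdf(data: bytes) -> dict:
    """Return indicators found in the raw file and inside every decoded stream."""
    bodies = [data] + [inflate(m.group(1)) for m in STREAM_RE.finditer(data)]
    names = set()
    tiff_raw = tiff_base64 = 0
    for body in bodies:
        names.update(n.decode() for n in NAME_RE.findall(body))
        tiff_raw += sum(body.count(magic) for magic in TIFF_MAGIC)
        tiff_base64 += sum(1 for blob in decoded_base64_runs(body)
                           if blob.startswith(TIFF_MAGIC))
    score = len(names)
    if "XFA" in names and (tiff_raw or tiff_base64):
        score += 3   # XFA form carrying a TIFF: the CVE-2010-0188 delivery pattern
    if "JavaScript" in names or "JS" in names:
        score += 1
    return {"names": sorted(names), "tiff_raw": tiff_raw, "tiff_base64": tiff_base64,
            "streams": len(bodies) - 1, "score": score,
            "verdict": "suspicious" if score >= 4 else "low"}


def build_sample_pdf() -> bytes:
    """Constructed, harmless stand-in for a PhoneCalls.pdf-style attachment:
    an XFA datasets stream holding a base64 TIFF header, plus a JavaScript
    OpenAction. No exploit code; not the real sample."""
    tiff_header = b"II*\x00\x08\x00\x00\x00" + b"\x00" * 64   # header + padding, no IFD
    xfa = (b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><xfa:datasets><img>'
           + base64.b64encode(tiff_header) + b"</img></xfa:datasets></xdp:xdp>")
    stream = zlib.compress(xfa)
    return (b"%PDF-1.6\n"
            b"1 0 obj << /Type /Catalog /AcroForm 2 0 R "
            b"/OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n"
            b"2 0 obj << /XFA 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(stream)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + stream + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf()
    print(scan_pdf(data))
```

Run it with a file path to triage a real attachment, or with no arguments to see the constructed sample scored. A high score is a reason to detonate the file in a sandbox, not proof of infection: legitimate forms use XFA and JavaScript too, which is why the scanner reports the individual indicators alongside the verdict.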

In fact the code it downloads is detected as Troj/SalLoad-B, which goes on to load the Sality virus into memory. We've talked about this particularly nasty virus several times in the past, not least its unfortunate tendency to corrupt files during infection, so it's a nuisance to see it aggressively seeding in this way.

Of course you can help stop Sality from making those long-distance phone calls: keep Adobe Reader and your anti-virus up to date, and be careful about which attachments you open!

Image source: KirrilyRobert's Flickr photostream (Creative Commons 2.0)