IMG0893.zip - Your photo all over Facebook? Naked? Malware campaign spammed out

Filed Under: Featured, Malware, Spam

SophosLabs is intercepting a spammed-out malware campaign, pretending to be an email about a revealing photo posted online of the recipient.

The emails, which have a variety of subject lines and message bodies, arrive with an attached ZIP file (IMG0893.zip) which contains a Trojan horse.

Malicious email

Subject lines used in the spammed-out malware campaign include:

  • RE:Check the attachment you have to react somehow to this picture
  • FW:Check the attachment you have to react somehow to this picture
  • RE:You HAVE to check this photo in attachment man
  • RE:They killed your privacy man your photo is all over facebook! NAKED!
  • RE:Why did you put this photo online?


The message bodies contained inside the email can also vary. Here are some examples:

  • Hi there ,
    I got to show you this picture in attachment. I can't tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who's that dude??.
  • Hi there ,
    I have a question- have you seen this picture of yours in attachment?? Three facebook friends sent it to me today... why did you put it online? wouldn't it harm your job? what if parents see it? you must be way cooler than i thought about you man :)))).
  • Excuse me,
    But i really need to ask you - is it you at this picture in attachment? I can't tell you where I got this picture it doesn't actually matter... The question is is it really you???.

You can imagine how some people would react if they received a message like this in their email. Many might open the attachment out of curiosity (or even with trepidation that a private photo had leaked onto the internet!) and end up having their Windows computer infected as a result.

Sophos products protect users against the threat, detecting it as Troj/Bredo-VV and Mal/BredoZp-B.

The Bredo Trojan is nothing new, and we regularly see variants of it spammed out widely across the internet using a variety of social engineering lures to trick users into opening the dangerous attachment.
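The lures above are easy to pattern-match at the mail gateway. As an added example that is not part of the original article, the following Python triage routine parses a raw message, strips the RE:/FW: prefix, compares the subject against the subject lines listed above, and flags ZIP attachments whose name follows the IMG0893.zip / IMG 0962 zip pattern seen in this campaign (the four-digit generalisation and the sample message are constructed here, not taken from the article).

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Subject lines quoted in the article, lower-cased, with the RE:/FW: prefix removed.
LURE_SUBJECTS = (
    "check the attachment you have to react somehow to this picture",
    "you have to check this photo in attachment",
    "they killed your privacy man your photo is all over facebook! naked!",
    "why did you put this photo online?",
)
# Attachment names seen on the page: IMG0893.zip and "IMG 0962 zip" (assumed: IMG + 4 digits).
ATTACHMENT_RE = re.compile(r"^img\s?\d{4}\.zip$", re.IGNORECASE)
REPLY_PREFIX_RE = re.compile(r"^(re|fw|fwd)\s*:\s*", re.IGNORECASE)


def triage(raw: bytes) -> list[str]:
    """Return the campaign indicators matched by one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["subject"] or "").strip()
    core = REPLY_PREFIX_RE.sub("", subject).lower()
    if core in LURE_SUBJECTS:
        hits.append(f"subject:{subject}")
    for part in msg.iter_attachments():  # only non-body MIME parts
        name = part.get_filename() or ""
        if ATTACHMENT_RE.match(name):
            hits.append(f"attachment:{name}")
        elif name.lower().endswith(".zip"):
            hits.append(f"zip-attachment:{name}")  # worth a look even if the name differs
    return hits


def build_sample() -> bytes:
    """Constructed lure message mimicking the campaign (placeholder bytes, not real malware)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "RE:Why did you put this photo online?"
    msg.set_content("Hi there ,\nI have a question- have you seen this picture of yours in attachment??\n")
    msg.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                       subtype="zip", filename="IMG0893.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```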

Keep your wits about you, and your anti-virus up-to-date, and you should have little to fear.


10 Responses to IMG0893.zip - Your photo all over Facebook? Naked? Malware campaign spammed out

  1. Gary · 865 days ago

    Just got it. Trend Micro is not detecting it.

  2. Ben · 865 days ago

    I stopped feeling sorry for people who still fall for this crap a long time ago - especially the "It doesn't matter 'cause I have a Mac" people. Ugh. Let 'em find out the hard way.

    • Nigel · 862 days ago

      How about, "It doesn't matter because I have a Mac running Sophos Anti-Virus, I don't use Facebook, and I don't open stupid messages like the ones shown above."

      Of course, the same is true when I work on a PC with a good anti-virus application and up-to-date software patches and virus definitions. I don't do stupid things there either.

      It has nothing to do with one's operating system. I don't understand why ANYONE would think they're immune to malware in this day and age...well, other than sheer irresponsibility. If you think that characteristic is limited to Mac users, you should check your assumptions.

  3. roll · 864 days ago

    Can you upload to virustotal? I am curious the detection rate.

  4. Ridiculouse How · 864 days ago

    I knew it that Graham Cluley was in the illuminati hence the 1 eye picture.

  5. Jim J · 863 days ago

    Sheez! Dump Facebook and be done with it. I have been viewing Sophos for several years without seeing a single Facebook scam. However, within the past year, not many days go by without a scam or two. Gullible folks should not be involved in social sites.

    Also, I'm weary of the ignorant celebs whining about their naked photos appearing on sites without their knowledge. Well, why do they have those photos on their phones? Surely they are sharing with someone.

  6. rocky · 862 days ago

    Had a couple of these coming through normal email. Latest one from:
    Evan Jennings <questioningh10@fiemg.com.br>

    Text field states "Excuse me ,
    But I really need to ask you - is it you at this picture in attachment? I can't tell you where I got this picture it doesn't actually matter... The question is is it really you???.

    Contained an IMG 0962 zip attached file which contained a Troj/DwnLdr-JXD

  7. The variation I got was this "but this chick looks a lot like your ex-gf. "

    Kind of odd... as I am a GIRL!

    The warning message popped up with this: Virus scan did not complete.
    Virus detected. So I didn't.

  8. Kris · 827 days ago

    Ugh, I've had two this week. Warning to anyone out there. If u get a suspect email, just copy and paste it into a search engine and see what comes up. You will usually find forums mentioning them. WHY do people do this?

  9. A FB friend's account sent this ZIP to me via FB private message. I asked her if she sent it. She said no, but that she had had others complain.

    I told her to reset her FB password and check APP permissions. She says she does not allow any apps.

    I sandboxed the zip in a virtual Linux instance with no access to the local machine and looked at the zip contents. Not an expert other than recognizing a JAR file and some JS that meant nothing to me.

    What can she do so that her FB will stop sending the messages and is her computer infected?


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.