Plus ça change

Another day, another Dorf campaign: this weekend saw another episode in the ongoing ‘storm’ of spam emails carrying links to download Dorf.

This variant of the spam uses the lure of arcade games to tempt users into downloading Mal/Dorf-E.


As you can see, we detect the webpage proactively (Troj/JSXor-Gen), and we also detect the executable proactively (Mal/Dorf-E). The only change SophosLabs were required to make was to update our Spam Genotype.

Plus ça change, plus c’est la même chose. Dorf is changing, but enough stays the same for our proactive detection to keep working.