MP3s of wiretapping? Not really.

Overnight SophosLabs received samples of yet another password-stealing Trojan that has been mass-spammed to users. The social engineering used in the email seeding is something of a throwback to the days of W32/Bagle: the email attachment is a password-protected RAR archive, and the password needed to extract it is supplied in the message body.


The rather intriguing message content may well trick recipients into extracting the malicious archive. If they do, they will find a single file inside with an MP3 extension (for example call234.mp3).


The file is not an MP3, however, but a malicious self-extracting installer intended to drop and execute another Trojan when run. (In our tests the Trojan did not execute successfully because of its .mp3 extension; I assume the authors intended to use a double extension.)
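As an added triage example (not Sophos's code or detection logic), the following Python check identifies an attachment by its leading bytes instead of its name, so that a self-extracting installer named call234.mp3, or a double extension such as call234.mp3.exe, is flagged. The signature table and the sample byte strings are assumptions constructed for this demonstration.

```python
"""Attachment triage: flag files whose extension disagrees with their content."""

# Well-known leading bytes (assumption: these signatures identify the types used here).
SIGNATURES = {
    "pe": (b"MZ",),                                          # Windows executable / SFX stub
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),   # RAR v4 / v5 archive
    "mp3": (b"ID3",),                                        # MP3 carrying an ID3v2 tag
}
AUDIO_EXTENSIONS = {".mp3"}


def sniff_type(data: bytes) -> str:
    """Identify content by magic bytes rather than by file name."""
    for kind, prefixes in SIGNATURES.items():
        if data.startswith(prefixes):
            return kind
    # Untagged MP3s begin with an MPEG frame sync word: 11 set bits (mask 0xFFE0).
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"


def extensions(name: str) -> list[str]:
    """All suffixes of a file name, so 'call234.mp3.exe' -> ['.mp3', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def assess_attachment(name: str, data: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    exts = extensions(name)
    kind = sniff_type(data)
    if exts and exts[-1] in AUDIO_EXTENSIONS and kind != "mp3":
        findings.append(f"{exts[-1]} extension but content is {kind}")
    if len(exts) > 1:
        findings.append(f"double extension {''.join(exts)}")
    if kind == "pe":
        findings.append("Windows executable (MZ header) in an email attachment")
    return findings


# Constructed samples, not real malware: an SFX-style stub masquerading as an MP3,
# and a genuine tagged MP3.
FAKE_MP3 = b"MZ\x90\x00\x03\x00" + b"\x00" * 58   # starts with the PE 'MZ' header
REAL_MP3 = b"ID3\x04\x00\x00" + b"\x00" * 10

if __name__ == "__main__":
    for filename, blob in (("call234.mp3", FAKE_MP3), ("song.mp3", REAL_MP3),
                           ("call234.mp3.exe", FAKE_MP3)):
        print(filename, assess_attachment(filename, blob) or ["ok"])
```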

Just another example of the bad guys using the same old social engineering tricks to fool users into running malicious code. Fortunately, Sophos products proactively detect the dropped Trojan as Mal/Packer so even if any users are tricked into extracting the RAR archive, they will not infect themselves.