Or perhaps the more festive title “Jingle All the Way (…to a Cimuz infection)”?
Overnight, SophosLabs identified a malicious eCard spam campaign spoofing the legitimate AmericanGreetings.com service. The spam messages enticed recipients into clicking an embedded link to view their card.
Anyone who clicked the link would not see an eCard, but instead a message informing them that an additional ActiveX control is required to view it.
Within the source of this page is the culprit: a malicious embedded object pointing at an installation package (a CAB file) hosted on the malicious domain.
If the ActiveX control installation is authorised, the CAB package is retrieved and the file update.exe is extracted and executed (detection added as Troj/Cimuz-CS). This file proceeds to infect the victim with Cimuz.
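The “embedded object” that does the damage here is an ordinary <object> tag whose codebase attribute tells Internet Explorer where to fetch the ActiveX installer from; the browser asks the user to authorise the install and, if they do, downloads the CAB and runs what it contains. The script below is an added example (not SophosLabs code, and not taken from the campaign page) that pulls such tags out of a page and flags any whose codebase points at a CAB file, noting the declared version and whether the package is served from a host other than the page itself. The sample page, the hostnames and the CLSID in it are constructed placeholders, not indicators from this campaign.

```python
"""Flag HTML pages that try to push an ActiveX control from a CAB package.

Added example, not SophosLabs code. IE fetched ActiveX installers from the
codebase attribute of an <object> tag, in the form
    codebase="http://host/path/file.cab#version=1,0,0,0"
The sample page, hostnames and CLSID below are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ObjectTagCollector(HTMLParser):
    """Collect the attributes of every <object> element in a page."""

    def __init__(self):
        super().__init__()
        self.objects = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names;
        # attribute values may be None for bare attributes.
        if tag == "object":
            self.objects.append({k: (v or "") for k, v in attrs})


def find_activex_cab_installers(html, page_url):
    """Return one finding per <object> whose codebase points at a .cab file.

    Each finding records the CLSID, the CAB URL, the version string after
    '#version=' (if any) and whether the CAB is served from a different host
    than the page that embeds it (an extra signal, not a requirement).
    """
    parser = ObjectTagCollector()
    parser.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    findings = []
    for attrs in parser.objects:
        codebase = attrs.get("codebase", "")
        if not codebase:
            continue
        url, _, version = codebase.partition("#version=")
        parsed = urlparse(url)
        if not parsed.path.lower().endswith(".cab"):
            continue
        # A relative codebase is fetched from the page's own host.
        host = (parsed.hostname or page_host).lower()
        findings.append({
            "classid": attrs.get("classid", ""),
            "codebase": url,
            "version": version,
            "off_site": host != page_host,
        })
    return findings


def is_drive_by_installer_page(html, page_url):
    """True when the page embeds at least one CAB-backed ActiveX object."""
    return bool(find_activex_cab_installers(html, page_url))


# Constructed sample of the kind of landing page described above
# (placeholder domain and all-zero CLSID; not real indicators).
SAMPLE_PAGE = """<html><body>
<p>An additional ActiveX control is required to view your card.</p>
<object classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="http://cards.example.net/install/update.cab#version=1,0,0,1"
        width="0" height="0"></object>
</body></html>"""

SAMPLE_URL = "http://ecard.example.org/view.php"

if __name__ == "__main__":
    for finding in find_activex_cab_installers(SAMPLE_PAGE, SAMPLE_URL):
        print(finding)
```

Run it over saved copies of suspect landing pages (or over pages fetched in a sandbox); a zero-size object with a CAB codebase, especially one served from a host the page does not otherwise belong to, is worth a closer look regardless of what the page says it needs the control for.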
The file flashupdate.exe is written to the temporary folder and executed; it then attempts to connect to remote servers and download additional files. At the time of writing, one of these files was available and contained instructions naming a further URL to download from.
Thankfully, the flashupdate.exe file is pro-actively detected as Mal/Cimuz-D.
The Cimuz family of Trojans is no stranger to this blog [1,2,3], but in recent months it has been pretty quiet. Clearly the group behind this latest attack is in need of a little financial top-up over the Christmas period. Don’t help them: follow the usual rules, especially over Christmas and New Year, when social engineering tricks may work that little bit too easily.