All Work And No Play Makes Dorf Spammer … Er … Irritating!

As my colleague in Australia wrote, the Dorf campaign has been relentless thus far over the festive period.

The Dorf scam has now begun to focus on a “New Year” theme, a bit too early. Perhaps the Dorf spammer is still suffering from ACS.

The spammed messages encourage the user to visit the site that hosts the malware:


The site itself is incredibly uninteresting in terms of content:


The link points to a file called happy-2008.exe, the newest variant of the Dorf family.

What is highly unusual is that the new sample is not packed in any way. We at SophosLabs suspect that this is in response to the fact that many anti-virus vendors, including ourselves, have very good proactive detection of suspicious runtime packers. It appears as though the new campaign deliberately avoids using a packer to elude proactive detection. We have, however, updated our proactive detection of Dorf to encompass the new strain as well as Mal/Dorf-H.

By the by, whilst we are on the subject of proactive detection, last week my colleague in the UK mentioned the superfluous Pushdo campaign, which tends to manifest itself exclusively on Wednesdays. Well, we have not seen the Pushdo campaign today (i.e. Boxing Day), but we did see the campaign yesterday, Christmas Day itself. Needless to mention, we still detect the associated malware sample as Troj/Pushdo-Gen. The Pushdo author might as well have enjoyed his Christmas pudding rather than attempt to inflict misery on the public in a most uncharitable fashion.