April Fools Dorf

April Fools’ Day is an opportunity for many to play practical jokes on each other. Unfortunately, it’s not all harmless pranks: malware authors are also jumping on the bandwagon.

Those behind the “Dorf” malware have decided to make use of April Fools’ Day to launch another spam/malware attack. SophosLabs spam traps were hit hard today by many messages, with varying bodies and subject lines, attempting to direct users to an IP-based URI pointing to a machine hosting malware.

Example subject lines include:

All Fools’ Day
April Fools’ Day
Doh! All’s Fool.
Doh! April’s Fool.
Gotcha! All Fool!
Gotcha! April Fool!
Happy All Fool’s Day.
Happy All Fools Day!
Happy All Fools!
Happy April Fool’s Day.
Happy April Fools Day!
Happy April Fools!
I am a Fool for your Love
Join the Laugh-A-Lot!
One who is sportively imposed upon by others on the first day of April
Surprise! The joke’s on you.
Today’s Joke!
Today You Can Officially Act Foolish
Wise Men Have Learned More from Fools…

While the content of the email did vary, the page itself seems to be remaining static, and is being detected as Troj/DorfHtml-B.

The page links to a number of different filenames (e.g. “foolsday.exe”, “funny.exe”, “kickme.exe”), all detected as Troj/Dorf-BA.
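
A mail-filter heuristic for the pattern described above (a seasonal subject line combined with a link whose host is a raw IP address), plus a filename check for web proxy logs. This is an added example, not code from the original post: the keyword regex, function names and sample messages are constructed for illustration, and the sample addresses come from the documentation range 192.0.2.0/24.

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlsplit

# Keywords derived from the subject lines listed in the post (heuristic, not exhaustive).
SUBJECT_RE = re.compile(r"fool|gotcha|joke|laugh-a-lot|april", re.I)
# Filenames named in the post.
DROPPER_NAMES = {"foolsday.exe", "funny.exe", "kickme.exe"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def ip_literal_urls(text):
    """Return URLs in text whose host is a raw IPv4/IPv6 address, not a DNS name."""
    hits = []
    for url in URL_RE.findall(text):
        try:
            ipaddress.ip_address(urlsplit(url).hostname or "")
        except ValueError:
            continue  # DNS hostname or malformed URL
        hits.append(url)
    return hits


def is_dropper_url(url):
    """True if the last path segment is one of the filenames from the post."""
    return urlsplit(url).path.rsplit("/", 1)[-1].lower() in DROPPER_NAMES


def score_message(raw):
    """Flag a message only when both indicators from the post are present."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    subject_match = bool(SUBJECT_RE.search(msg["Subject"] or ""))
    urls = ip_literal_urls(text)
    return {"subject_match": subject_match, "ip_urls": urls,
            "suspicious": subject_match and bool(urls)}


# Constructed sample messages (not real campaign mail).
SPAM = "Subject: Happy April Fools Day!\n\nLook at this: http://192.0.2.10/\n"
BENIGN = "Subject: April Fools Day lunch\n\nMenu: http://example.com/menu\n"
OTHER = "Subject: Invoice\n\nPay here: http://192.0.2.10/pay\n"

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("benign", BENIGN), ("other", OTHER)):
        print(name, score_message(raw))
```

Requiring both indicators keeps ordinary seasonal mail from being flagged; the IP-literal check alone is still worth logging, since legitimate bulk mail rarely links to a bare IP address.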