Infectious invoices

One of the most common forms of mass malware distribution is to spam it out with some enticing message. However, as administrators gradually lock down their spam rules and block questionable content, malware authors have to keep finding new tricks…

One tried and tested method is the encrypted zip, as it prevents scanners from examining the archive content while still maintaining a perception of legitimacy. The password, of course, is in the message body, and the recipient (often without thinking) uses it, with rather dire consequences.
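The gateway-side check that follows is an added example, not code from this post: the ZIP central directory is never encrypted, so a scanner can read each member's encryption flag (and confirm it by attempting extraction) even when it cannot read the member data, and can combine that with a password hint in the message body. The sample archive, message body and verdict names are constructed for illustration.

```python
import io
import re
import struct
import zipfile
import zlib

ENCRYPTED_BIT = 0x0001  # general-purpose flag bit 0: member data is encrypted
PASSWORD_HINT = re.compile(r"\bpassword\b", re.IGNORECASE)

def build_zip(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    # Constructed sample: a minimal single-member stored ZIP. encrypted=True
    # sets the header flag as a password-protected archive does; the payload
    # bytes are left as-is, so this is a sample, not a real encrypted archive.
    flags = ENCRYPTED_BIT if encrypted else 0
    crc, n = zlib.crc32(payload) & 0xFFFFFFFF, len(payload)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                        crc, n, n, len(name), 0) + name + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0,
                          0x21, crc, n, n, len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd

def encrypted_members(zip_bytes: bytes) -> list[str]:
    # The central directory is readable even when the member data is not.
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_BIT]

def members_inspectable(zip_bytes: bytes) -> bool:
    # True only if every member extracts without a password, i.e. can be scanned.
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        try:
            for info in zf.infolist():
                zf.read(info.filename)
        except RuntimeError:  # raised by zipfile when a password is required
            return False
    return True

def triage_message(body: str, attachments: dict[str, bytes]) -> str:
    # Verdict for the pattern in the post: an archive nobody can scan, shipped
    # with its password in the message body. Verdict names are hypothetical.
    sealed = [n for n, d in attachments.items()
              if n.lower().endswith(".zip") and not members_inspectable(d)]
    if not sealed:
        return "allow"
    return "quarantine" if PASSWORD_HINT.search(body) else "review"

# Constructed sample message in the style the post describes.
SAMPLE_BODY = "Your invoice is attached. The archive password is 1234."
SAMPLE_ATTACHMENTS = {"invoice.zip": build_zip(b"invoice.exe", b"MZ...", True)}
```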

In order to sound appealing, many of these new-wave spams relate to invoices, statements or UPS/FedEx tracking.

In a new twist, however, the latest round of such spammed Trojans is infected with the W32/Parite-B parasitic virus. Whether this is an indication of an infected malware author or a deliberate attempt to add yet another layer is unclear. From my perspective, infecting anything with an old parasitic that is widely detected sounds silly, but as long as our customers are protected does it really matter?

Once the infection is removed we detect the underlying worm as W32/Womble-E (and we even make efforts to detect the zip itself as Troj/Invo-Zip).

The most surprising thing about all this is that no matter how many hoops and obstacles are required to extract, decrypt and respond to something that is obviously bogus, people still do!!!