HO HO HO Santa has a virus for you

This morning while triaging customer malware and spam samples I saw a variation on the typical click-the-link and get malware spam.

This one was Christmas themed, normally we would expect Thanksgiving themed spam before the Christmas glut.

The spam has a subject of “HO HO HO Santa has the best offer of the year for you” and contents of :

HO HO HO Santa has the best offer of the year for you
Hello, it’s me Santa Clause, I suppose you already know me, I have for you the most wanted offer of the year.
If you make an account on:
until the 5th December, you can choose one welcome gift from us for 50 Euros
from http://xxxx.xxx
and enter your validation code, which is: a91-valets-cloud-mad
(Only until the 5th December availible.)
This is our way to say Happy Holidays,

take your chance to feel the Christmas Anticipation
Santa Clause

The link if you were to follow it would attempt to install an EXE called santaclause.exe that is infected with W32/Parite-B an old Windows viruses whose only claim to fame is that it infected all 32-bit PE files.

UPDATE: A colleague asked what malware was under the W32/Parite-B infection so I had another look at the malware sample and it is a variant of Mal/Zapchas-A.

This particular spammer hasn’t been practicing Safe Hex and has gotten infected. Ha ha ha!