Fake Conflicker.B Infection Alert puts internet users at risk

The global network of spamtraps controlled by the experts inside SophosLabs are seeing a swarm of attacks today, posing as an email warning about the Conficker worm.

Here is a typical message that has been spammed out by hackers:

Malicious email posing as a warning about the Conficker worm

Subject: Conflicker.B Infection Alert
Attached file: open.zip

Message body:

Dear Microsoft Customer,

Starting 12/11/2009 the "˜Conficker' worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

Opening the file attached to the email (in this case it’s called open.zip) infects your computer with malware which Sophos detects as Mal/EncPk-KW.

The wording is nearly identical to a similar attack I blogged about last October.

What surprises me is that during the last few months the hackers behind the attack appear to have made no effort to fix mistakes in their disguise – for instance, it should say Conficker in the subject line not Conflicker!

I can only presume that they’re counting on their potential victims not spotting that typo. It certainly has not stopped the cybercriminals from sending out the infected messages en masse today. Presently this malicious spam campaign is one of the most commonly seen examples of file attachment malware being spread around the world:

Examples of the malware caught in Sophos's traps