PDF spam phones home to Sality malware family

Remember all those long distance phone calls we made? No, me neither – so if you see an email asking you that same question, don’t open it.

The spam messages have a subject of “phone calls” and look like this:

Hey man..

Remember all those long distance phone calls we made.
Well I got my telephone bill and WOW.
Please help me and look at the bill see which calls where yours ok..

There’s an attachment called “PhoneCalls.pdf” which Sophos detects as Troj/PDFJs-II. This file tries to exploit an old vulnerability in how Adobe Reader handles TIFF images (CVE-2010-0188, APSB10-07) to download and execute more malicious code.

In fact the code it downloads is detected as Troj/SalLoad-B, which goes on to load the Sality virus into memory. We’ve talked about this particularly nasty virus several times in the past, not least its unfortunate tendency to corrupt files during infection, so it’s a nuisance to see it aggressively seeding in this way.

Of course you can help stop Sality from making those long-distance phone calls – just make sure your Acrobat Reader and AntiVirus are up to date, and be careful what attachments you open!

Image source: KirrilyRobert’s Flickr photostream (Creative Commons 2.0)