Contract_05_07_2010.zip – all you’ll contract is a malware infection

SophosLabs is seeing another widespread malicious spam attack being sent to email addresses around the world. The emails, which have a malware-infected attachment called Contract_05_07_2010.zip, pretend to be a legal contract – however, opening the contents of the file could infect your Windows computer.

Malicious contract email

A typical email reads:

Subject: Permit for retirement

Message body:

Good day,
We have prepared a contract and added the paragraphs that you wanted to see in it.
Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment.
We are enclosing the file with the prepared contract.
If necessary, we can send it by fax.
Looking forward to your decision.
"<name>

Attached file: Contract_05_07_2010.zip

Like the other malicious spam attack I blogged about today, each email is signed-off by the name contained in the email’s from: header, albeit with an errant ” prefixing it. One can only assume that the superfluous quotation mark was a programming boo-boo by the hackers.

Other subject lines used in the attack include:

Permit for retirement
Contract of settlements
Record in debit of account
Your new labour contract
Loan contract
Open an account
Rent contract

Subject lines used in the spammed-out malware campaign

It’s interesting to see the cybercriminals use the non-American spelling “Labour” rather than “Labor”, which may give some clues as to where they learnt the English language. Mind you, it could just as easily be a red herring as to the emails’ origin.

Sophos detects the ZIP file as Troj/Invo-Zip and the malware contained within as Troj/Bredo-DL Trojan horse.