Hei Man: Scandinavian spam attack spreads Trojan horse

Filed Under: Facebook, Malware, Social networks, Spam

Sophos is intercepting a malicious spam attack, which attempts to infect recipient's computers with a Trojan horse by pretending to contain images of the Scandinavian sender.

Here is what a typical malicious email looks like:

Hei Man malicious email

Subject: Hei Man,
From: "Facebook"<info@hi5.com>
Attached file: Image123.zip

Message body:
Hei Man,

Jeg vet ikke hvordan jeg skal si det, men jeg har prшvde fшr en lang tid til е sende deg noen bilder, men jeg har tenkt at du ikke er interessert i е se meg.
Men nе skal jeg sende deg bilder i vedlegg.
Last ned bilder og trekke ut de, er jeg sikker pе at du vil like de. Passordet er: 123456

Ha en flott dag.

The message, which appears to be written in Norwegian, roughly translates to:

Hey Man,

I do not know how to say it, but I have tried for a long time to send you some pictures, but I've been thinking that you are not interested in seeing me.
But now I'll send you pictures in the attachment.
Download the images and extract them, I'm sure that you will like them. The password is: 123456

Have a great day.

The attached file, named Image123.zip, is encrypted - presumably in an attempt to avoid detection by weaker anti-virus products - but the email message contains the password to unlock the ZIP and reveal the malware to you.

Of course, an attack like this is only likely to trick users who speak Norwegian (or its close linguistic neighbour Danish), but you can imagine how a message claiming to come from a Facebook or Hi5 friend might trick some people into checking out what hides behind the ZIP without thinking.

Sophos detects the Trojan horse proactively as Mal/Behav-043 and is adding detection of the ZIP file as Troj/BredoZp-BU.

, , , , ,

You might like

5 Responses to Hei Man: Scandinavian spam attack spreads Trojan horse

  1. bbbbwebproductions · 1704 days ago

    It says Facebook and the email says hi5!

  2. Dave Harvey · 1702 days ago

    Never open attachments unless you were expecting a attachment in a Email, often its wise to double check ie to ask the sender.

    Viruses can be spread very easily via email etc in attachments etc.

    This article covers one example, there is 1000's of examples of nasties being this way,


  3. jrp · 1702 days ago

    Close, but no cigar. They are still struggling with the language barrier.
    I don't know if it's the e-mail client, but the Norwegian characters (øæå) have been converted to something else. So you got about 6 words in there that’s just rubbish.

    And the e-mail is definitively written using an automated translator. The content is awkwardly written at best, and some of it doesn’t make sense, or isn’t really something you can write or say, eg:

    “but I have tried for a long time” directly translates into “men jeg har prøvd for en lang tid”, and you can’t really say or write that in Norwegian at all.
    It also asks you to “pull the files out”, not extract or unpack (which makes no sense).

    I can only wish “them” better luck next time ;-)

  4. Torben · 1702 days ago

    And here's a fresh one from Sunday 13/2 in French, sent to a Scandinavian mailbox:

    Bonjour Man,

    Je ne sais pas comment le dire, mais j'ai tryed avant longtemps de vous envoyer quelques photos, mais j'ai pensé que vous n'êtes pas intéressé à me voir.
    Mais maintenant, je vais vous envoyer les photos dans la pièce jointe.
    Téléchargez les photos et extraits, je suis sûr que vous qu'ils aiment. Le mot de passe est: 123456

    Ayez un jour splendide.

  5. tommi vertainen · 1510 days ago

    I got the same message to the other, and the grammar was wrong. And because I do not have facebook, I opened the message. Fortunately. This topic has come to me 8/28/2011. Fortunately, the message discovers that it has made ​​to the translator. Text like this, so forgive the grammatical errors. Sincerely Tommi.V Finland

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley