Sophos is intercepting a malicious spam attack, which attempts to infect recipients’ computers with a Trojan horse by pretending to contain images of the Scandinavian sender.
Here is what a typical malicious email looks like:
Subject: Hei Man,
Attached file: Image123.zip
Jeg vet ikke hvordan jeg skal si det, men jeg har prшvde fшr en lang tid til е sende deg noen bilder, men jeg har tenkt at du ikke er interessert i е se meg.
Men nе skal jeg sende deg bilder i vedlegg.
Last ned bilder og trekke ut de, er jeg sikker pе at du vil like de. Passordet er: 123456
Ha en flott dag.
The message, which appears to be written in Norwegian, roughly translates to:
I do not know how to say it, but I have tried for a long time to send you some pictures, but I've been thinking that you are not interested in seeing me.
But now I'll send you pictures in the attachment.
Download the images and extract them, I'm sure that you will like them. The password is: 123456
Have a great day.
The attached file, named Image123.zip, is encrypted – presumably in an attempt to avoid detection by weaker anti-virus products – but the email message contains the password to unlock the ZIP and reveal the malware to you.
Of course, an attack like this is only likely to trick users who speak Norwegian (or its close linguistic neighbour Danish), but you can imagine how a message claiming to come from a Facebook or Hi5 friend might trick some people into checking out what hides behind the ZIP without thinking.
Sophos detects the Trojan horse proactively as Mal/Behav-043 and is adding detection of the ZIP file as Troj/BredoZp-BU.
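A mail-gateway heuristic for the pattern described above (an encrypted ZIP attachment whose password is stated in the message body), as an added example that is not Sophos's detection logic. The function names, the password regex and the constructed sample mail are assumptions made for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Password statement in the languages seen on this page (English, Norwegian, French).
PASSWORD_HINT = re.compile(r"(?:passw?ord\w*|mot de passe)\s*(?:(?:er|is|est)\s*)?:\s*(\S+)", re.I)

def encrypted_members(zip_bytes):
    """Names of ZIP entries whose general-purpose flag bit 0 (encrypted) is set."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]

def check_message(raw):
    """Return a finding if the mail has an encrypted ZIP and its body states a password."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    hint = PASSWORD_HINT.search(body.get_content() if body else "")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        try:
            locked = encrypted_members(data)
        except zipfile.BadZipFile:
            continue  # not a ZIP (or corrupt): nothing to report here
        if locked and hint:
            return {"attachment": part.get_filename(), "encrypted": locked,
                    "password": hint.group(1)}
    return None

def build_sample(body="Last ned bilder. Passordet er: 123456\nHa en flott dag.\n"):
    """Constructed mail: a harmless ZIP with the 'encrypted' flag bit patched on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Image123.txt", "placeholder, not malware")
    z = bytearray(buf.getvalue())
    z[6] |= 1                          # flag bit 0 in the local file header
    z[z.find(b"PK\x01\x02") + 8] |= 1  # same bit in the central directory entry
    mail = EmailMessage()
    mail["Subject"] = "Hei Man,"
    mail.set_content(body)
    mail.add_attachment(bytes(z), maintype="application", subtype="zip",
                        filename="Image123.zip")
    return mail.as_bytes()

if __name__ == "__main__":
    print(check_message(build_sample()))
```

The check reads only the ZIP directory, so it works without decrypting anything; a gateway could use the recovered password to unpack and scan the archive, or simply quarantine the message.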
5 comments on “Hei Man: Scandinavian spam attack spreads Trojan horse”
It says Facebook and the email says hi5!
Never open attachments unless you were expecting an attachment in an email; often it's wise to double check, i.e. to ask the sender.
Viruses can be spread very easily via email etc in attachments etc.
This article covers one example; there are 1000's of examples of nasties being this way.
Close, but no cigar. They are still struggling with the language barrier.
I don't know if it's the e-mail client, but the Norwegian characters (øæå) have been converted to something else. So you got about 6 words in there that are just rubbish.
And the e-mail is definitively written using an automated translator. The content is awkwardly written at best, and some of it doesn’t make sense, or isn’t really something you can write or say, e.g.:
“but I have tried for a long time” directly translates into “men jeg har prøvd for en lang tid”, and you can’t really say or write that in Norwegian at all.
It also asks you to “pull the files out”, not extract or unpack (which makes no sense).
I can only wish “them” better luck next time 😉
And here's a fresh one from Sunday 13/2 in French, sent to a Scandinavian mailbox:
Je ne sais pas comment le dire, mais j'ai tryed avant longtemps de vous envoyer quelques photos, mais j'ai pensé que vous n'êtes pas intéressé à me voir.
Mais maintenant, je vais vous envoyer les photos dans la pièce jointe.
Téléchargez les photos et extraits, je suis sûr que vous qu'ils aiment. Le mot de passe est: 123456
Ayez un jour splendide.
I got the same message to the other, and the grammar was wrong. And because I do not have facebook, I opened the message. Fortunately. This topic has come to me 8/28/2011. Fortunately, the message discovers that it has made to the translator. Text like this, so forgive the grammatical errors. Sincerely Tommi.V Finland