Scan from a Xerox WorkCentre? Trojan attack spammed out widely

Filed Under: Malware, Spam

Xerox photocopierEmails claiming to come from a Xerox WorkCentre Pro photocopier have been spammed widely across the internet, containing a malicious file as an attachment.

Modern photocopiers don't just copy your confidential documents, or see the downside of inebriated staff antics at the office party, they can also email you your documents these days.

Which makes them a possibly all-too-convincing disguise for today's spammed-out malware campaign.

Although the precise wording varies from email to email, they all claim to be a scan (or sometimes a forwarded scan) from a Xerox WorkStation Pro.

Scan from a Xerox WorkCentre Pro


Scan from a Xerox WorkCentre Pro #[number]

Message body:

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.
Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set
Device Name: [random]

The names of attached files can vary but are along the lines of and

Sophos products have been intercepting the emails as spam, and will be detecting the attached file as the Troj/Dload-ID Trojan horse.

As always, be very careful opening unsolicited attachments - even if you do think at first that they could have been sent to you by one of the photocopiers in your office building.

This attack has been spammed out very aggressively - and it seems certain that some computer users may have fallen victim to it.

, , , ,

You might like

7 Responses to Scan from a Xerox WorkCentre? Trojan attack spammed out widely

  1. King Fred II · 1506 days ago

    If I get an attachment that I don't fully trust, I restart my computer in Linux and open it with that. No danger then :-)

  2. Larry Kovnat · 1506 days ago

    Thanks for bringing spreading the word about these suspicious looking e-mails; this is something we’ve been advising customers on for more than a year now. As you mention, the e-mail mimics a scan-to-e-mail file from a Xerox WorkCentre Pro. It’s important that customers be suspicious of all scan-to-e-mail files that they were not expecting to receive and to pay attention to the “From” field of these e-mails. The spam e-mail may fill in the “From” field with a user name to make the e-mail look safe, as opposed to a machine name (i.e. I advise all users to only open email attachments that are sent from a reliable, identifiable source. I encourage your readers to check for ongoing tips and advice.
    Larry Kovnat, Sr. Manager, Product Security

  3. Guest_IT-Pro · 1506 days ago

    A word to the wise on this one. The Work Center copiers can be set to send either a PDF or a TIFF image and not a ZIP file. OCR is not built-in to these copiers so sending a DOC file would not be available from these devices. This should be a knoen fact for the article above. As always be careful with any attachement.

    • sophisticat · 1505 days ago

      Ours can send JPG as well. Our office policy is to scan the document to your own pc and then mail it onto clients from there then at least the client knows who they're receiving from.

      • Rod · 1501 days ago

        The fundamental fact is that the WorkCentre product line can only scan files to .PDF, ,TIF and .JPG formats. Self-executable files are the sort to carry infections of which all the above have spoken. Also realize, these devices include the technology for the user to identify themselves as the sender. While this was designed to enable the person receiving the scanned document to use the function of their emails "Reply" button to contact the sender, it also affords a bit of confidence that you know the sender. This is the sort of security and user-friendly features built into the Xerox MFP product line (as standard equipment), unlike anyone else's product. Ask any Xerox AOS for the details.

  4. Kevin · 1035 days ago

    I try to report all phishing attempts to the claimed originator who usually seem to appreciate so. I hope the information will permit action to stop. Does anyone know relevant email address for Zerox?


  5. JAS · 568 days ago

    I received this email and it was sent to the email address that was created only for So, how would this email address have landed in the hands of the people responsible for this scam? Security issue or is Logmein sharing our email addresses?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley