Beware Changelog spammed-out malware attack

Filed Under: Featured, Malware, Spam

Internet users are receiving emails claiming to contain a changelog - but the files attached are really designed to infect computers.

Here's what a typical email looks like, although the precise wording can vary.

Malware attack

Subject: Re: Your Changelog

Message body:
Good day,
as promised chnglog attached (Open with Internet Explorer)

The subject lines and attachment names can also be different from email to email - here's a small selection.

Malware attack

What's important is that you don't click on the attached .HTM file.

If you do, your browser will try to run the malicious script contained within.

Malware attack

You will see a message saying:

You are redirecting
Loading... Wait please...

But there's more to this file than meets the naked eye. If you examine the file's code you can see the script it is running in the background:

Malware attack

Sophos detects the malicious attachment as Mal/Iframe-W and further malware it attempts to execute via third party websites as Troj/PDFEx-ET and Mal/ExpJS-AA.

Mal/Iframe-W is no stranger to us at SophosLabs, for months we have encountered it regularly on compromised websites,. This latest attack, however, appears to be evidence that the same scripts are also being used in spam redirects.

Remember to keep your anti-virus protection up-to-date and your wits about you. Unsolicited emails inviting you to open an unknown attachment are commonly used by internet criminals to trick you into running malicious code on your computer.


You might like

2 Responses to Beware Changelog spammed-out malware attack

  1. guest · 1324 days ago

    I really would have liked to see more detail on this article as I would have then posted it for my fellow workers on our intranet sites to read and to warn them of this. I am a Security Analyst at work and try to keep up on all the latest malicious attacks and I found this article to be lacking on information about the attack.

    • What extra information would have been useful for your fellow workers to help them protect against the attack?

      The subject lines / attached filenames / message bodies do vary, so it's not practical for us to list them all. But hopefully we've given you a flavour of what to look out for.

      But most importantly, up-to-date installations of Sophos's anti-malware and anti-spam solutions intercept and protect against the attack. The risk is going to be mainly for users who receive these, are duped by the social engineering into clicking, and who are not running a security product which can identify the threat.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley