Trend Micro threat analysts found spammed messages that pretend to be a letter coming from the “boss”. It bears the subject “get back to my office for more details” and instructs users to read the attached ZIP file, which contains a letter. The ZIP attachment is, of course, not a letter but an .EXE file (info.exe) detected by Trend Micro as TROJ_CUTWAIL.GT.
 |
 |
Upon execution, TROJ_CUTWAIL.GT creates registry entries to automatically execute at every system startup. It also drops a Trojan dropper detected as TROJ_DROPR.ST. Cutwail is known as the ’spam engine’ of the notorious botnet, PUSHDO, which spammed around 7.7 billion spam a day last Q2.
For the past few days or so, Trend Micro has reported about various spam that used malicious attachments (ZIP or RAR) to hide the malware. This suggests that old tactics never die and continue to be an effective way of infecting users. We blogged about it in the following posts:
- Spoofed Contract Carries Malware
- Fake Facebook Password Notification Leads to Malware
- FAKEAV Uses Conficker Worm as Bait
Users are advised to be wary in opening any attached file even if it comes from a person with authority or ‘boss’. Trend Micro users are protected via its Trend Micro Smart Protection Network that detects TROJ_CUTWAIL.GT and blocks the spammed email message. Non-Trend Micro products users can use free tools like HouseCall to stay secure from this attack.
Post from: TrendLabs | Malware Blog - by Trend Micro
Malware Conceals Itself as Boss’s Letter
