Threat Outbreak Alert: Fake Scanned Document E-mail Messages on March 13, 2013
Threat Type: IntelliShield: Threat Outbreak Alert
IntelliShield ID: 21429
Version: 36
First Published: 2010 September 30 15:29 GMT
Last Published: 2013 March 14 18:21 GMT
Port: Not Available
Urgency: Possible Use
Credibility: Confirmed
Severity: Mild Damage
Version Summary: Cisco Security Intelligence Operations has detected significant activity on March 13, 2013.
Description
Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that claim to contain a scanned document. The text in the e-mail message instructs the recipient to open a .zip attachment to view the document. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.
E-mail messages that are related to this threat (RuleID3005, RuleID3147, RuleID2970KVR, RuleID2970KVR_1, RuleID2970_2KVR, RuleID4217, RuleID4311, and RuleID2970KVR_3) may contain any of the following files:
The Xerox_Scan_N0032-42344250.doc.exe file has a file size of 65,536 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x22B2CF601D83F7E92F46A4D68C880FB5
The Scanned_Document.doc.exe file has a file size of 41,472 bytes. The MD5 checksum is the following string: 0x0D1448F3F8990272E4D558A3CA6C1CC3
The Scanned_Document.DOC.exe file has a file size of 43,008 bytes. The MD5 checksum is the following string: 0xEB7753949819409A8B13D650FC473B53
The Firma_Info_1110.Pdf____.exe file has a file size of 147,456 bytes. The MD5 checksum is the following string: 0xDAF9245C1BE609A72B0E5BF15AC75595
The Doc16.12.2010Scanned.DOC_____.exe file has a file size of 151,040 bytes. The MD5 checksum is the following string: 0x651EA5E4161178D3DD75D3F77176AA3C
The Empressa.Pdf_____.exe file in the Empressa.zip attachment has a file size of 155,136 bytes. The MD5 checksum is the following string: 0x1C14C9425D4F7E4A8EBB65DBB9F37FA6
The Fotodc002.Jpg _____.exe file in the Fotodc002.zip attachment has a file size of 129,536 bytes. The MD5 checksum is the following string: 0x3E2E86ECED0FCB0E6AB618BB5447988C
The Foto.Jpg_____.exe file in the Foto.zip attachment has a file size of 182,784 bytes. The MD5 checksum is the following string: 0x70D455EF2A7CA65486E96D7A33A33AD3
The Changelog_29.03.2011____.DOC____.exe file in the Changelog_29.03.2011.zip attachment has a file size of 23,552 bytes. The MD5 checksum is the following string: 0xAADD19F30F37EB44A101C8AD20956F36
The EX-38463.pdf.exe file in the EX-38463.pdf.zip attachment has a file size of 14,848 bytes. The MD5 checksum is the following string: 0x5085794E6C283EBCFA3878805B9E7BE7
The DSC_903_06_2011_.JPG.scr file in the FTOSDOCEL.zip attachment has a file size of 181,030 bytes. The MD5 checksum is the following string: 0xD2C3C3393E74E0E9950B3D953B07F152
The DSC_902_06_2011_.JPG.scr file in the FTOSDOCEL.zip attachment has a file size of 113,446 bytes. The MD5 checksum is the following string: 0xC17F2567086C9FD241F44648E62FBAC8
The DSC_901_06_2011_.JPG.scr file in the FTOSDOCEL.zip attachment has a file size of 113,446 bytes. The MD5 checksum is the following string: 0x0BA5D64159CC8195667310E1899D3E91
The tipos-de-xana.pps.exe file in the tipos-de-xana.pps.zip attachment has a file size of 409,424 bytes. The MD5 checksum is the following string: 0xDA14C6DCBBB157D489C15882EF060681
The Tipos_De_Xana.pps.exe file in the Tipos_De_Xana.pps.zip attachment has a file size of 334,672 bytes. The MD5 checksum is the following string: 0x8E8F5115BD08C93D44B432FF6E38C77F
The invoce_NR71895776627118773.doc_____.exe file in the gRr472410.zip attachment has a file size of 55,296 bytes. The MD5 checksum is the following string: 0x9D1D693CFC835882CC52370BF73EC0DB
The report_082011-65.pdf.exe file in the report_082011-65.pdf.zip attachment has an approximate file size of 1,862,656 bytes. The MD5 checksum is unknown.
The HP_Officejet_Z893-994_SCAN.doc.exe file in the HP_Document_09.13_eZ8198.zip attachment has an approximate file size of 42,332 bytes. The MD5 checksum is the following string: 0x841CDC8BFA5002722F8120CB08A9A986
The report_092011-78.pdf.exe file in the report_092011-78.pdf.zip attachment has an approximate file size of 36,864 bytes. The MD5 checksum is the following string: 0x4E1B90B683AFBA01089F87AB302BCFF9
The HP_Officejet_Z8093-994_SCAN.doc.exe file in the HP_Scan_09.13_XZ4095.zip attachment has an approximate file size of 39,997 bytes.
The Flatologia.pps.exe file in the Flatologia.pps.zip attachment has a file size of 176,115 bytes. The MD5 checksum is the following string: 0xF3BC3E9CCB19060A0141946C0827E42B
The Business Meeting notes Jan 2012.pdf.exe file in the Business_Meeting_Notes_January-2012_O415.zip attachment has a file size of 199,680 bytes. The MD5 checksum is the following string: 0x0A6EBEE8EA9D94C05BCEDAEE37AE990C
The report.pdf.exe file has a file size of 195,072 bytes. The MD5 checksum is the following string: 0x5B9CDA82CF2CB14B9FE991248F97213B
The Tipos_De_Peido.pps.exe file in the Tipos_De_Peido.pps.zip attachment has a file size of 303,604 bytes. The MD5 checksum is the following string: 0x9C5C7662964EB0AF9476BE6D03FBE3DD
The dieta do seo.html.exe file in the dieta do seo.html.zip attachment has a file size of 438,916 bytes. The MD5 checksum is the following string: 0x2145952EC1A75542B2F176530A6D869C
The Fire Safety Guidance.pdf.exe file in the Fire Safety Guidance.pdf.zip attachment has a file size of 28,672 bytes. The MD5 checksum is the following string: 0x762050CA0351195D7665700EDEF505E2
A variant of the Fire Safety Guidance.pdf.exe file in the Fire Safety Guidance.pdf.zip attachment has a file size of 29,184 bytes. The MD5 checksum is the following string: 0xC3B3D6BFEA1205108954863206C34440
A third variant of the Fire Safety Guidance.pdf.exe file in the Fire Safety Guidance.pdf.zip attachment has a file size of 28,672 bytes. The MD5 checksum is the following string: 0x76D1E2A4FBC47EDE2996895398F58CF7
A fourth variant of the Fire Safety Guidance.pdf.exe file in the Fire Safety Guidance.pdf.zip attachment has a file size of 28,160 bytes. The MD5 checksum is the following string: 0xC786163F2612D6D95625D44513BF803B
The HP_Doc_06.04-96701.htm file size is unknown. The MD5 checksum is the following string: 02ce72bfbefe5ba8866d4e87bb9435fd
The Hewlett-Packard_NetJet_XP888354-SCAN.exe file in the Scan.zip attachment has a file size of 92,160 bytes. The MD5 checksum is the following string: 0x5D6EFB51B9C0F5D3E4073B6BD5A717AD
The RapidFAX_id_000032487263443568072038473204757304170475909 63982374102837504356891735-4635032459875086814-56389562349.pdf.exe file in the rapidfax-6CDA0992C3.zip attachment has a file size of 116,224 bytes. The MD5 checksum is the following string: 0x945D8899698AA4113CAF56AF9C510A5E
The Contract39872.pdf.exe file in the Contract39872.zip attachment has a file size of 115,712 bytes. The MD5 checksum is the following string: 0xB47A855962DE2C00B1B517A72799195F
The Contract09832.pdf.exe file in the Contract09832.zip attachment has a file size of 115,712 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x45199CF1DD12B02B10B8D1A574D5AE2A
The RapidFAX.pdf.exe file in the rapidfax-8683028719.zip attachment has an approximate file size of 104,673 bytes. The MD5 checksum is not available.
The RapidFAX_MCID.pdf.exe file in the rapidfax-E8800549C2.zip attachment has a file size of 117,248 bytes. The MD5 checksum is the following string: 0xF15563DAF174CB636A8BE50DEA8B3B
The Changes 2013.pdf.exe file in the Changes 2013.zip attachment has a file size of 147,456 bytes. The MD5 checksum is the following string: 0xD22F8CD72E0608DE24711F3AC5497997
The Employment 2013.pdf.exe file in the Employment 2013.zip attachment has a file size of 147,456 bytes. The MD5 checksum is the following string: 0x7523C051170DC4AA8064D84E312FB5ED
The EmploymentChanges.pdf.exe file in the EmploymentChanges.zip attachment has a file size of 116,736 bytes. The MD5 checksum is the following string: 0xFEF81AEBD7B7B6F8858EDCB07AA89276
The 12-07-2012-02.PDF.exe file in the 12-07-2012-02.zip attachment has a file size of 135,168 bytes. The MD5 checksum is the following string: 0x731DBDDE9AAE996FA783942B12847FB1
The eFax.inbound.pdf.exe file in the FAX_20122212_1331130437_0.PDF.zip attachment has a file size of 111,104 bytes. The MD5 checksum is the following string: 0x66924E60B090B0B1B990DCDC03D921CE
A variant of eFax.inbound.pdf.exe file in the FAX_20122412_5457726331_8.zip attachment has a file size of 111,104 bytes. The MD5 checksum is the following string: 0x503A5EBF1A2F3A57384DF48D18CD16C1
The BlackBerryID instructions.pdf.exe file size in the BlackBerryID instructions.zip attachment is unavailable. The MD5 checksum is the following string: 0x7aae153d8ad471396f08185cafa21455
The Xerox658940436722.pdf.exe file in the Xerox0598331966.zip attachment has a file size of 58,215 bytes. The MD5 checksum is the following string: 0x54569BDF48B6ABD2E19B79B27DBF5E63
The Contract_AllenkINC.doc.exe file in the Contract_A0914.zip attachment has a file size of 106,496 bytes. The MD5 checksum is the following string: 0x0BB43A92A9AB85C68E42FAE201EF5267
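As an added defensive example (not Cisco's code), the following Python inspects a raw e-mail for .zip attachments whose members follow the lure pattern described above (a document-looking name ending in an executable extension) and compares each member's MD5 against a small blocklist taken from the alert. The sample message and its attachment contents are constructed placeholders, not real samples.

```python
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Final extensions Windows will run; the lures above hide one behind a document extension (.doc.exe, .JPG.scr).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
DOCUMENT_EXTS = {"doc", "docx", "pdf", "jpg", "jpeg", "htm", "html", "pps", "ppt", "xls"}

KNOWN_BAD_MD5 = {  # a few MD5 values quoted in the alert, lowercase hex without the 0x prefix
    "0d1448f3f8990272e4d558a3ca6c1cc3",  # Scanned_Document.doc.exe
    "4e1b90b683afba01089f87ab302bcff9",  # report_092011-78.pdf.exe
    "5d6efb51b9c0f5d3e4073b6bd5a717ad",  # Hewlett-Packard_NetJet_XP888354-SCAN.exe
}

def is_double_extension_lure(name):
    """True for Scanned_Document.doc.exe or Firma_Info_1110.Pdf____.exe (padding underscores/spaces ignored)."""
    parts = name.lower().split(".")
    if len(parts) < 3:
        return False
    inner, outer = parts[-2].strip("_ "), parts[-1]
    return outer in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS

def scan_email(raw_bytes, known_bad=KNOWN_BAD_MD5):
    """Return one finding per suspicious member of every .zip attachment in a raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if not payload or not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > 50_000_000:  # skip directories and archive-bomb sized members
                    continue
                digest = hashlib.md5(zf.read(info)).hexdigest()
                reasons = []
                if info.filename.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXTS:
                    reasons.append("executable inside archive")
                if is_double_extension_lure(info.filename):
                    reasons.append("double-extension lure")
                if digest in known_bad:
                    reasons.append("md5 on blocklist")
                if reasons:
                    findings.append({"attachment": part.get_filename(), "member": info.filename, "md5": digest, "reasons": reasons})
    return findings

def build_sample_email():
    """Constructed message modelled on the Xerox lure; the member is plain text, not an executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Scanned_Document.doc.exe", b"constructed placeholder, not an executable")
    msg = EmailMessage()
    msg["Subject"] = "Scan from a Xerox WorkCentre P5014497"
    msg.set_content("Please open the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Scanned_Document.zip")
    return msg.as_bytes()
```

Running `scan_email(build_sample_email())` reports the .doc.exe member as an executable and a double-extension lure; the hash check only fires for members whose MD5 is on the blocklist.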
The following text is a sample of the e-mail message that is associated with this threat outbreak:
Subject: Scan from a Xerox WorkCentre P5014497
Message Body:
Good afternoon,
Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.
Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]
WorkCentre Pro Location: machine location not set Device Name: XRX2090AA7ACDB45466972.
Or
Subject: Re: Empresa Consulta.
Message Body:
Good morning.
The reply to your inquiry about a profile on our web page as of 17.02.2011.
Statistics are included in the file; it will be a pleasure to collaborate in the future.
ID: RFUYZaBFL
--=20
Best regards,
Empresa Consulta INC.
Or
Subject: The ACH transaction (ID:39410329 ) was canceled
Message Body:
ACH Payment Canceled
The ACH transaction (ID:39410329 ),
recently initiated from your checking account (by you or any other person),
was canceled by the other financial institution.
Rejected transaction
Transaction ID: 39410329
Reason for rejection: See details in the attachment
Transaction Report: report_092011-78.pdf.exe (self-extracting archive, Adobe PDF)
13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703)561-1100 2011 NACHA - The Electronic Payment Association
Or
Subject: dieta do seo, did you already know this one?
Message Body:
seo is good, losing weight too, the two together is wonderful
Or
Subject: Fw: Materials for a scheduled Public Safety event [Fraud?]
Message Body:
Dear Colleagues
It might be useful for you to know that we are taking part in a joint event
with Fire and Counter Terrorism Safety including three written tests on
Wednesday.
Last year three in ten employees surveyed could not pass the Fire Safety
test.
Each of you will find enclosed a Fire Instruction Notices and your role
description. Please study the enclosed materials before April, 18.
Kind regards,
Jamar Reister
Department of Human Resources
Or
Subject: FW:Enclosed Tutoring Materials
Message Body:
Dear Associates
It might be useful for you to know that we are having a joint event with Fire and Counter
Terroirsm Safety inlcuding four written tests on Tuesday.
Last month two in ten emplyoees surevyed could not pass the Fire Safety test.
Each of you will find enclosed a Fire Safety Policy
and your role descrpition. Please study the enclosed materials before April.
Or
Subject: Scan from a Hewlett-Packard ScanJet #621954
Message Body:
Attached document was scanned and sent
to you using a Hewlett-Packard HP Officejet 4430P.
Sent by: CLARENCE
Images : 9
Attachment Type: .HTM [INTERNET EXPLORER]
Hewlett-Packard Officejet Location: machine location not set
Device: ODS899LA5DS9286177
DocuSign Logo
Please review & sign your document
Sent on behalf of DocuSign Customer Service at DocuSign, Inc.
All parties have completed the envelope 'Please DocuSign this document:
Contract08252.pdf'.
To view or print the document download the attachment .
(self-extracting archive, Adobe PDF)
LEARN MORE: New Features | Tips & Tricks | Video Tutorials
DocuSign. The fastest way to get a signature.
If you have questions regarding this notification or any enclosed documents
requiring your signature, please contact the sender directly. For technical
assistance with the signing process, you can email support.
This message was sent to you by Yvonne McFadden who is using the DocuSign
Electronic Signature Service. If you would rather not receive email from
this sender you may contact the sender with your request.
Or
Subject: Please review & sign your document
Message Body:
DocuSign Logo
Please review & sign your document
Sent on behalf of DocuSign Customer Service at DocuSign, Inc.
All parties have completed the envelope 'Please DocuSign this document: Contract59479.pdf'.
To view or print the document download the attachment .
(self-extracting archive, Adobe PDF)
LEARN MORE: New Features | Tips & Tricks | Video Tutorials
DocuSign. The fastest way to get a signature.
If you have questions regarding this notification or any enclosed documents requiring your signature, please contact the sender directly. For technical assistance with the signing process, you can email support.
This message was sent to you by Yvonne McFadden who is using the DocuSign Electronic Signature Service. If you would rather not receive email from this sender you may contact the sender with your request.
Or
Subject: Confidential - to ALL Employees
Message Body:
DocuSign Logo
Your document has been completed
Sent on behalf of administrator@ankauf.freihaendler.de.
All parties have completed the envelope 'Please DocuSign this document: Important Changes 2013.pdf'.
To view or print the document download the attachment .
(self-extracting archive, Adobe PDF)
This document contains information confidential and proprietary to ankauf.freihaendler.de
LEARN MORE: New Features | Tips & Tricks | Video Tutorials
DocuSign. The fastest way to get a signature.
If you have questions regarding this notification or any enclosed documents requiring your signature, please contact the sender directly. For technical assistance with the signing process, you can email support.
This message was sent to you by administrator@ankauf.freihaendler.de who is using the DocuSign Electronic Signature Service. If you would rather not receive email from this sender you may contact the sender with your request.
Or
Subject: Confidential - to ALL Employees
Message Body:
DocuSign Logo
Your document has been completed
Sent on behalf of administrator@preci-spark.uk.com.
All parties have completed the envelope 'Please DocuSign this document: Employment 2013.pdf'.
To view or print the document download the attachment .
(self-extracting archive, Adobe PDF)
This document contains information confidential and proprietary to preci-spark.uk.com
LEARN MORE: New Features | Tips & Tricks | Video Tutorials
DocuSign. The fastest way to get a signature..
If you have questions regarding this notification or any enclosed documents requiring your signature, please contact the sender directly. For technical assistance with the signing process, you can email support.
This message was sent to you by administrator@preci-spark.uk.com who is using the DocuSign Electronic Signature Service. If you would rather not receive email from this sender you may contact the sender with your request.
Or
Subject: Confidential - to ALL Employees
Message Body:
DocuSign Logo
Your document has been completed
Sent on behalf of administrator@miffcrffodf.com.
All parties have completed the envelope 'Please DocuSign this document:
Employment Changes 2013.pdf'.
To view or print the document download the attachment .
(self-extracting archive, Adobe PDF)
This document contains information confidential and proprietary to
miffcrffodf.com
LEARN MORE: New Features | Tips & Tricks | Video Tutorials
Or
Subject: Scan from a Xerox WorkCentre
Message Body:
Hello,
Please download the document. It was scanned and sent to you using a Xerox multifunction device.
Sent by: "Kareem Milton"
Number of attachments: 1 Attachment
File Type: pdf
Multifunction device Location: Machine location not set
Device Name: Xerox0869
For more information on Xerox products and solutions, please visit http://www.xerox.com
Or
Subject: Your BlackBerry ID has been created
Message Body:
Your BlackBerry ID has been created
Hello,
You've created a BlackBerry ID!
To enjoy the full benefits of your BlackBerry ID, please follow the instructions in the attached file
BlackBerry ID is your universal BlackBerry key. Here's what it offers:
One sign in for all BlackBerry applications, services, and websites.
Automatic transfer of some email accounts and services when you switch smartphones.
Full access to all features in BlackBerry App World™ storefront.
Protection of financial transactions using BlackBerry services.
You can learn more about BlackBerry ID by visiting https://blackberryid.blackberry.com/
The BlackBerry Team
This email has been automatically generated. Please do not reply to this email.
If you have not previously indicated that you wish to receive emails from Research In Motion Limited and/or its affiliated companies regarding exclusive offers and updates about BlackBerry products and services and you would like to do so, please click here.
Research In Motion Limited, 295 Phillip St., Waterloo, Ontario, Canada, N2L 3W8
2012 Research In Motion Limited. All rights reserved. BlackBerry, RIM, Research In Motion and related trademarks, names and logos are the property of Research In Motion Limited and are registered and/or used in the U.S. and countries around the world.
The malware associated with this threat outbreak belongs to the Trojan.Sasfis family. This trojan could modify the system registry and download and install additional malware on the system by communicating with arbitrary hosts on the Internet.
Cisco Security Intelligence Operations analysts examine real-world e-mail traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global e-mail security threats and trends. Cisco will continue to monitor this threat and automatically adapt systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.
Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. E-mail that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam e-mail and hostile web URLs from being passed to the end user.
The security vulnerability applies to the following combinations of products.
Primary Products: IntelliShield Threat Outbreak Alert, Original Release Base
Associated Products: N/A
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment. Cisco is pleased to offer a free trial of the service.
To register for full access, please visit the IntelliShield trial registration page.
LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.