Threat Outbreak Alert: Malicious Personal Photograph Attachment E-mail Messages on March 6, 2013
Threat Type: IntelliShield: Threat Outbreak Alert
IntelliShield ID: 23715
Version: 15
First Published: 2011 July 22 15:37 GMT
Last Published: 2013 March 07 16:56 GMT
Port: Not Available
Urgency: Possible Use
Credibility: Confirmed
Severity: Harassment
Version Summary: Cisco Security Intelligence Operations has detected significant activity on March 6, 2013.
Description
Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that claim to contain a personal photograph for the recipient. The text in the e-mail message attempts to convince the recipient to open the attachment and view the photograph. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.
E-mail messages that are related to this threat (RuleID3541 and RuleID3541KVR) may contain the following files:
The DC85296.exe file in the DC85296.zip has a file size of 214,016 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x77CF6FF7F548E68D13D14FBB2A0E8C5C
The DC03692.exe file in the DC03692.zip has a file size of 249,856 bytes. The MD5 checksum is the following string: 0x571660D3184C7AE03FE3292438567854
The DC59854.exe file in the DC59854.zip attachment has a file size of 229,888 bytes. The MD5 checksum is the following string: 0xDE18B2452E32A3079C98DE2F24119675
The DC2653.exe file in the DC2653.zip has a file size of 305,680 bytes. The MD5 checksum is the following string: 0xF761B35F79F94DD037958D6586C1DF85
The DC77162.exe file in the DC77162.zip has a file size of 455,544 bytes. The MD5 checksum is the following string: 0xAF2D6CBCF8D132A192CB8FCABA5458A9
The DC7992.exe file in the DC7992.zip has a file size of 313,160 bytes. The MD5 checksum is the following string: 0x8A71EE2D76C678B1DC9FA8D20CC14571
The DC74566.exe file in the DC74566.zip attachment has a file size of 300,872 bytes. The MD5 checksum is the following string: 0xF33C44FA6598A97C471DD92440E22B2C
The DC5451.exe file in the DC5451.zip has a file size of 304,968 bytes. The MD5 checksum is the following string: 0xFD6DEDFB1D021BDC7A3D14684DEFAB01
The DC4182.exe file in the DC4182.zip attachment has a file size of 261,640 bytes. The MD5 checksum is the following string: 0xF1D25BDB125F33B4475CDCCAA1CB5E77
The DC3471.exe file in the DC3471.zip attachment has a file size of 310,792 bytes. The MD5 checksum is the following string: 0xEB3C4C5B8A76CC2E4831285C60F55881
The dc78299.exe file in the dc78299.zip attachment has a file size of 319,640 bytes. The MD5 checksum is the following string: 0xB28F642F137CD1392764647379EBC57B
The DC4411.exe file in the DC4411.zip attachment has a file size of 211,544 bytes. The MD5 checksum is the following string: 0x630378E97CB2BDD826993BA5F01B1435
The dc716.exe file in the dc716.zip attachment has a file size of 322,128 bytes. The MD5 checksum is the following string: 0x4435C60364D2A5DCA41E91BAA2B7E03B
The dc182.exe file in the dc182.zip attachment has a file size of 463,360 bytes. The MD5 checksum is the following string: 0x929C2CD22E86C5FB779D14E0AA6356BE
The dc6565.exe file in the dc6565.zip attachment has a file size of 477,776 bytes. The MD5 checksum is the following string: 0x066EE569160463BAFCC3CE482417A24F
The following text is a sample of the e-mail message that is associated with this threat outbreak:
Message Body:
WARNING!!! (from mailrelay31.libero.it)
The following message attachments were flagged by the antivirus scanner:
Attachment [2.2] DC85296.zip, scan failed: File encrypted. Action taken: incomplete scan
Hello Man,
I don't know how to say it, but I've tryed before a long time to send you some photos, but I've thought that you aren't interested to see me.
But now I'm going to send you the Photos in the Attachment.
Download the pictures and extract they, I'm sure that you will like they. The password is: 123456
Have a great day.
Or
Subject: FW: facebook
Message Body:
Hello a.keizer@minlnv.nl
I don't know how to say it, but I have tried for a long time to send you some photos, but I thought that you are not interested in seeing me.
But now I'm going to send you the photos in the attachment.
Download the photos and extract them, I am sure that you will like them. The password is: 123456
Have a great day.
This message may contain information that is not intended for you. If you
are not the addressee or if this message was sent to you by mistake, you
are requested to inform the sender and delete the message.
The State accepts no liability for damage of any kind resulting from the
risks inherent in the electronic transmission of messages.
Or
Subject: FW: facebook
Message Body:
Kind regards,
L.R. Bruggers
Area Development Officer, Nature team
(my e-mail address has changed to l.r.bruggers@dlg.nl)
.......................................................................................
Dienst Landelijk Gebied, North region
Ministerie van Economische Zaken, Landbouw en Innovatie
Trompsingel 1 | 9724 CZ | Groningen
Postbus 30027 | 9700 RM | Groningen
.......................................................................................
T 06-52401193
F 050-3178585
l.r.bruggers@dlg.nl
http://www.dienstlandelijkgebied.nl
.......................................................................................
Dienst Landelijk Gebied is working today on the landscape of tomorrow
.......................................................................................
Absent on Fridays
Or
Subject: facebook
Message Body:
Hello Man, cferro@geico.com
I don't know how to say it, but I have not tried for a long time to send you some photos, but I thought that you are not interested in seeing me.
But now I'm going to send you the photos in the attachment.
Download the photos and extract them, I am sure that you will like them. The password is: 123456
Have a great day.
Or
Subject: Hello Man
Message Body:
Hello Man,
I don't know how to say it, but I've tryed before a long time to send you some photos, but I've thought that you aren't interested to see me.
But now I'm going to send you the Photos in the Attachment.
Download the pictures and extract they, I'm sure that you will like they. The password is: 123456
Have a great day.
Or
Subject: hello
Message Body:
Hello Man,
I don't know how to say it, but I've tryed before a long time to send you some photos, but I've thought that you aren't interested to see me.
But now I'm going to send you the Photos in the Attachment.
Download the pictures and extract they, I'm sure that you will like they. The password is: 123456
Have a great day.
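As an added example (not Cisco's code and not the RuleID referenced above), a gateway-side triage check for this lure: it reads only the zip central directory without extracting anything, flags the encrypted bit (the reason the scanner in the first sample reported "File encrypted") and executable entries, and looks for the extraction password disclosed in the body in the English, Dutch and French wording of the samples. The archive-building helper and the message bodies used to exercise it are constructed for this example.

```python
# Added example, not Cisco's code: triage the lure in this alert, a
# password-protected .zip holding an .exe, with the password in the body.
import io
import os
import re
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# English, Dutch and French wording as seen in the sample messages above.
PASSWORD_HINT = re.compile(
    r"(?:password|wachtwoord|mot de passe)\s+(?:is|est)\s*:?\s*(\S+)", re.I)

def inspect_zip(data):
    """Findings for a zip given as bytes. Only the central directory is read
    and nothing is extracted, so an encrypted archive (which the gateway in
    the sample could not scan) can still be inspected safely."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip"]
    findings = []
    for info in zf.infolist():
        if info.flag_bits & 0x1:  # general-purpose flag bit 0: encrypted
            findings.append(f"encrypted entry: {info.filename}")
        if os.path.splitext(info.filename)[1].lower() in EXECUTABLE_EXTS:
            findings.append(f"executable entry: {info.filename}")
    return findings

def triage(body, attachment):
    """Attachment findings plus a disclosed extraction password, if any."""
    findings = inspect_zip(attachment)
    m = PASSWORD_HINT.search(body)
    if m:
        findings.append(f"password disclosed in body: {m.group(1)}")
    return findings

def build_sample(name, encrypted):
    """Constructed test archive: one stored entry of harmless filler. The
    stdlib cannot write encrypted zips, so the flag bit is patched in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"harmless filler, not a real executable")
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[raw.find(b"PK\x03\x04") + 6] |= 1  # local file header flags
        raw[raw.find(b"PK\x01\x02") + 8] |= 1  # central directory flags
    return bytes(raw)
```

A message that scores on all three findings (encrypted archive, executable inside, password in the body) matches the pattern of this outbreak and can be quarantined rather than passed through with an "incomplete scan" verdict.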
Cisco Security Intelligence Operations analysts examine real-world e-mail traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global e-mail security threats and trends. Cisco will continue to monitor this threat and automatically adapt systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.
Cisco users who are protected by Cisco web security appliances will not be impacted by these attacks. Cisco appliances are automatically updated to prevent both spam e-mail and hostile web URLs from being passed to the end user.
The security vulnerability applies to the following combinations of products.
Primary Products: IntelliShield, Threat Outbreak Alert, Original Release Base
Associated Products: N/A
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment. Cisco is pleased to offer a free trial of the service.
To register for full access, please visit the IntelliShield trial registration page.
LEGAL DISCLAIMER: The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.