Cisco Security Intelligence Operations has detected significant activity related to Italian-language spam e-mail messages that claim to contain an online profile query for the recipient. The text in the e-mail message instructs the recipient to follow a link to view the details. However, the link directs the user to a malicious .exe file that, when executed, attempts to infect the system with malicious code.
E-mail messages that are related to this threat (RuleID3689 and RuleID3689KVR) may contain the following files:
The Documento.Doc_____.exe file in the Documento.zip attachment has a file size of 179,256 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x8568EF657D13953D9BFD07E00F2E95F5
The Fattura.Doc_____.exe file in the Fattura.zip attachment has a file size of 190,184 bytes. The MD5 checksum is the following string: 0x1FBF6F5D3B8F113A2C9841F64709652D
The Fattura.Pdf_____.exe file in the Fattura.zip attachment has a file size of 313,856 bytes. The MD5 checksum is the following string: 0xF9715DF4A84C55791E2A6A4787AB0EA7
A variant of the Fattura.Pdf_____.exe file in the Fattura.zip attachment has a file size of 397,792 bytes. The MD5 checksum is the following string: 0xAB4B9EF07EFA8A066C4AA35753E52C92
A third variant of the Fattura.Pdf_____.exe file in the Fattura.zip attachment has a file size of 385,504 bytes. The MD5 checksum is the following string: 0xAF6049754D8A3C1764F5DA9237CB6165
The following text is a sample of the e-mail message that is associated with this threat outbreak:
La risposta alla tua domanda riguardo al profilo sul sito 20.09.2011.
Ci auguriamo di poter collaborare in futuro.
Tel./Fax.: +39 (39) 253 44 39
Subject: [MODIFIED FOR PROTECTION] CP Reported as Junk
Mi permetto di informarvi che il biglietto dovrebbe essere pagato per scrivere e a 2012/02/10 alle 17.00!
E possibile controllare lo stato attuale della vostra prenotazione in qualsiasi momento in linea hxxp://www.hmun.nl/Documento/Fattura.zip?InfoAccfirstname.lastname@example.org
ATTENZIONE! La data di pagamento e la data di trasferimento dei fondi a causa della nostra azienda.
WARNING: Your email security system has determined the message below may be a potential threat.
It may pose as a legitimate company, tricking victims into revealing personal information.
If you do not know the sender or cannot verify the integrity of the message, please do not respond or click on links in the message. Depending on the security settings, clickable URLs may have been modified to provide additional security.
Subject: Ordine N 5122509
La risposta alla vostra
domanda di un profilo
sul nostro sito web!
Ordina le statistiche puo essere vista qui
Cisco Security Intelligence Operations analysts examine real-world e-mail traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global e-mail security threats and trends. Cisco will continue to monitor this threat and automatically adapt IronPort systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.
Cisco IronPort Virus Outbreak Filters protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. E-mail that is managed by Cisco and end users who are protected by Cisco IronPort web security appliances will not be impacted by these attacks. Cisco IronPort appliances are automatically updated to prevent both spam e-mail and hostile web URLs from being passed to the end user.
Cisco Security Intelligence Operations
Cisco Threat Operations Center
Cisco SenderBase Security Network