Threat Outbreak Alert: Fake Personal Photos E-mail Messages on July 21, 2012

Threat Type: IntelliShield: Threat Outbreak Alert
IntelliShield ID: 25258
Version: 28
First Published: 2012 February 24 21:11 GMT
Last Published: 2012 July 23 17:15 GMT
Port: Not Available
Urgency: Possible Use
Credibility: Confirmed
Severity: Mild Damage

Version Summary: Cisco Security Intelligence Operations has detected significant activity on July 21, 2012.

Description

Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that claim to contain personal photos. The text in the e-mail message attempts to convince the recipient to open an attachment to view the photos. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.

E-mail messages that are related to this threat (RuleID3961 and RuleID3961KVR) may contain any of the following files:

Photos.zip
IMG958.exe
IMG8493.exe
IMG839.exe
IMG04958.exe
Photo.zip
IMG02745.exe
IMG00687.exe
IMG94857.exe
IMG04762.exe
IMG9385.exe
IMG0457.exe
IMG0496.zip
IMG0496.exe
IMG0591.exe
EPS0948.exe
Photo.exe
IMG8495.exe
IMG0893.zip
IMG0893.exe
IMG9807.zip
IMG9807.exe
IMG9821.zip
IMG9821.exe
IMG7652.zip
IMG7652.exe
EPS00872.zip
EPS00872.exe
IMG9403.zip
IMG9403.exe
IMG9847.zip
IMG9847.exe
IMG0962.zip
IMG8927.exe
IMG0395.zip
IMG0395.exe
Photos.exe
IMG4898.exe
KVREPS0049.zip
EPS0049.exe
IMG93857.exe
EPS09678.zip
EPS09678.exe
IMG3619.exe
IMG93038.zip
IMG93038.exe
CAN03489.exe
EPS00364585.exe
sample.zip
ok1.exe

The IMG958.exe file in the Photos.zip attachment has a file size of 36,352 bytes.  The MD5 checksum, which is a unique identifier of the executable, is the following string: 0xE64EE2AD5901EC4E49C44099BA5C9A54

The IMG8493.exe file in the Photos.zip attachment has a file size of 41,472 bytes. The MD5 checksum is the following string: 0x21521C77EEEF1197BA86E65204EFCA63

The IMG839.exe file in the Photos.zip attachment has a file size of 41,984 bytes.  The MD5 checksum is the following string: 0x8A5DC48813D5B490785A6CC7A8C5FCF8

The IMG04958.exe file in the Photo.zip attachment has a file size of 36,352 bytes.  The MD5 checksum is the following string: 0x21521C77EEEF1197BA86E65204EFCA63

The IMG02745.exe file in the Photo.zip attachment has a file size of 47,616 bytes.  The MD5 checksum is the following string: 0x1F4A0E18C7B18A3C2799540F10E503AF

The IMG00687.exe file in the Photo.zip attachment has a file size of 32,256 bytes.  The MD5 checksum is the following string: 0x0DF04BB66914BA6762F47E65B03D824C

The IMG94857.exe file in the Photo.zip attachment has a file size of 33,792 bytes.  The MD5 checksum is the following string: 0x64944A12B74DC86CF0BD968BC33B56F0

The IMG04762.exe file in the Photo.zip attachment has a file size of 33,792 bytes.  The MD5 checksum is the following string: 0xCB407F8A82E75AA9FB54A5685EC43FFD

The IMG9385.exe file in the Photo.zip attachment has a file size of 33,280 bytes.  The MD5 checksum is the following string: 0x1D134D3108DD0B6DD7BC2BA47ABD678B

The IMG0457.exe file in the Photo.zip attachment has a file size of 31,232 bytes.  The MD5 checksum is the following string: 0xFC66726B33E42A17EE8B9FF8EED88C69

The IMG0496.exe file in the IMG0496.zip attachment has a file size of 32,256 bytes.  The MD5 checksum is the following string: 0x9C5D54D2998E60247DA04AD704DFB2F6

The IMG0591.exe file in the Photo.zip attachment has a file size of 32,256 bytes.  The MD5 checksum is the following string: 0x0675FB4107BB1AE2696A882CB91AAA2E

The EPS0948.exe file in the Photo.zip attachment has a file size of 31,232 bytes.  The MD5 checksum is the following string: 0x93735AEBB3E5960D7C8ACA3998C8C813

The Photo.exe file in the Photo.zip attachment has a file size of 34,304 bytes.  The MD5 checksum is the following string: 0x3688B8E76FBFE9FD381BF3A65DDADA71

The IMG8495.exe file in the Photo.zip attachment has a file size of 33,792 bytes.  The MD5 checksum is the following string: 0xCA8A110EF6967BEEBE521EE61FBDD43E

A variant of the Photo.exe file in the Photo.zip attachment has a file size of 34,304 bytes.  The MD5 checksum is the following string: 0x1389C1983EA4EAA72A0BF87F506C9B45

The IMG0893.exe file in the IMG0893.zip attachment has a file size of 33,792 bytes.  The MD5 checksum is the following string: 0x5B1E1534C828D398B0AE91820913911F

The IMG9807.exe file in the IMG9807.zip attachment has a file size of 31,232 bytes.  The MD5 checksum is the following string: 0xE3A9EC00EDB2D8557F535D42FA7C8441

The IMG9821.exe file in the IMG9821.zip attachment has a file size of 46,592 bytes.  The MD5 checksum is the following string: 0xC059816A9E77113092F7C6ADB2DEECEB

The IMG7652.exe file in the IMG7652.zip attachment has a file size of 48,128 bytes.  The MD5 checksum is the following string: 0x45BC9AD077DEC8A5B682F02900F844AE

The EPS00872.exe file in the EPS00872.zip attachment has a file size of 51,200 bytes.  The MD5 checksum is the following string: 0x5FE3EC48C6C232AC74D4C273F9306085

The IMG9403.exe file in the IMG9403.zip attachment has a file size of 50,688 bytes.  The MD5 checksum is the following string: 0xAD1696DFDEDBEBA3437543718A3DDB3A

The IMG9847.exe file in the IMG9847.zip attachment has a file size of 58,880 bytes.  The MD5 checksum is the following string: 0x347706FABA95F6D7FE64DF2F27BEF024

The IMG8927.exe file in the IMG0962.zip attachment has a file size of 51,200 bytes.  The MD5 checksum is the following string: 0x75BCFADB754DE06C2207CAD5DAD0C003

The IMG0395.exe file in the IMG0395.zip attachment has a file size of 49,664 bytes.  The MD5 checksum is the following string: 0xC2618A002853E9266A4A3A1F9E7CD957

A variant of the Photos.exe file in the Photos.zip attachment has a file size of 57,344 bytes.  The MD5 checksum is the following string: 0x7484453DF392E9E577C17B504A415ACD

A variant of the Photo.exe file in the Photo.zip attachment has a file size of 65,024 bytes.  The MD5 checksum is the following string: 0x8A115563822E7ECA1B83ABEC0D31416B

A third variant of the Photo.exe file in the Photo.zip attachment has a file size of 61,952 bytes.  The MD5 checksum is the following string: 0x1988B57F1448DE5413EF3A75F7836231

A fourth variant of the Photo.exe file in the Photo.zip attachment has a file size of 63,488 bytes.  The MD5 checksum is the following string: 0x971BE4892A3F3A4B4EB9818434749DB0

A fifth variant of the Photo.exe file in the Photo.zip attachment has a file size of 61,440 bytes.  The MD5 checksum is the following string: 0x46E7B5C14BB15FA134F1DFD457F65C0E

The IMG4898.exe file in the Photo.zip attachment has a file size of 64,000 bytes.  The MD5 checksum is the following string: 0xB4E77546C5A762987FAFE289E401AA57

The EPS0049.exe file in the KVREPS0049.zip attachment has a file size of 59,904 bytes. The MD5 checksum is the following string: 0x6A22F40B23012DD26274A8767CF61145

A variant of the IMG93857.exe file in the Photo.zip attachment has a file size of 58,368 bytes. The MD5 checksum is the following string: 0x84E886503FBFAA2E4A6F043CD672ECD9

The EPS09678.exe file in the EPS09678.zip attachment has a file size of 63,488 bytes.  The MD5 checksum is the following string: 0xA6937CE5EE9A18CC4988E036F46811F9

The IMG3619.exe file in the Photo.zip attachment has a file size of 38,400 bytes.  The MD5 checksum is the following string: 0x940024C714B1DC8F21FC2FA81F88FD2C

The IMG93038.exe file in the IMG93038.zip attachment has a file size of 47,104 bytes.  The MD5 checksum is the following string: 0xE5B396C22BE1FA9AF176A61046757947

A third variant of the CAN03489.exe file in the Photo.zip attachment has a file size of 47,104 bytes. The MD5 checksum is the following string: 0xE2A8EFE717547076A019321AA16BC429

A fourth variant of the EPS00364585.exe file in the Photo.zip attachment has a file size of 49,152 bytes. The MD5 checksum is the following string: 0x79AEACE252D7CCADC47364573FE29769

The ok1.exe file in the sample.zip attachment has a file size of 750,592 bytes. The MD5 checksum is the following string: 0x9C3817BEEAB7852C83668264F5C5861E
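As an added example (not part of the Cisco alert), the following Python checker applies the pattern described above to a .zip attachment held in memory: it flags an executable hidden inside a "photo" archive, matches each member's MD5 against hashes the alert publishes (three of them are copied into KNOWN_SAMPLES), and treats an archive that fails to parse as something to review rather than pass. The lure-name regex, the extension list and the verdict names are this example's own heuristics, not indicators taken from the alert.

```python
import hashlib
import io
import re
import zipfile

# Indicators copied from the alert: MD5 -> (file name, size in bytes); three
# of the published samples are enough to show the lookup.
KNOWN_SAMPLES = {
    "e64ee2ad5901ec4e49c44099ba5c9a54": ("IMG958.exe", 36352),
    "21521c77eeef1197ba86e65204efca63": ("IMG8493.exe", 41472),
    "9c3817beeab7852c83668264f5c5861e": ("ok1.exe", 750592),
}
# Naming pattern of the lure files listed in the alert (IMG958.exe, EPS0948.exe,
# Photo.zip, Photos.exe, ...). A heuristic of this example, not an exact indicator.
LURE_NAME = re.compile(r"^(IMG|EPS|Photos?)\d*\.(exe|zip)$", re.IGNORECASE)
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif")  # example's own list


def classify_member(name, data, known=KNOWN_SAMPLES):
    # MD5 because that is what the alert publishes; it pins one sample, not a family.
    md5 = hashlib.md5(data).hexdigest()
    base = name.rsplit("/", 1)[-1]
    return {
        "name": name, "size": len(data), "md5": md5,
        "executable": base.lower().endswith(EXECUTABLE_SUFFIXES),
        "lure_name": bool(LURE_NAME.match(base)),
        "known_sample": md5 in known,
    }


def scan_attachment(filename, data, known=KNOWN_SAMPLES):
    """Return (verdict, findings) for a .zip attachment held in memory."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        # An archive that does not parse deserves a look rather than a silent pass.
        return "review", [{"name": filename, "error": "not a valid zip archive"}]
    findings = [classify_member(n, d, known) for n, d in members]
    if any(f["known_sample"] for f in findings):
        return "block", findings  # exact match on a published sample
    if any(f["executable"] for f in findings):
        # The alert's pattern: a "photo" archive that actually carries an executable.
        return ("block" if LURE_NAME.match(filename) else "review"), findings
    return "allow", findings


def build_zip(entries):
    """Build a constructed in-memory zip for testing: {name: bytes} -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

In a mail gateway this would run on the decoded attachment before delivery; the size recorded for each member can be compared with the sizes the alert lists as a second check when a hash matches.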

The following text is a sample of the e-mail message that is associated with this threat outbreak:

Subject: O boy you look so stupid here.

Message Body:

Hi de3cup@yahoo.com,
I got this photo from your ex-girlfriend. You're really ridiculous man!

Or

Subject: Got you by the balls man.

Message Body:

Cheers bradleyjreece@yahoo.com,
I'm sorry man you seem to be in trouble. My girfriend got this picture of you yesterday and sent to your wife. Hope you can handle it

Or

Subject: I got you busted man. Proof is attached.

Message Body:

Hey branniont@yahoo.com,
How would you explain that picture of yours, it attachment? I don't really know what to think of you now.

Or

Subject: This chick in this video looks like you. It's you?

Message Body:

Hey andy_roc_1230@yahoo.com,
This chick in this pornvideo in attachment looks a lot like your girfriend. Do you know that she did porn? Are you OK with it?.

Or

Subject: Looks like we didn't really know anything about her:)

Message Body:

Hi there sanjohnson@geico.com,
Check the attached video, someone on Facebook sent it to me. Is it really Rihanna?? Mind-blowing:)) She's really weird!.

Or

Subject: Hey what's with your Facebook profile?

Message Body:

Hey bobo_bossu_11@yahoo.com,
What's with your facebook??? Very strange stuff on your profile page, I made a screenshot, see attachment. Is is you or someone stole your account??.

Or

Subject: You HAVE to check this photo in attachment man.

Message Body:

Excuse me al@cesmail.net,
I got to show you this picture in attachment, I can't tell who gave it to me, sorry, but this chick looks a lot like your ex-gf. But who's that dude?? I have a question, have you seen this picture of yours, in attachment?? Three facebook friends sent it to me today... why did you put it online? wouldn't it harm your job? what if parents see it? you must be way cooler than I thought about you man :)))).

Cisco Security Intelligence Operations analysts examine real-world e-mail traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global e-mail security threats and trends. Cisco will continue to monitor this threat and automatically adapt IronPort systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.

Cisco IronPort Virus Outbreak Filters protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. E-mail that is managed by Cisco and end users who are protected by Cisco IronPort web security appliances will not be impacted by these attacks. Cisco IronPort appliances are automatically updated to prevent both spam e-mail and hostile web URLs from being passed to the end user.

Related Links
Cisco Security Intelligence Operations
Cisco Threat Operations Center
Cisco SenderBase Security Network

Alert History

Version 27, July 11, 2012, 12:03 PM: Cisco Security Intelligence Operations has detected significant activity on July 10, 2012.

Version 26, July 3, 2012, 10:07 AM: Cisco Security Intelligence Operations has detected significant activity on July 8, 2012.

Version 25, July 3, 2012, 10:11 AM: Cisco Security Intelligence Operations has detected significant activity on July 3, 2012.

Version 24, June 26, 2012, 5:01 PM: Cisco Security Intelligence Operations has detected significant activity on June 26, 2012.

Version 23, June 25, 2012, 2:36 PM: Cisco Security Intelligence Operations has detected significant activity on June 22, 2012.

Version 22, June 22, 2012, 10:03 AM: Cisco Security Intelligence Operations has detected significant activity on June 21, 2012.

Version 21, May 29, 2012, 10:47 AM: Cisco Security Intelligence Operations has detected significant activity on May 29, 2012.

Version 20, May 25, 2012, 12:41 PM: Cisco Security Intelligence Operations has detected significant activity on May 12, 2012.

Version 19, May 12, 2012, 7:16 PM: Cisco Security Intelligence Operations has detected significant activity on May 8, 2012.

Version 18, May 7, 2012, 10:28 AM: Cisco Security Intelligence Operations has detected significant activity on May 7, 2012.

Version 17, May 4, 2012, 1:59 PM: Cisco Security Intelligence Operations has detected significant activity on May 3, 2012.

Version 16, April 30, 2012, 9:50 AM: Cisco Security Intelligence Operations has detected significant activity on April 29, 2012.

Version 15, April 20, 2012, 10:05 AM: Cisco Security Intelligence Operations has detected significant activity on April 20, 2012.

Version 14, April 6, 2012, 3:38 PM: Cisco Security Intelligence Operations has detected significant activity on April 5, 2012.

Version 13, April 5, 2012, 12:56 PM: Cisco Security Intelligence Operations has detected significant activity on April 4, 2012.

Version 12, April 4, 2012, 11:06 AM: Cisco Security Intelligence Operations has detected significant activity on April 4, 2012.

Version 11, March 19, 2012, 10:28 AM: Cisco Security Intelligence Operations has detected significant activity on March 16, 2012.

Version 10, March 16, 2012, 2:27 PM: Cisco Security Intelligence Operations has detected significant activity on March 15, 2012.

Version 9, March 14, 2012, 4:46 PM: Cisco Security Intelligence Operations has detected significant activity on March 13, 2012.

Version 8, March 12, 2012, 11:11 AM: Cisco Security Intelligence Operations has detected significant activity on March 9, 2012.

Version 7, March 8, 2012, 11:19 AM: Cisco Security Intelligence Operations has detected significant activity on March 7, 2012.

Version 6, March 6, 2012, 3:02 PM: Cisco Security Intelligence Operations has detected significant activity on March 6, 2012.

Version 5, March 5, 2012, 5:32 PM: Cisco Security Intelligence Operations has detected significant activity on March 5, 2012.

Version 4, February 29, 2012, 3:07 PM: Cisco Security Intelligence Operations has detected significant activity on February 29, 2012.

Version 3, February 28, 2012, 10:55 AM: Cisco Security Intelligence Operations has detected significant activity on February 28, 2012.

Version 2, February 27, 2012, 9:36 AM: Cisco Security Intelligence Operations has detected significant activity on February 26, 2012.

Version 1, February 24, 2012, 4:11 PM: Cisco Security Intelligence Operations has detected significant activity on February 24, 2012.


Product Sets

The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Threat Outbreak Alert Original Release Base

Associated Products:
N/A

Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment. Cisco is pleased to offer a free trial of the service. To register for full access, please visit the IntelliShield trial registration page.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.