Threat Outbreak Alert: Fake Picture Delivery Email Messages on June 4, 2014

 
Threat Type: IntelliShield: Threat Outbreak Alert
IntelliShield ID: 30864
Version: 9
First Published: 2013 September 18 18:37 GMT
Last Published: 2014 June 05 12:52 GMT
Port: Not available
Urgency: Possible use
Credibility: Confirmed
Severity: Mild Damage

Version Summary: Cisco Security Intelligence Operations has detected significant activity on June 4, 2014.
 

Description
 
Cisco Security Intelligence Operations has detected significant activity related to spam email messages that claim to contain a photo message for the recipient. The text in the email message attempts to convince the recipient to open the attachment and view the photo. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.

Email messages that are related to this threat (RuleID2970_1KVR and RuleID2970KVR) may contain the following files:

image.photo_203794423.zip
image.photo_765894873.jpg.exe
picture.messageID06055440.zip
picture.messageID65932980.gif.exe
foto.image43974642.zip
foto.image76043765.jpg.exe
20131002_350544_.zip
20131002_200744_.jpeg.exe
0949664462Img_Picture.zip
8400587498Img_Picture.jpeg.exe
IMG0122X_1782147_p.zip
IMG0009D_7849076_a.jpeg.exe
DSC0008301119.zip
DSC0098504885.jpeg.exe
Photo 05-02-2014 24 33 88.zip
Photo 05-02-2014 21 21 10.jpeg.exe

foto_03_juni_2014_Untitled_04.zip
foto_03_juni_2014_Untitled_05.jpg.exe
Bez-nazwy-150065_8.JPG.zip
Bez-nazwy-490100_1.JPG.exe

The image.photo_765894873.jpg.exe file in the image.photo_203794423.zip attachment has a file size of 159,232 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x33E2507110B70CB4076EEB3F408D5ACF

The picture.messageID65932980.gif.exe file in the picture.messageID06055440.zip attachment has a file size of 121,045 bytes. The MD5 checksum is the following string: 0x5D69A364FFA8D641237BAF4EC7BD641F

The foto.image76043765.jpg.exe file in the foto.image43974642.zip attachment has a file size of 234,496 bytes. The MD5 checksum is the following string: 0x522FF187B085C32DDD3082FFE87798E4

The 20131002_200744_.jpeg.exe file in the 20131002_350544_.zip attachment has a file size of 231,936 bytes. The MD5 checksum is the following string: 0x74DDEBCFC8B06AAD7D9F2B99127D648C

The 8400587498Img_Picture.jpeg.exe file in the 0949664462Img_Picture.zip attachment has a file size of 65,037 bytes. The MD5 checksum is the following string: 0x67355A28A8EA584D0A08F17BE10E251E

The IMG0009D_7849076_a.jpeg.exe file in the IMG0122X_1782147_p.zip attachment has a file size of 40,960 bytes. The MD5 checksum is the following string: 0xDF3EF2BD93925EDBF0CAC35B83BB8AD5

The DSC0098504885.jpeg.exe file in the DSC0008301119.zip attachment has a file size of 211,769 bytes. The MD5 checksum is the following string: 0x46E077F058F5A6EDDEE3C851F8E56838


The Photo 05-02-2014 21 21 10.jpeg.exe file in the Photo 05-02-2014 24 33 88.zip attachment has a file size of 94,208 bytes. The MD5 checksum is the following string: 0x4A39DC0E9C5D65267D2D9C64C0FE7F4C


The foto_03_juni_2014_Untitled_05.jpg.exe file in the foto_03_juni_2014_Untitled_04.zip attachment has a file size of 217,088 bytes. The MD5 checksum is the following string: 0x24D49563F6B9053DA4FCE6BCC1763363

The Bez-nazwy-490100_1.JPG.exe file in the Bez-nazwy-150065_8.JPG.zip attachment has a file size of 98,304 bytes. The MD5 checksum is the following string: 0x8508B1E9846B267F610F54D665F6F7A6
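The indicators above share one shape: a .zip attachment whose single entry is a Windows executable named with an image extension (.jpg, .jpeg, .gif) in front of .exe, plus a known size and MD5. As an added defender-side example (not part of this Cisco alert and not Cisco's tooling), the following Python script inspects a zip attachment for exactly that pattern and compares each entry's MD5 against the checksums transcribed from the alert. The sample archive it builds is constructed from harmless bytes so the script runs offline; its MD5 will therefore not match the indicator table, which is the expected outcome for a new, unseen sample.

```python
import hashlib
import io
import re
import zipfile

# MD5 checksums transcribed from this alert (lowercase hex, "0x" prefix dropped),
# mapped to the inner file name and size in bytes the alert reports for them.
ALERT_INDICATORS = {
    "33e2507110b70cb4076eeb3f408d5acf": ("image.photo_765894873.jpg.exe", 159232),
    "5d69a364ffa8d641237baf4ec7bd641f": ("picture.messageID65932980.gif.exe", 121045),
    "522ff187b085c32ddd3082ffe87798e4": ("foto.image76043765.jpg.exe", 234496),
    "74ddebcfc8b06aad7d9f2b99127d648c": ("20131002_200744_.jpeg.exe", 231936),
    "67355a28a8ea584d0a08f17be10e251e": ("8400587498Img_Picture.jpeg.exe", 65037),
    "df3ef2bd93925edbf0cac35b83bb8ad5": ("IMG0009D_7849076_a.jpeg.exe", 40960),
    "46e077f058f5a6eddee3c851f8e56838": ("DSC0098504885.jpeg.exe", 211769),
    "4a39dc0e9c5d65267d2d9c64c0fe7f4c": ("Photo 05-02-2014 21 21 10.jpeg.exe", 94208),
    "24d49563f6b9053da4fce6bcc1763363": ("foto_03_juni_2014_Untitled_05.jpg.exe", 217088),
    "8508b1e9846b267f610f54d665f6f7a6": ("Bez-nazwy-490100_1.JPG.exe", 98304),
}

# Every executable named in the alert ends in an image extension followed by .exe.
DOUBLE_EXTENSION = re.compile(r"\.(jpe?g|gif)\.exe$", re.IGNORECASE)


def inspect_zip_attachment(data):
    """Return a list of findings for the entries of a zip attachment.

    Each finding is a dict with the entry name, size, MD5 and the reasons it
    was flagged. Entries that match nothing are not reported.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for entry in archive.infolist():
            payload = archive.read(entry.filename)
            md5 = hashlib.md5(payload).hexdigest()
            reasons = []
            if DOUBLE_EXTENSION.search(entry.filename):
                reasons.append("image extension followed by .exe")
            elif entry.filename.lower().endswith(".exe"):
                reasons.append("executable inside attachment")
            # The DOS "MZ" signature marks a Windows executable whatever the name says.
            if payload[:2] == b"MZ":
                reasons.append("MZ header: Windows executable")
            if md5 in ALERT_INDICATORS:
                known_name, known_size = ALERT_INDICATORS[md5]
                reasons.append(f"MD5 matches alert sample {known_name} ({known_size} bytes)")
            if reasons:
                findings.append({
                    "name": entry.filename,
                    "size": entry.file_size,
                    "md5": md5,
                    "reasons": reasons,
                })
    return findings


def build_sample_attachment():
    """Constructed test zip: one disguised executable, one real-looking image.

    The executable entry is a harmless 64-byte MZ stub, not the malware from
    the alert, so its MD5 will not match the indicator table.
    """
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("image.photo_765894873.jpg.exe", b"MZ" + b"\x00" * 62)
        archive.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buffer.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip_attachment(build_sample_attachment()):
        print(finding["name"], finding["size"], finding["md5"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The name and MZ-header checks are the durable part of this logic: the checksums identify only the ten samples the alert saw, while the double-extension and header checks catch the next variant of the same lure before its hash is known. Run on the constructed archive, the script flags only the disguised executable; the genuine-looking .jpg entry produces no finding.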


The following text is a sample of the email message that is associated with this threat outbreak:

Subject: Picture Messaging (MMS) message

Message Body:

Description: T
mobile phone number: 61488672905

Or

Subject: T-Mobile MMS message has arrived

Message Body:

Subject: T-Mobile MMS message has arrived

Or

Subject: FW: foto 92877714

Message Body:

Met vriendelijke groet,
Inge van der Maarel-Verbeek
medewerker services
NNS&I/ZS/Ops/Beheer Brand
T (+31) (0)70 513 09 29
F (+31) (0)70 513 06 30
E zcbacceptatie@nn.nl
E brandbedrijvenacceptatie@nn.nl
Nationale-Nederlanden
Locatie HP C.12.003
Prinses Beatrixlaan 35, 2595 AK Den Haag
Postbus 93604, 2509 AV Den Haag
www.nn.nl
Nationale-Nederlanden Nederland B.V. (statutair gevestigd te Den Haag), handelsregisternr. 33231790
Nationale-Nederlanden Levensverzekering Mij. N.V. (statutair gevestigd te Rotterdam), handelsregisternr. 24042211
Nationale-Nederlanden Schadeverzekering Mij. N.V. (statutair gevestigd te Den Haag), handelsregisternr. 27023707
Van: service@mms.vodafone.nl [mailto:service@mms.vodafone.nl]
Verzonden: dinsdag 24 september 2013 11:29
Aan: Verbeek, I. (Inge)
Onderwerp: foto 92877714
Description: myvodafonelogo
mobiele nummer: 340038754
wachtwoord: 5IX3UH
De informatie verzonden met dit emailbericht is vertrouwelijk en uitsluitend bestemd voor de geadresseerde. Indien u als niet-geadresseerde dit bericht ontvangt, wordt u verzocht direct de afzender hierover te informeren en het bericht te vernietigen. Bij voorbaat dank!

Or

Subject: Fwd:

Message Body:

-----------
Sent from my iPhone

Or

Subject: foto 05-02-2014

Message Body:

Von meinem iPhone gesendet

Or

Subject: 1a564c07697de5d168f3236f7ac647f5

Message Body:

Wyslane z mojego iPhone przez Tapatalk

Cisco Security Intelligence Operations analysts examine real-world email traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global email security threats and trends. Cisco will continue to monitor this threat and automatically adapt systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.

Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Email that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam email and hostile web URLs from being passed to the end user.

Related Links
Cisco Security Intelligence Operations
Cisco SenderBase Security Network
 
Alert History
 

Version 8, February 6, 2014, 12:02 PM: Cisco Security Intelligence Operations has detected significant activity on February 5, 2014.

Version 7, November 13, 2013, 12:05 PM: Cisco Security Intelligence Operations has detected significant activity on November 12, 2013.

Version 6, October 16, 2013, 4:49 PM: Cisco Security Intelligence Operations has detected significant activity on October 16, 2013.

Version 5, October 9, 2013, 12:42 PM: Cisco Security Intelligence Operations has detected significant activity on October 8, 2013.

Version 4, October 2, 2013, 7:47 PM: Cisco Security Intelligence Operations has detected significant activity on October 1, 2013.

Version 3, September 24, 2013, 2:48 PM: Cisco Security Intelligence Operations has detected significant activity on September 24, 2013.

Version 2, September 19, 2013, 4:41 PM: Cisco Security Intelligence Operations has detected significant activity on September 19, 2013.

Version 1, September 18, 2013, 6:37 PM: Cisco Security Intelligence Operations has detected significant activity on September 17, 2013.


Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Threat Outbreak Alert Original Release Base

Associated Products:
N/A




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.