Sunbeltblog comments

Great information. Nice to read your blog. I would like to come again here.

Anti Spam Software
Windows Server Monitor


Thanks for the write-up, Alex.

My company received one of these as well, in which the sender was the same and the come-on was the same. The attachment was also a zip file with an SCR attachment which had a PDF icon.

When I submitted it to VirusTotal, I noted that Sunbelt was one of the vendors who had already detected it. Here's the link:

http://www.virustotal.com/ analis...4fba992aec70ae7


The PDF icon is kind of clever. Do they do this often?


The PDF icon is kind of clever. Do they do this often?

No, in the past it's been an embedded OLE object in an RTF.


It has been a tactic to use familiar icons in order to fool users into launching "bad" files...

I have a few baddies in my collection that are executable files that have the Windows "folder" icon... guess what people do when they get a file like this... they click it to look inside... but clicking doesn't open a folder, it unleashes the virus/keylogger onto their system!

WinXP doesn't do any favours with its folder option (ON by default) of "Hide extensions for known file types", which means the user may not even know it is an .exe file because Windows conveniently turns "my folder.exe" into "my folder"!!
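
Added example, not part of the original comments or of any vendor's product: a mail-gateway style check that lists the entries of a zip attachment, flags directly executable ones such as the .scr and .exe files described above, and reports the name a user would see with extensions hidden. The extension lists, function names and sample archive are assumptions constructed for illustration.

```python
import io
import os
import zipfile
from pathlib import PureWindowsPath

# Assumed, non-exhaustive lists for illustration.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DECOY_EXTS = {".pdf", ".doc", ".rtf", ".txt", ".jpg"}


def inspect_zip(data):
    """Return one finding per directly executable entry in a zip attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Windows drops trailing spaces and dots, so strip them before
            # reading the real (last) extension.
            name = PureWindowsPath(info.filename).name.rstrip(" .")
            stem, ext = os.path.splitext(name)
            if ext.lower() not in EXECUTABLE_EXTS:
                continue
            findings.append({
                "entry": info.filename,
                # What Explorer shows with "Hide extensions for known
                # file types" enabled: the name minus its last extension.
                "shown_as": stem,
                "double_extension":
                    os.path.splitext(stem)[1].lower() in DECOY_EXTS,
            })
    return findings


def build_sample_zip():
    """Constructed sample: harmless placeholder bytes, suspicious names only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/Invoice.pdf.scr", b"placeholder")
        zf.writestr("my folder.exe", b"placeholder")
        zf.writestr("notes.txt", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        print(f)
```

The check looks only at file names; an icon embedded in the executable, like the PDF icon mentioned above, does not change the result.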

