Updated: changelog update e-mail leads to fake anti-virus

Author: , posted: @ 11:38:00

A round of malicious spam e-mails is flooding inboxes. The e-mails are titled 'Fwd: changelog UPD.', 'Re: Fwd: Changelog as promised (upd.)', 'RE: Antone - Copies of Policies.' or similar. As usual, the sender address is forged.

These particular examples came from IP-address, using a forged sender address [email protected]; from (, sender address [email protected]; and from, forged sender address [email protected]. The forged sender's domain usually matches the recipient's domain to slip past spam filters, but the LinkedIn server seems legitimate (some hacked account?).
Content example one:

changelog update - View

Content example two:

Good morning,

as promised changelog - View 

I. Draper

Content example three:

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.

Antone HARRELL, 

As usual, such short and strange e-mails should make users suspicious. Always check the real destination URL by hovering the mouse pointer over a link before clicking it.
[Screenshots: 'Fwd: changelog UPD' e-mail example; 'Re: Fwd: Changelog as promised (upd.)' e-mail example; 'RE: Antone - Copies of Policies.' e-mail example]

The links point to a redirection page (forwarding.htm or inform.htm) at http://www.offdebicz.sopot.pl and. The pages contain a simple piece of JavaScript that forwards the browser to another web site hosting malicious Java code.
[Screenshot: 'Fwd: changelog UPD' e-mail, redirection page at]
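As an added example that is not part of the original post, the following Python script applies the triage heuristics described above to an e-mail: a lure subject from this campaign, a forged sender domain that equals the recipient's domain, and a short 'View' link pointing at a forwarding.htm/inform.htm redirector on an external host. The sample message and its link host (redirector.invalid) are constructed for the example; no address from the real campaign is used.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators taken from the campaign described in the post
SUBJECT_PATTERNS = [r"changelog", r"copies of policies"]
REDIRECT_PAGES = {"forwarding.htm", "inform.htm"}

# Constructed sample message (not a real capture); the link host is a
# placeholder, not the redirector domain named in the post.
SAMPLE = """\
From: "I. Draper" <it@example-corp.test>
To: user@example-corp.test
Subject: Re: Fwd: Changelog as promised (upd.)
Content-Type: text/html

Good morning,<br>
as promised changelog - <a href="http://redirector.invalid/forwarding.htm">View</a><br>
I. Draper
"""

def check_message(raw):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    subject = msg.get("Subject", "").lower()
    if any(re.search(p, subject) for p in SUBJECT_PATTERNS):
        findings.append("subject matches campaign lure")
    _, sender = parseaddr(msg.get("From", ""))
    _, rcpt = parseaddr(msg.get("To", ""))
    sender_dom = sender.rpartition("@")[2].lower()
    rcpt_dom = rcpt.rpartition("@")[2].lower()
    # Only meaningful for mail arriving from outside the gateway: internal
    # mail legitimately shares the recipient's domain.
    if sender_dom and sender_dom == rcpt_dom:
        findings.append("sender domain equals recipient domain (possible spoof)")
    body = msg.get_payload()
    for href, text in re.findall(r'href="([^"]+)"[^>]*>([^<]*)<', body):
        url = urlparse(href)
        host = url.hostname or ""
        page = url.path.rsplit("/", 1)[-1].lower()
        if page in REDIRECT_PAGES:
            findings.append(f"link to known redirector page {page} on {host}")
        if text.strip().lower() == "view" and host and not host.endswith(sender_dom):
            findings.append(f"'View' link leaves sender domain: {host}")
    return findings

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print("-", finding)
```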

The column.php page at in example one seems to be down by now, but it exploited a known Java vulnerability to make the victim's PC download and install ransomware (a fake anti-virus). A similar malicious page at is still up.
[Screenshot: 'Fwd: changelog UPD' e-mail, malicious page at]

Here's a part of the malicious Java code:
[Screenshot: 'Fwd: changelog UPD' e-mail, malicious code at]

The scareware runs automatically every time the current user logs in. The file itself is stored in the user's Application Data folder as KB00259840.exe (detected as W32/Cridex.E by Microsoft Security Essentials). Another file with a random name is added to the Java deployment cache folder and the System Restore folder; both are detected as Win32/Tobfy.I by Microsoft Security Essentials.

That's why you should keep your programs updated. Free anti-virus programs are capable of detecting and removing the threat automatically, and Malwarebytes Anti-Malware Free is also able to remove the ransomware.
