2012-11-30 @ 11:38:00
A round of malicious spam e-mails is flooding inboxes. The e-mails are titled "Fwd: changelog UPD.", "Re: Fwd: Changelog as promised (upd.)", "RE: Antone - Copies of Policies." or similar. As usual, the sender address is forged.
These particular examples came from IP address 184.108.40.206, using the forged sender address [email protected]; from maile-ea.linkedin.com (220.127.116.11), sender address [email protected]; and from 18.104.22.168, forged sender address [email protected]. The sender's domain will mostly match the recipient's domain to get past spam filters, but the LinkedIn server seems legitimate (some hacked account?).
Content example one:
changelog update - View
Content example two:
as promised changelog - View
Content example three:
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
As usual, such short and strange e-mails should make users suspicious. Always verify the destination URL by hovering the mouse pointer over a link before clicking it.
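The two warning signs above (a sender domain forged to match the recipient's, and a bland "View" link whose real destination is an external host on an unusual port) can be checked mechanically at the mail gateway. The script below is an added example written for this post, not code from the original article or from any vendor. The e-mail it parses is constructed (the example-corp.test domain and the relay allowlist are hypothetical); the connecting IP and the link destination are the ones quoted in the post.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the campaign in the post: the From address is
# forged to look internal, the connecting IP is the one quoted in the post, and
# a generic "View" link hides a .ru:8080 destination.  Not a real captured mail.
SAMPLE_EMAIL = """\
Received: from mail.example-corp.test (unknown [184.108.40.206])
    by mx.example-corp.test with ESMTP; Fri, 30 Nov 2012 11:20:00 +0200
From: "Payroll" <payroll@example-corp.test>
To: alice@example-corp.test
Subject: Fwd: changelog UPD.
Content-Type: text/html; charset=us-ascii

<html><body>changelog update -
<a href="http://dimarikanko.ru:8080/forum/links/column.php">View</a>
</body></html>
"""

# Hypothetical allowlist of the organisation's own relays; any other host that
# delivers mail claiming an internal From domain is treated as forged.
INTERNAL_RELAYS = {"10.0.0.25"}
SUBJECT_KEYWORDS = ("changelog", "copies of policies")
GENERIC_LINK_TEXT = {"view", "click here", "here", "open", "download"}


class LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs so link text can be compared with its target."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def connecting_ip(msg):
    """First IPv4 literal in the top-most Received header (the last hop into us)."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
    return match.group(1) if match else None


def same_org(host, domain):
    return host == domain or host.endswith("." + domain)


def suspicious_links(links, sender_domain):
    """Links leaving the sender's domain behind generic text or a non-standard port."""
    hits = []
    for text, href in links:
        parts = urlparse(href)
        host = (parts.hostname or "").lower()
        if not host or same_org(host, sender_domain):
            continue
        if text.lower() in GENERIC_LINK_TEXT or parts.port not in (None, 80, 443):
            hits.append(href)
    return hits


def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    recipient_domain = msg["To"].addresses[0].domain.lower()
    ip = connecting_ip(msg)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    result = {
        "subject_hit": any(k in (msg["Subject"] or "").lower() for k in SUBJECT_KEYWORDS),
        # an internal-looking sender delivered by a host that is not one of ours
        "forged_internal_sender": sender_domain == recipient_domain
        and ip is not None
        and ip not in INTERNAL_RELAYS,
        "suspicious_links": suspicious_links(extract_links(html), sender_domain),
    }
    score = (int(result["subject_hit"]) + int(result["forged_internal_sender"])
             + int(bool(result["suspicious_links"])))
    result["verdict"] = "quarantine" if score >= 2 else "deliver"
    return result
```

Run `triage(SAMPLE_EMAIL)`: the constructed message trips all three checks and is marked for quarantine. The subject keywords alone are weak evidence (the campaign can change them at will), so the verdict needs at least two independent signals; in production the relay allowlist would be replaced by the domain's SPF record.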
The column.php page at http://dimarikanko.ru:8080/forum/links/ in example one seems to be down by now, but it exploited a known Java vulnerability to make the victim's PC download and install ransomware (a fake anti-virus). A similar malicious page at http://podarunoki.ru:8080/forum/links/ is still up.
Here's a part of the malicious Java code:
The scareware runs automatically every time the current user logs in. The file itself is stored in the user's Application Data folder as KB00259840.exe (detected as W32/Cridex.E by Microsoft Security Essentials). Another file with a random name is added to the Java deployment cache folder and the System Restore folder; both are detected as Win32/Tobfy.I by Microsoft Security Essentials.
That's why you should keep your programs updated. Free anti-virus programs are capable of detecting and removing the threat automatically, and Malwarebytes Anti-Malware Free is also able to remove the ransomware.