Financial scams distribute scareware and brute-force local accounts

Author: , posted: @ 11:10:36

Several different setups of financial scam e-mails are spreading scareware and brute-force attack malware. As common these days, hijacked web pages and outdated Java are involved.

The first example is entitled "Payroll Account Holded by Intuit", comes from e-mail address [email protected] and it really does misuse LinkedIn servers (not the first time!). The e-mail originated from (, went to, and dropped into my mailbox from ( Probably, some webmail service was involved.
Contents of the scam read:

Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Tue, 26 Feb 2013 10:50:32 -0500.

Finances would be gone away from below account # ending in 9209 on Tue, 26 Feb 2013 10:50:32 -0500
amount to be seceded: 2570 USD
Paychecks would be procrastinated to your personnel accounts on: Tue, 26 Feb 2013 10:50:32 -0500
Log In to Review Operation

Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Intuit Payroll Services

"Payroll Account Holded by Intuit" malware scam, e-mail example

As usual, the links do not lead to promised websites, but to an infected redirection page index-feed.htm at
Always check links before clicking them - just stop mouse pointer on a link and the destination URL appears on Status Bar or as a tooltip.

The second example is very different. It is entitled "Re: FW: End of Aug. Statement Required" and comes from forged e-mail address [email protected]. The e-mail was sent from IP-address to, then left via ( for and arrived to my server via IP-address
Contents of this one reads:

as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).


"Re: FW: End of Aug. Statement Required" malware scam, e-mail example

As you can see, there are no links involved. Instead, a HTM file is included as an attachment - its sole purpose is to redirect to a malicious web page.
Here, the attachment format, misspellings and the "(Microsoft Internet Explorer)" should make experienced users very cautious.

What follows in both cases, is pretty similar. A very common URL /forum/links/column.php used in many malware cases is opened at a hijacked web host on port 8080. In the first example, the host is; the second one is
The web pages try to execute malicious files on visitors' computers using security bugs in older versions of Java SE/Runtime Environment. That is why it is important to keep Java updated. Alternatively, you can disable Java in web browsers, or uninstall the software completely.
"Payroll Account Holded by Intuit" malware scam, infected web page example

If the infection attempt is successful, a brute-force local account attacking tool is dropped into Local Settings\Temp folder of currently logged on user. The file name is exp<random number>.tmp.exe, in these cases they were exp63.tmp.exe and exp9.tmp.exe. The tool then tries a whole bunch of common passwords on all available local accounts with the exception of the current user.
In case a proper Local Security Policy is set, all other accounts will be locked out temporarily. The myriad of brute-force login attempts can be seen in Security log of Event Viewer as events with ID-s 529, 539 and 680 in Windows XP, or event ID 4625 in Windows Vista and later.
"Payroll Account Holded by Intuit" malware scam, example security entries in Event Viewer. A part of the malware tries to brute-force local accounts.

Another piece of malware then tries to install scareware. The downloader is stored as KB<random 8-digit number>.exe in current user's Application Data or AppData folder. In these examples, the files were named KB00259840.exe and KB00116605.exe. To keep the downloader running properly, an entry is added to HKCU\Software\Microsoft\Windows\Run path of Registry - this starts the malware each time the user logs in to Windows.

Infected computers can be cleaned using either free anti-virus or free anti-malware programs. It is strongly recommended to keep an updated version of anti-virus program running in Microsoft Windows - this will prevent the malware from running in the first place. Also, check that common browser add-ons/plug-ins are up to date and keep installed software updated.

Return to Blog entries Stay up to date with RSS feed.


Latest entries