Dell Customer Care sent me an infected file… not

Got spam today that looks like an infected message. It's a phishing email that targets Dell customers.

The content of the message is obviously a phishing message (BTW, the message header says it is from customercare@dell.com):

Dear Customer,

Thank you for ordering from our internet shop. If you paid with a credit card, the charge on your statement will be from name of our shop.

This email is to confirm the receipt of your order. Please do not reply as this email was sent from our automated confirmation system.

Date : 08 Oct 2006 – 12:40
Order ID : 37679041

Payment by Credit card

Product : Quantity : Price
WJM-PSP – Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99

Subtotal : 2,449.99
Shipping : 32.88
TOTAL : 2,482.87

Your Order Summary located in the attachment file ( self-extracting archive with "37679041.pdf" file ).

PDF (Portable Document Format) files are created by Adobe Acrobat software and can be viewed with Adobe Acrobat Reader.
If you do not already have this viewer configured on a local drive, you may download it for free from Adobe's Web site.  

We will ship your order from the warehouse nearest to you that has your items in stock (NY, TN, UT & CA). We strive to ship all orders the same day, but please allow 24hrs for processing.

You will receive another email with tracking information soon.

We hope you enjoy your order!  Thank you for shopping with us!

The compressed file doesn't contain a PDF file but an exe file, named "37679041.exe". I sent the file for online scanning and only a few antivirus engines detected an infection in it.

Virustotal:

AntiVir 7.2.0.25 10.09.2006 HEUR/Crypted
Authentium 4.93.8 10.09.2006 no virus found
Avast 4.7.892.0 10.10.2006 no virus found
AVG 386 10.10.2006 no virus found
BitDefender 7.2 10.10.2006 no virus found
CAT-QuickHeal 8.00 10.07.2006 (Suspicious) – DNAScan
ClamAV devel-20060426 10.10.2006 no virus found
eTrust-InoculateIT 23.73.18 10.10.2006 no virus found
eTrust-Vet 30.3.3125 10.10.2006 no virus found
DrWeb 4.33 10.10.2006 no virus found
Ewido 4.0 10.10.2006 no virus found
Fortinet 2.82.0.0 10.10.2006 suspicious
F-Prot 3.16f 10.09.2006 no virus found
F-Prot4 4.2.1.29 10.09.2006 no virus found
Ikarus 0.2.65.0 10.10.2006 no virus found
Kaspersky 4.0.2.24 10.10.2006 no virus found
McAfee 4869 10.09.2006 no virus found
Microsoft 1.1603 10.10.2006 no virus found
NOD32v2 1.1796 10.10.2006 a variant of Win32/Haxdoor
Norman 5.80.02 10.10.2006 Suspicious_F.gen
Panda 9.0.0.4 10.09.2006 Suspicious file
Sophos 4.10.0 10.05.2006 no virus found
TheHacker 6.0.1.094 10.08.2006 no virus found
UNA 1.83 10.09.2006 no virus found
VBA32 3.11.1 10.09.2006 no virus found
VirusBuster 4.3.7:9 10.09.2006 no virus found

Jotti's Malware scan:

Scanner  Malware name
AntiVir  X
ArcaVir  X
Avast  X
AVG Antivirus  X
BitDefender  X
ClamAV  X
Dr.Web  X
F-Prot Antivirus  X
Fortinet  X
Kaspersky Anti-Virus  X
NOD32  X
Norman Virus Control  Text/BotFTP.gen
UNA  X
VirusBuster  X
VBA32  X

So guys – especially Dell customers – don't download or execute such attachments. I usually preview emails on the server using MailWasher Pro or ePrompter, then delete the bad emails from the server and download only the good ones. I didn't do that this time because I was in a testing mood. If you aren't a tester, don't do it.

Update: I submitted the said .exe file to Symantec. Symantec's analysis is: INFECTED, and they named it Backdoor.Haxdoor.R – http://www.symantec.com/security_response/writeup.jsp?docid=2006-101011-0842-99

Discovered: October 10, 2006
Updated: October 10, 2006 03:04:03 PM GDT
Type: Trojan Horse
Infection Length: 55,436 bytes.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
If you are a NAV user, you can download the rapid release from Symantec's FTP site (ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/symrapidreleasedefsi32.exe). The said definitions contain all of Symantec's detections, including detection for the sample I sent to them today. Detection will also be available via LiveUpdate Daily (today) and the weekly LiveUpdate (tomorrow – Oct. 11).