Got spam that looks like an infected message today. It's a phishing email that targets Dell customers.
The content of the message is obviously a phishing message (BTW, the message header says it is from email@example.com):
Thank you for ordering from our internet shop. If you paid with a credit card, the charge on your statement will be from name of our shop.
This email is to confirm the receipt of your order. Please do not reply as this email was sent from our automated confirmation system.
Date : 08 Oct 2006 – 12:40
Order ID : 37679041
Payment by Credit card
Product : Quantity : Price
WJM-PSP – Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99
Subtotal : 2,449.99
Shipping : 32.88
TOTAL : 2,482.87
Your Order Summary located in the attachment file ( self-extracting archive with "37679041.pdf" file ).
PDF (Portable Document Format) files are created by Adobe Acrobat software and can be viewed with Adobe Acrobat Reader.
If you do not already have this viewer configured on a local drive, you may download it for free from Adobe's Web site.
We will ship your order from the warehouse nearest to you that has your items in stock (NY, TN, UT & CA). We strive to ship all orders the same day, but please allow 24hrs for processing.
You will receive another email with tracking information soon.
We hope you enjoy your order! Thank you for shopping with us!
The compressed file doesn't contain a PDF file but an exe file named "37679041.exe". I sent the file for an online scan and only a few antivirus engines detected an infection in the said file.
Scanner             Version           Last update   Result
AntiVir             18.104.22.168     10.09.2006    HEUR/Crypted
Authentium          4.93.8            10.09.2006    no virus found
Avast               4.7.892.0         10.10.2006    no virus found
AVG                 386               10.10.2006    no virus found
BitDefender         7.2               10.10.2006    no virus found
CAT-QuickHeal       8.00              10.07.2006    (Suspicious) – DNAScan
ClamAV              devel-20060426    10.10.2006    no virus found
eTrust-InoculateIT  23.73.18          10.10.2006    no virus found
eTrust-Vet          30.3.3125         10.10.2006    no virus found
DrWeb               4.33              10.10.2006    no virus found
Ewido               4.0               10.10.2006    no virus found
Fortinet            22.214.171.124    10.10.2006    suspicious
F-Prot              3.16f             10.09.2006    no virus found
F-Prot4             126.96.36.199     10.09.2006    no virus found
Ikarus              0.2.65.0          10.10.2006    no virus found
Kaspersky           188.8.131.52      10.10.2006    no virus found
McAfee              4869              10.09.2006    no virus found
Microsoft           1.1603            10.10.2006    no virus found
NOD32v2             1.1796            10.10.2006    a variant of Win32/Haxdoor
Norman              5.80.02           10.10.2006    Suspicious_F.gen
Panda               184.108.40.206    10.09.2006    Suspicious file
Sophos              4.10.0            10.05.2006    no virus found
TheHacker           6.0.1.094         10.08.2006    no virus found
UNA                 1.83              10.09.2006    no virus found
VBA32               3.11.1            10.09.2006    no virus found
VirusBuster         4.3.7:9           10.09.2006    no virus found
Jotti's Malware scan:
Scanner                 Malware name
AVG Antivirus           X
F-Prot Antivirus        X
Kaspersky Anti-Virus    X
Norman Virus Control    Text/BotFTP.gen
So guys – especially Dell customers – don't execute or download such attachments. I usually preview emails on the server using Mailwasher Pro or ePrompter, then delete the bad emails from the server and simply download the good ones. I didn't do this this time because I'm in a testing mood. If you aren't a tester, don't do it.
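As an added example (not part of the original post), here is a Python triage check for the pattern described above: an archive attachment whose member is an executable rather than the promised PDF. The sample message, the shop@example.com sender and the 64-byte MZ stub are constructed placeholders, not the real email or binary.

```python
import email
import io
import zipfile
from email.message import EmailMessage

PE_MAGIC = b"MZ"     # first bytes of a Windows executable, self-extracting archives included
PDF_MAGIC = b"%PDF"  # what a genuine PDF starts with
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

def suspicious_attachments(raw_message: bytes) -> list:
    """Flag attachments that carry executable content: an attachment with an executable
    extension or MZ header, an archive member with either, or a member named .pdf whose
    bytes are not a PDF (the "37679041.pdf" trick from the message above)."""
    findings = []
    msg = email.message_from_bytes(raw_message)
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # multipart containers and inline text carry no filename
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(EXEC_EXTS) or data.startswith(PE_MAGIC):
            findings.append(f"{name}: executable attachment")
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if member.is_dir():
                    continue
                with zf.open(member) as fh:
                    head = fh.read(4)
                lower = member.filename.lower()
                if lower.endswith(EXEC_EXTS) or head.startswith(PE_MAGIC):
                    findings.append(f"{name} -> {member.filename}: executable inside archive")
                elif lower.endswith(".pdf") and not head.startswith(PDF_MAGIC):
                    findings.append(f"{name} -> {member.filename}: .pdf name without PDF header")
    return findings

def build_sample() -> bytes:
    """Constructed sample: an 'order confirmation' whose zip holds 37679041.exe (an MZ stub only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("37679041.exe", PE_MAGIC + b"\x00" * 62)  # placeholder bytes, not a real program
    msg = EmailMessage()
    msg["From"] = "shop@example.com"  # constructed sender, not the real header
    msg.set_content("Your Order Summary is located in the attachment file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="37679041.zip")
    return msg.as_bytes()
```

Running `suspicious_attachments(build_sample())` yields one finding naming 37679041.exe inside the zip; a plain text message yields none. The same function can be pointed at a saved .eml file read in binary mode.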
Update: I submitted the said .exe file to Symantec. Symantec's analysis is: INFECTED, and they named it Backdoor.Haxdoor.R – http://www.symantec.com/security_response/writeup.jsp?docid=2006-101011-0842-99
Discovered: October 10, 2006
Updated: October 10, 2006 03:04:03 PM GDT
Type: Trojan Horse
Infection Length: 55,436 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP