Several of our ever-vigilant readers have warned us of a new targeted Trojan “document” that is being sent out specifically to executives in corporations.
Thanks Dan, Andy and Joe!
The subjects of the emails were of the form:
Proforma Invoice for "Company Name" (Attn: "Executive Name")
The body of the email included this text:
"The Proforma Invoice is attached to this message. You can find the file
in the attachments area of your email software.
PS: The invoice also includes the cost for the services provided for the
second quarter of 2007.
Please read, evaluate and reply with any comments. Thanks.
Beckman Instruments, Inc.
2500 Harbor Boulevard, E-26-C
Fullerton, CA 92634-3100"
It is another Word “document” with a malicious embedded object, similar to the BBB, IRS, FTC and other targeted Trojan “documents” we have seen lately.
The file sent is Proforma_Invoice.doc
The AV vendors that recognized it at VirusTotal were:
Authentium 4.93.8 06.15.2007 W32/Dropper.ESR
Fortinet 220.127.116.11 06.15.2007 W32/Nuclear!tr
Sophos 4.18.0 06.12.2007 Troj/BHO-BP
Symantec 10 06.15.2007 Downloader
Panda 18.104.22.168 06.15.2007 Suspicious file
The document itself contains an icon of a pair of books (blue and yellow) and a magnifying glass, and the text:
“DOUBLE CLICK THE ICON ABOVE
TO VIEW THE DOCUMENT DETAILS”
The icon represents a “Packaged Object”.
Clicking the icon in XP SP2 resulted in a Windows popup box that stated:
“The publisher could not be verified. Are you sure you want to run this software?
Publisher: Unknown Publisher”
The three copies we have seen so far were all the same: all were 689,152 bytes long and all had an MD5 hash of 47fff5b9d3765b70571454146ea9f244.
A word of caution: Do NOT open strange documents or run untrusted binaries on a machine you don’t wish to format and reinstall the OS on!
Most of us who do malware analysis have a machine on which we can reinstall a fresh, clean copy of the OS if things go wrong, and the ability to watch our network to see if anything is going wrong.
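For mail administrators who want to sweep a mail store for this message, here is a small triage sketch. It is an added example, not code from the original diary, and it checks the subject form, file name, size and MD5 given above. The OLE magic and "\x01Ole10Native" stream-name check is a generic heuristic for an embedded Packager object and is an assumption, not something the diary states; the sample message is constructed and harmless.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the diary text above.
SUBJECT_RE = re.compile(r'^Proforma Invoice for .+ \(Attn: .+\)\s*$', re.I)
KNOWN_NAME = "proforma_invoice.doc"
KNOWN_SIZE = 689152
KNOWN_MD5 = "47fff5b9d3765b70571454146ea9f244"

# Assumptions (not from the diary): generic markers of a legacy OLE2 file
# carrying a Packager object, used to flag repacked variants with a new hash.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
PACKAGE_STREAM = "\x01Ole10Native".encode("utf-16-le")


def triage(raw_message: bytes) -> list:
    """Return the names of the indicators that a raw RFC 822 message hits."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if SUBJECT_RE.match(str(msg.get("Subject", ""))):
        hits.append("subject")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if (part.get_filename() or "").lower() == KNOWN_NAME:
            hits.append("filename")
        if len(data) == KNOWN_SIZE:
            hits.append("size")
        if hashlib.md5(data).hexdigest() == KNOWN_MD5:
            hits.append("md5")
        if data.startswith(OLE_MAGIC) and PACKAGE_STREAM in data:
            hits.append("ole-package")
    return hits


def build_sample() -> bytes:
    """Constructed test message; the attachment is filler bytes, not malware."""
    m = EmailMessage()
    m["Subject"] = 'Proforma Invoice for "Example Corp" (Attn: "J. Doe")'
    m.set_content("The Proforma Invoice is attached to this message.")
    fake_doc = OLE_MAGIC + b"\x00" * 64 + PACKAGE_STREAM + b"\x00" * 64
    m.add_attachment(fake_doc, maintype="application", subtype="msword",
                     filename="Proforma_Invoice.doc")
    return m.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

A "size" or "md5" hit means an exact copy of the file described above; "subject", "filename" or "ole-package" alone only mark a message for manual review.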