Mass Scam Email Impersonating HKCERT Distributing Malware
Last Update Date:
25 Jan 2013 20:00
Release Date:
25 Jan 2013
3492
Views
RISK: High Risk
TYPE: Attacks - Malware
HKCERT received an incident report related to a scam email on 25 Jan 2013. The scam email impersonated as HKCERT alert email sent to the public about an extremely critical vulnerability.
- The sender address of the scam email is "[email protected]", with the subject "保安漏洞:瀏覽器插件嚴重漏洞".
- The content of the scam email is in Chinese, and urged the recipient to install the so called "Adobe Flash Player patch" attached in the email.
- The file is already verified as a malware by our analysis. If the target system is infected by the malware attachment, it will connect to the website w w w . c a t n m e n . c o m. The website was unavailable at the time of analysis.
System / Technologies affected
- Certain Windows platforms
Solutions
Detection
- The infected system will have the following folders/files created:
- %AppData%\httpsrv.exe
- %Temp%\adobe_flashplayer11x32_installer.exe
- %Temp%\adobe_flashplayer11x32_update.exe
- The following anti-virus applications can detect the scam email attachment as malware:
- AVG
- BitDefender
- DrWeb
- F-Secure
- Kaspersky
Prevention
- The scam email is sent from 122.10.35.156. In mail server/firewall, deny access from this IP address.
- HKCERT have never sent any email on behalf of "[email protected]". Besides, the vulnerability alert email sent by HKCERT will not have any file attached. Do not open any file attached in the scam email.
Vulnerability Identifier
- No CVE information is available
Source
Related Link
Share with