The other day, while previewing messages in my inbox, I saw a conspicuous message with the following parameters, typos included:
To: (email address)
CC: (email address),...
Subject: Your ex sent me this pciture of you.
Body:
Hey (email address),
Your ex sent me this picture claiming it's you. Is it really so? You probaly should see a doctor:) They can cure it now:).
Attachment: "Photo.zip"

The attached file is a ZIP archive that contains an executable file named "IMG04958.exe" (SHA1: 51dd01ab8f18bc5e7875526db241d4ea79c136e8), detected as Worm:Win32/Gamarue.E.

Scanning other messages, I noticed three additional spam campaigns using different subject lines and message body text:

  • "I got you busted bro. You won't deny the obvious now. Check the photo in attachment ."
  • "I'm sorry man you seem to be in trouble. My girfriend got this picture of you yesterday and sent to your wife. Hope you can handle it"
  • "I got your picture yesterday, who is that girl next to you? In attachment"

The spam relies on a social engineering theme that leverages the shock of an accusation to trick the recipient into opening the attached file. If the recipient runs the attached executable on an unprotected computer, this Win32/Gamarue variant tries to download additional malware:

  • Downloads "888.exe" from IP 67.210.xxx.xxx:
    235964da72a80425dfb74efc264fa0ba4d8189c7 – Trojan:Win32/Hioles.C
  • Downloads "sol.exe" from IP 176.31.xxx.xxx:
    cfb374ae373f49ed7bf8da92fe725b4eaff5e1a5 – Trojan:Win32/FakeSysdef
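As an added illustration of how a mail gateway or triage script can flag this kind of attachment (not code from the MMPC post), the snippet below unpacks an inbound ZIP in memory and reports members that match the known SHA1 hashes listed above, carry an executable extension, start with a Windows MZ header, or use a photo-style name such as "IMG04958.exe". The sample archive is constructed here with a harmless stub, so it triggers the structural checks but not the hash match.

```python
import hashlib
import io
import re
import zipfile

# Known-bad SHA1 hashes as listed in the write-up above.
KNOWN_BAD_SHA1 = {
    "51dd01ab8f18bc5e7875526db241d4ea79c136e8": "Worm:Win32/Gamarue.E",
    "235964da72a80425dfb74efc264fa0ba4d8189c7": "Trojan:Win32/Hioles.C",
    "cfb374ae373f49ed7bf8da92fe725b4eaff5e1a5": "Trojan:Win32/FakeSysdef",
}

# Photo-style names (IMG..., DSC..., Photo...) paired with an executable extension.
IMAGE_LIKE_NAME = re.compile(r"^(img|dsc|photo|pic)[\w-]*\.(exe|scr|com|pif|bat|cmd)$", re.I)
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def inspect_zip_attachment(zip_bytes: bytes) -> list:
    """Return (member_name, reason) findings for an inbound ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            name = info.filename.rsplit("/", 1)[-1]  # strip any folder prefix
            sha1 = hashlib.sha1(data).hexdigest()
            if sha1 in KNOWN_BAD_SHA1:
                findings.append((name, "known sample: " + KNOWN_BAD_SHA1[sha1]))
            if name.lower().endswith(EXECUTABLE_EXT):
                findings.append((name, "executable extension inside archive"))
            if data[:2] == b"MZ":  # DOS/PE header: a Windows executable regardless of name
                findings.append((name, "PE/MZ header (Windows executable)"))
            if IMAGE_LIKE_NAME.match(name):
                findings.append((name, "photo-style name masquerading an executable"))
    return findings


def build_sample_zip(name: str = "IMG04958.exe",
                     payload: bytes = b"MZ" + b"\x00" * 62 + b"stub, not a program") -> bytes:
    """Constructed sample archive (hypothetical helper): one member with the given name/bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip_attachment(build_sample_zip()):
        print(f"{member}: {reason}")
```

A benign image member (for example "holiday.jpg" with JPEG bytes) produces no findings, so the checks can gate quarantine without blocking ordinary photo attachments.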

Gamarue also communicates with a command and control server on a botnet, from which it receives instructions to perform actions on the infected computer.

It can't be emphasized enough: our recommendation is to apply an "ointment" (i.e. active security scanning) to help prevent "outbreaks".

-- Patrick Nolan, MMPC