The other day, while previewing messages in my inbox, I saw a conspicuous message with the following parameters, typos included:

To: (email address)
CC: (email address),...
Subject: Your ex sent me this pciture of you.
Hey (email address),
Your ex sent me this picture claiming it's you. Is it really so? You probaly should see a doctor:) They can cure it now:).
Attachment: ""

The attached file is a ZIP archive that contains an executable file named "IMG04958.exe" (SHA1: 51dd01ab8f18bc5e7875526db241d4ea79c136e8), detected as Worm:Win32/Gamarue.E.

Scanning other messages, I noticed three additional spam campaigns using different subject lines and message body text:

  • "I got you busted bro. You won't deny the obvious now. Check the photo in attachment ."
  • "I'm sorry man you seem to be in trouble. My girfriend got this picture of you yesterday and sent to your wife. Hope you can handle it"
  • "I got your picture yesterday, who is that girl next to you? In attachment"

The theme of the spam uses a type of social engineering that leverages the shock of allegation to trick the recipient into opening the attached file. If the recipient opens the attached file in an unprotected environment, this Win32/Gamarue variant will try to download other malware.

  • Downloads "888.exe" from IP
    235964da72a80425dfb74efc264fa0ba4d8189c7 – Trojan:Win32/Hioles.C
  • Downloads "sol.exe" from IP
    cfb374ae373f49ed7bf8da92fe725b4eaff5e1a5 – Trojan:Win32/FakeSysdef

Gamarue also communicates with a command and control server on a bot network to perform actions against the infected computer.

It can't be emphasized enough in our recommendation that you apply an "ointment" (i.e. active security scanning) to help prevent "outbreaks".

-- Patrick Nolan, MMPC