I received the following mail:
"Excuse me,I got to show you this picture in attachment. I can't tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who's that dude??."
Some other example mails with a similar subject and content:
RE:Check the attachment you have to react somehow to this picture
Hello ,
I have a question- have you seen this picture of yours in attachment?? Three facebook friends sent it to me today... why did you put it online? wouldn't it harm your job? what if parents see it? you must be way cooler than I thought about you man :)))) .
RE:You HAVE to check this photo in attachment man
Hi there ,
But I really need to ask you - is it you at this picture in attachment? I can't tell you where I got this picture it doesn't actually matter... The question is is it really you???.
There are a few more, but I'll stop there. In all cases you HAVE to check the picture in the attachment; how else can you be sure it's not you in an embarrassing photo ;-) ?
Attached is a file called IMG9837.dat. In fact, an executable with the exact same name (IMG9837.exe) is embedded in it:
An Adobe icon is used to trick the user
When executed, this file phones home, or calls back (the term used for malware that connects to a remote address to receive instructions or download additional malware), to the following IP: 92.246.166.131
Scan report by IPVoid - http://ipvoid.com/scan/92.246.166.131
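Where a firewall or proxy keeps egress logs, the callback address above is the first thing to search for, since any internal host that connected to it has at least run the attachment. The following script is an added example and not part of the original post: it pulls source and destination addresses out of iptables-style LOG lines and counts connections to the callback IP per internal host. The log lines are constructed for the example, and an IP indicator like this goes stale quickly, so the IPVoid scan should be read as a snapshot, not a permanent blocklist entry.

```python
import re
from collections import Counter

# Callback address named in the post. IP indicators age quickly, so treat
# this as a point-in-time IOC rather than a permanent blocklist entry.
CALLBACK_IPS = {"92.246.166.131"}

# Constructed sample of iptables-style LOG lines from an egress firewall
# (not from the original post). 10.0.0.0/8 is the internal network;
# 198.51.100.7 is a documentation address standing in for benign traffic.
SAMPLE_LOG = """\
Nov 10 09:12:01 gw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.21 DST=92.246.166.131 PROTO=TCP SPT=49201 DPT=80
Nov 10 09:12:03 gw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.21 DST=92.246.166.131 PROTO=TCP SPT=49202 DPT=80
Nov 10 09:13:10 gw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.35 DST=198.51.100.7 PROTO=TCP SPT=51004 DPT=443
Nov 10 09:13:11 gw kernel: some unrelated message without address fields
Nov 10 09:14:27 gw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.48 DST=92.246.166.131 PROTO=TCP SPT=50121 DPT=80
"""

# Matches the SRC=/DST= pair that the iptables LOG target writes.
ADDR_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3}) DST=(\d{1,3}(?:\.\d{1,3}){3})\b")


def find_callbacks(log_text: str, iocs=CALLBACK_IPS) -> dict:
    """Return {internal source IP: number of connections} for every line
    whose destination is one of the callback addresses."""
    hits = Counter()
    for line in log_text.splitlines():
        m = ADDR_RE.search(line)
        if m is None:
            continue  # not a firewall LOG line, skip it
        src, dst = m.groups()
        if dst in iocs:
            hits[src] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, n in sorted(find_callbacks(SAMPLE_LOG).items()):
        print(f"{host} contacted the callback address {n} time(s); isolate and image this host")
```

A host appearing in this output should be treated as compromised regardless of what its antivirus says, since the downloaded payload (fas.exe below) had almost no detection at the time.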
In this case, the malware downloads an additional executable called fas.exe. Let's review some more information about both files:
IMG9837.exe
VirusTotal detection ratio: 26/42
MD5: bc3f1b422b01781ad23bd33340ece671
VirusTotal Report
ThreatExpert Report
Anubis Report
fas.exe
VirusTotal detection ratio: 3/41
MD5: 6ffb6ce20915dfb7f723d46fcea87b3f
VirusTotal Report
ThreatExpert Report
Anubis Report
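The attachment relies on two things: a harmless-looking extension and an Adobe icon. Neither survives a look at the bytes. The script below is an added example and not part of the original post: it ignores the filename, checks for the DOS "MZ" stub and the "PE\0\0" signature it points to, and compares the MD5 against the two hashes listed above. The fake PE and fake JPEG samples, and the function names, are constructed for the example; the real samples are not reproduced here.

```python
import hashlib
import struct

# MD5s listed in the post for the two samples in this campaign.
KNOWN_MD5 = {
    "bc3f1b422b01781ad23bd33340ece671": "IMG9837.exe (attachment dropper)",
    "6ffb6ce20915dfb7f723d46fcea87b3f": "fas.exe (downloaded rogueware loader)",
}

# Extensions under which a PE file is expected; a PE under any other name is a disguise.
EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr", "com", "cpl", "sys"}


def is_pe(data: bytes) -> bool:
    """True if the bytes carry a DOS 'MZ' stub whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature, whatever the name says."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # A slice past the end is simply short, so a bogus e_lfanew fails the compare.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment by its content and hash, never by its extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    md5 = hashlib.md5(data).hexdigest()
    pe = is_pe(data)
    known = KNOWN_MD5.get(md5)
    if known:
        verdict = "malicious: known sample " + known
    elif pe and ext not in EXECUTABLE_EXTENSIONS:
        verdict = "suspicious: executable disguised as ." + ext
    elif pe:
        verdict = "executable"
    else:
        verdict = "not a PE file"
    return {"filename": filename, "md5": md5, "is_pe": pe, "known": known, "verdict": verdict}


def build_fake_pe() -> bytes:
    """Constructed stand-in for IMG9837.exe: a 64-byte DOS header with
    e_lfanew = 0x40, followed by the PE signature. Not the real sample."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


# Constructed stand-in for a genuine JPEG attachment (SOI + APP0 marker).
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 60

if __name__ == "__main__":
    for name, blob in (("IMG9837.dat", build_fake_pe()), ("holiday.jpg", FAKE_JPEG)):
        print(triage_attachment(name, blob))
```

The hash match only catches these two exact files; the structural check is what carries over to the next campaign, since a repacked dropper gets a new MD5 but still has to be a PE to run.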
In this case, fas.exe loads one of the known fake defragmenter rogues (rogueware posing as a disk-repair tool), for example:
System Defragmenter. This rogueware also hides your Desktop and Start Menu
(picture: bleepingcomputer.com)
Prevention
- Be wary when receiving such emails, even if they come from someone you know.
- Don't open attachments from unknown senders - ever.
Disinfection
If the harm is already done and you are getting warnings, messages or pop-ups stating you are infected and need to take 'immediate action' to clean your computer, follow BleepingComputer's guide below to rid yourself of this malware:
BleepingComputer's Virus Removal
Conclusion
Pretty simple. Never open any emails from unknown senders, and certainly not attachments.
Keep your antivirus and operating system up to date, as well as your applications (for example Adobe and Java)!
Follow the steps above should you have been hit by this spam campaign/rogueware.