Tuesday, April 24, 2012

You HAVE to check this picture

In today's post, we'll be highlighting an older trick that's being used again by spammers and malware authors.

I received the following mail:

"Excuse me,I got to show you this picture in attachment. I can't tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who's that dude??."

Some other example mails with a similar subject and content:
RE:Check the attachment you have to react somehow to this picture
Hello ,
I have a question- have you seen this picture of yours in attachment?? Three facebook friends sent it to me today... why did you put it online? wouldn't it harm your job? what if parents see it? you must be way cooler than I thought about you man :)))) .

RE:You HAVE to check this photo in attachment man
Hi there ,
But I really need to ask you - is it you at this picture in attachment? I can't tell you where I got this picture it doesn't actually matter... The question is is it really you???.

There are a few more but I'll stop there. In all cases, you HAVE to check the picture in attachment, how else can you be sure it's not you in an embarrassing photo ;-) ?

Attached is a file called IMG9837.dat. In fact, an executable is embedded with the exact same name:

An Adobe icon is used to trick the user

When executed, this file will phone home or call back (terms used for malware that connects to a remote address to either receive instructions or download additional malware) to the following IP:

Scanreport by IPvoid - http://ipvoid.com/scan/

In this case, the malware downloads an additional executable called fas.exe. Let's review some more information about both files:

Result: 26/42
MD5: bc3f1b422b01781ad23bd33340ece671
VirusTotal Report
ThreatExpert Report
Anubis Report

Result: 3/41
MD5: 6ffb6ce20915dfb7f723d46fcea87b3f
VirusTotal Report
ThreatExpert Report
Anubis Report

In this case, fas.exe will load one of the known fake Defragger rogues, for example:

System Defragmenter. This rogueware also hides your Desktop and Start Menu
(picture: bleepingcomputer.com)


- Be wary when receiving such emails, even if it's from someone you know.
- Don't open attachments from unknown senders - ever.
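
On the mail-gateway side, the mismatch described above (an attachment named like IMG9837.dat that is really a Windows executable) can be caught by inspecting the content instead of the name or icon. The following is an added example, not part of the original post: it flags any attachment whose bytes carry a DOS/PE header and reports its MD5 for lookup; the function names and the sample message are constructed for illustration.

```python
import hashlib
import struct
from email.message import EmailMessage


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header that points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    # e_lfanew: little-endian offset of the PE header, stored at 0x3C
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def scan_attachments(msg):
    """Return (filename, md5, is_executable) for every attachment in msg."""
    results = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        results.append((part.get_filename(),
                        hashlib.md5(payload).hexdigest(),
                        looks_like_pe(payload)))
    return results


def build_sample_message():
    """Constructed sample: a mail with a fake PE stub named like the attachment in this post."""
    stub = bytearray(0x80)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> 0x40
    stub[0x40:0x44] = b"PE\x00\x00"
    msg = EmailMessage()
    msg["Subject"] = "RE:You HAVE to check this photo in attachment man"
    msg.set_content("constructed body")
    msg.add_attachment(bytes(stub), maintype="application",
                       subtype="octet-stream", filename="IMG9837.dat")
    # Constructed non-executable attachment for comparison
    msg.add_attachment(b"\xff\xd8\xff\xe0 constructed jpeg-like bytes",
                       maintype="image", subtype="jpeg", filename="holiday.jpg")
    return msg


if __name__ == "__main__":
    for name, md5, is_exe in scan_attachments(build_sample_message()):
        print(f"{name}  md5={md5}  {'EXECUTABLE CONTENT' if is_exe else 'ok'}")
```
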


If the harm is already done and you are getting warnings, messages or pop-ups stating you are infected and you need to take 'immediate action' to clean your computer, follow the guide below at BleepingComputer's to rid yourself of this malware:

BleepingComputer's Virus Removal


Pretty simple. Never open any emails from unknown senders, and certainly not attachments.

Keep your Antivirus and Operating System up-to-date, as well as your applications (for example Adobe and Java)!

Follow the steps above should you have been hit by this spam campaign/rogueware.


  1. Hi! Does the rate of updates of your portal depend on specific things or you work on articles when you have an inspiration or write blog entries in case you have sufficient time on it? Many thanks in advance for your reply.

    1. Depends, mostly if I stumble upon something interesting, I post about it.