Malware disguised as an MMS message
Contributed by: Email on 11/05/2012 02:57 PM [ Comments ]
Cyber criminals are currently spreading malware by sending a large number of email messages purporting to be from Vodafone's MMS gateway. These emails have the subject "You have received a new message" and claim that the recipient has been sent a picture message over MMS from a Vodafone customer.
The Vodafone email address used and the supposed telephone number sending the messages varies; even the country code is changed based on the location being targeted. For example, in the UK emails are being sent from mms@vodafone.co.uk and have the the +44 country code, while in Germany the messages claim to come from mms@vodafone.de and carry a +49 in front of the mobile number.
The messages say that a picture message is in the attached "Vodafone_MMS.zip" file. However, once unzipped, it only contains an executable named "Vodafone_MMS.jpg.exe" that will install malware onto a victim's system when launched. According to VirusTotal, the malware is currently only detected by just 8 of 44 anti-virus programs used by the online virus scanner service.
An analysis of the file in a sandbox leaves no doubts about its malicious intentions: among other things, it copies itself to C:\Documents and Settings\All Users\svchost.exe and then hides itself under SunJavaUpdateSched to launch when Windows first boots.
As always, users are advised to refrain from opening unsolicited attachments. To avoid accidentally opening such files and becoming infected with malware, Windows users should also make sure that file name extensions are always shown.
The Vodafone email address used and the supposed telephone number sending the messages varies; even the country code is changed based on the location being targeted. For example, in the UK emails are being sent from mms@vodafone.co.uk and have the the +44 country code, while in Germany the messages claim to come from mms@vodafone.de and carry a +49 in front of the mobile number.
The messages say that a picture message is in the attached "Vodafone_MMS.zip" file. However, once unzipped, it only contains an executable named "Vodafone_MMS.jpg.exe" that will install malware onto a victim's system when launched. According to VirusTotal, the malware is currently only detected by just 8 of 44 anti-virus programs used by the online virus scanner service.
An analysis of the file in a sandbox leaves no doubts about its malicious intentions: among other things, it copies itself to C:\Documents and Settings\All Users\svchost.exe and then hides itself under SunJavaUpdateSched to launch when Windows first boots.
As always, users are advised to refrain from opening unsolicited attachments. To avoid accidentally opening such files and becoming infected with malware, Windows users should also make sure that file name extensions are always shown.
Comments