Description
Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that claim to contain a wire transfer notification for the recipient. The text in the e-mail message attempts to convince the recipient to open the attachment and view a copy of a receipt. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.
E-mail messages that are related to this threat (RuleID5563 and RuleID5563KVR) may contain the following files:
Payment slip ID-GF-37840.zip
Payment slip ID-GF-37840.exe
Payment notification id ED-4950.zip
Payment notification id ED-4950.exe
The Payment slip ID-GF-37840.exe file in the Payment slip ID-GF-37840.zip attachment has a file size of 72,704 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0xDA86A2A45A60F1DD659CD1D942207ACD
The Payment notification id ED-4950.exe file size in the Payment notification id ED-4950.zip is not available. The MD5 checksum is also not available.
The following text is a sample of the e-mail message that is associated with this threat outbreak:
Message Body:
From: "Bank of America"
To:
Date: Sun, 17 Mar 2013 12:43:33 -0500WIRE transaction is completed. $4597 has been successfully transferred. If the transaction was made by mistake please contact our customer serviceReceipt on payment is attached.*** This is an automatically generated email, please do not reply ***
Source: Cisco