Channel: BOT24

Threat Outbreak Alert: Scanned Xerox Document Attachment E-mail Messages


Description

Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that claim to contain a scanned document sent from a XEROX WorkCentre Pro device for the recipient. The text in the e-mail message instructs the recipient to open the link to view the document. However, the link leads to a .zip file that contains a malicious .exe file; when executed, it attempts to infect the system with malicious code.

E-mail messages that are related to this threat (RuleID5641) may contain the following files:
InfoBlocco.zip
InfoBlocco.Pdf___________.exe

The InfoBlocco.Pdf___________.exe file in the InfoBlocco.zip archive has a file size of 320,000 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0xCEB0C01E110432A0D896BF801C09FFBC
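A defender-side check built from the indicators above, added here as an example and not part of the Cisco alert: it inspects a .zip in memory and flags members whose name hides an executable extension behind a document extension and padding, or whose size and MD5 match the values given. The extension lists in the pattern are assumptions that generalize the single filename in the alert, and the sample archive is constructed from harmless bytes.

```python
import hashlib
import io
import re
import zipfile

# Indicators taken from the alert text above.
ALERT_MD5 = "ceb0c01e110432a0d896bf801c09ffbc"
ALERT_SIZE = 320_000

# Decoy document extension, optional padding, then a real executable extension,
# as in "InfoBlocco.Pdf___________.exe". The extension lists are assumptions.
DECOY_EXE = re.compile(
    r"\.(pdf|docx?|xlsx?|jpe?g|txt)[\s_.\-]*\.(exe|scr|com|pif|bat|cmd)$",
    re.IGNORECASE,
)

def inspect_zip(data: bytes) -> list[dict]:
    """Return one finding per archive member that matches an indicator."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if DECOY_EXE.search(info.filename):
                reasons.append("decoy-extension")
            # Hash only members of the declared size; nothing is written to disk.
            if info.file_size == ALERT_SIZE:
                digest = hashlib.md5(zf.read(info)).hexdigest()
                if digest == ALERT_MD5:
                    reasons.append("md5-match")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings

def build_sample_zip() -> bytes:
    """Constructed test archive: harmless bytes under the alert's filename."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("InfoBlocco.Pdf___________.exe", b"constructed placeholder")
        zf.writestr("report.pdf", b"%PDF-1.4 constructed")
        zf.writestr("setup.exe", b"MZ constructed")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(finding)
```

The filename pattern keeps matching when the archive is repacked with a different payload, which the size and MD5 indicators do not.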

The following text is a sample of the e-mail message that is associated with this threat outbreak:
Subject: Re: Monte Biz

Message Body:

Good morning,
Please read the document.
http: //50.63.190.129/Notare/InfoBlocco.zip?peQLcliQ=idrocat@libero.it
It was scanned and sent to you using a XER0X WorkCentre Pro.
Sent by: Support Number of Document: 1
File Type: ZIP [DOC]
WorkCentre Pro Location:
machine loctaion not set Device Name: 327387162012766.

Source: Cisco Systems
