Email is a great way to communicate with a wide audience, and the bad guys know it. We have seen yet another case of spam email that contains malicious code as an attachment. The attachment is a ZIP file (WC2905036.zip -> WC2905036.exe) that contains a Trojan horse program that will create a backdoor on a user's system when executed. This threat is detected as Backdoor.Haxdoor.O. Some variants may be detected as Backdoor.Haxdoor.I.
This Trojan attempts several things: downloads and executes files, logs keystrokes, listens on TCP ports, etc. We have only seen a few minor variants thus far, but one thing to be aware of is that the spam email purports to be from an online retailer that is asking the user to review an attached invoice. We have seen two versions of the email so far, and two different versions of the file attached to the email. It may be that the sender plans on using multiple versions of the spam in an attempt to bypass scanners. This may be originating from a Russian source, based on similarities to previous versions of Backdoor.Haxdoor. However, this is speculation at this point. The email text shows signs of being composed by a non-native English speaker.
Normally Symantec wouldn’t issue an outbreak blog about a Category 1 backdoor threat, but we have received a number of inquiries about this and our submission rate of this threat is higher than normal. In addition, the spam email claims to be coming from legitimate online retailers, so we’re watching this one very closely. Symantec has published updated virus definitions to detect these variants. For more information on this threat, you should visit Symantec's Threat Advisory Center.
Symantec recommends the following actions to prevent infection:
• Avoid opening unknown or unexpected e-mail attachments or following Web links from unknown or unverified sources.
• Run LiveUpdate and ensure you have the latest AntiVirus definitions.
• Use an Internet security solution such as Norton Internet Security to protect against today's known and tomorrow's unknown threats.
Taking steps like the ones listed above will go a long way towards keeping you safe on the Internet. We have seen hundreds of social engineering attacks over the years, and we will probably continue to see them. Why? Because unfortunately, they often work.