Security Response has received reports of a fake email purporting to have come from the US Department of Justice. The email informs the recipient of a complaint received by the IRS against the recipient’s business. The email looks reasonably well crafted and most people would tend to treat emails from the US Department of Justice with at least a bit of urgency.
The details of the email are as follows:
Complaint Case Number: 895285164 (Note the case number may vary)
US Department of Justice [firstname.lastname@example.org]
The email may contain the following text. Please note that the name of the plaintiff, the date and case number may vary. Despite the message that states an attachment is included with the email, there may or may not be any attachments.
Dear citizen ,
A complaint has been filled against your company in regards to the business services it provides .The complaint was filled by Mr. Henry Stewart on 06/19/2007/ and has been forwarded to us and the IRS .
Complaint Case Number: 895285164
A copy of the original complaint and the contact information of Mr. Henry Stewart has been attached to this e-mail.
original_complaint.doc (already detected as Trojan.Trickanclick)
When this document is opened, it contains a message asking the user to manually open an embedded MSWord.exe (already detected as Downloader) file due to problems encountered by Microsoft word. If the embedded .exe file is run, it attempts to download other files from a remote location. At this time the remote files are unavailable.
Users of Symantec Antivirus products are already protected; however users should remain vigilant.
In addition Symantec Security Response recommends the following:
• DO NOT respond to this email.
• DO NOT double click or open any attachments that may be found in the email.
• DO NOT follow or click on any links that may be found in the email.
• Delete this email.
• Ensure that their antivirus definitions are up to date.
As in interesting twist to this tale, we have also reasons to believe that the people responsible for this spam run may also be responsible for the recent fake Microsoft patch emails as well. The executable file used in both attacks is in fact the same but with the file names changed to suit the nature of the social engineering trick used. Given the low tech methods employed in these attacks it would appear that they are mounted by relative amateur players.
Based on current form, we would expect to see these busy bodies repackaging this Trojan in the form of a new scam email and dishing it up again and again. July the fourth is just around the corner and the reappearance of this Trojan in bogus electronic greeting card emails for July 4th celebrations is a pretty good bet.