“Virus Check” Malware Attack in Japanese
We’ve recently seen a slew of emails that ask recipients to run a virus scan using an attached virus checking tool. We see emails like this pretty often; however, this time the language used in the attack is Japanese. According to JPCERT, the email has the following characteristics:
English translation:
Subject: [Emergency] all employees participate in searching for virus, malicious script
Body: Please follow the directions in the attached manual to confirm if there is a virus on the computer. Thanks for your cooperation.
The email has an attachment with an icon for a Microsoft Word file, but it's actually a screensaver file (.scr) as noted by the explanatory text in Japanese, which translates to “screensaver”.
When the user attempts to open the .scr file, a Word document opens as well, providing instructions on how to check for malware. This isn’t the executed file, but actually a file named virus.doc, which is dropped by the screensaver file. In the background, Trojan.Dropper is also dropped on the computer.
Trojan.Dropper, which interestingly contains a fake digital signature, then drops Backdoor.Trojan onto the system, and the backdoor spies on the computer.
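A mail-gateway style check for the disguised attachment described above, as an added example that is not from the original post or from JPCERT: it judges each attachment by its extension and leading bytes rather than by its icon or declared type. The attachment name manual.scr, the sample bytes, the extension list and the function names are constructed assumptions.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows launches as programs; .scr is the one described above.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".cpl"}
DOCUMENT_TYPES = {"application/msword", "application/pdf"}

def inspect_attachments(raw_message: bytes):
    """Return [(filename, [reasons])] for attachments that look like disguised programs."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        is_pe = data[:2] == b"MZ"  # DOS/PE header, whatever the name or icon says
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable extension " + ext)
        if is_pe and ext not in EXECUTABLE_EXTS:
            reasons.append("PE content under a non-executable name")
        if is_pe and part.get_content_type() in DOCUMENT_TYPES:
            reasons.append("declared as document, content is PE")
        if reasons:
            findings.append((name, reasons))
    return findings

def build_sample() -> bytes:
    """Constructed message modelled on the translated email; file names and bytes are invented."""
    msg = EmailMessage()
    msg["Subject"] = "[Emergency] all employees participate in searching for virus, malicious script"
    msg.set_content("Please follow the directions in the attached manual.")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="msword", filename="manual.scr")
    msg.add_attachment("Meeting notes", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reasons in inspect_attachments(build_sample()):
        print(name, "->", "; ".join(reasons))
```

The check does not validate digital signatures, so the fake signature on the dropped Trojan.Dropper still has to be caught by endpoint tooling.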
It's not too common to see malware attacks in Japanese, but that doesn't mean they do not occur. Don’t be caught off guard—keep your virus definitions up-to-date and please follow security best practices, no matter what language is used.