Spam mails promoting a rally against newly elected Russian president Vladimir Putin began circulating around March 5. Symantec researchers warn that the attachment in the spam mail leads to a malware infection.
The spam mail carries an attachment purporting to contain details of an upcoming anti-Putin demonstration, sent under email subjects with varying call-to-action lines:
- “All to demonstration”
- “Instructions what to do”
- “Meeting for the equal elections”
The body of the email contains just one sentence indicating that the attached document contains “Instructions of your actions on rally against Putin” or that “It is very important that you know what to do on the day as everybody will follow the same instructions”. This tricks users into opening the malicious attachment.
Symantec security solutions detect the attachment as Trojan.Dropper. The document contains a malicious macro, which drops and executes an encrypted executable component detected as Trojan.Gen.
If macros are enabled when the document opens, a particularly nasty Trojan is executed that searches for and then overwrites any files with the following extensions: .7z, .doc, .exe, .msc, .rar, .xls, .zip.
Once it has destroyed all of the above files by overwriting them, it runs code that crashes the computer (blue screen) through a call to the RtlSetProcessIsCritical API.
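The infection described above only proceeds when macros are enabled at document open. As an added example (not from the article, Symantec or the malware itself), the following PowerShell audits and tightens the per-user Office macro policy; it assumes Office 2016/2019/365 (registry version 16.0) and the documented VBAWarnings meanings 1 = enable all, 2 = disable with notification, 3 = disable except digitally signed, 4 = disable all without notification.

```powershell
# Added example: audit and harden the per-user Office VBA macro policy.
# Assumes Office 16.0 (2016/2019/365); change $OfficeVersion for other builds.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# Documented VBAWarnings values (HKCU\Software\Microsoft\Office\<ver>\<app>\Security)
$VbaPolicy = @{
    1 = 'Enable all macros (weak: a macro dropper like the one above runs on open)'
    2 = 'Disable with notification (Office default; the user can still click Enable)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification (hardened)'
}

function Get-MacroPolicy {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
        $value = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -eq $value) { $value = 2 }   # an absent value means the Office default applies
        [pscustomobject]@{
            Application = $app
            VBAWarnings = $value
            Meaning     = $VbaPolicy[[int]$value]
            AtRisk      = ($value -eq 1)        # the precondition the dropper relies on
        }
    }
}

function Set-MacroPolicy {
    param([ValidateSet(3, 4)][int]$Level = 4)
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $Level -Type DWord
        # Office 2016+: additionally block macros in files carrying the Mark-of-the-Web,
        # which covers documents that arrived as e-mail attachments.
        Set-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -Value 1 -Type DWord
    }
}

# Show the current state, then harden if any application allows all macros.
Get-MacroPolicy | Format-Table -AutoSize
if (Get-MacroPolicy | Where-Object AtRisk) { Set-MacroPolicy -Level 4 }
```

Group Policy values under HKCU\Software\Policies take precedence over these per-user keys, so in a managed environment apply the same settings through GPO instead.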