During the past few weeks I have had a lot of calls from users about an increased number of spam e-mails with a virus in the attachment. The virus takes the form of a JScript executable file inside a zip archive.
The archive, and the executable inside it, usually has a name like Document, Scan document, Invoice or Refund, sometimes with numbers appended. At first glance they look like legitimate documents. However, if you believe they are legitimate and try to open them, you will execute a Trojan. That Trojan typically opens a backdoor on your computer and prepares the download of further malicious code.
In most cases, these messages are sent from e-mail addresses that are relatively easy to identify as fake. The sender name may be meaningless, and if you look at the e-mail address you will see numbers after the name. Company e-mail addresses rarely contain numbers.
In the meantime, these messages have evolved. We can see “documents” sent from addresses like email@example.com or firstname.lastname@example.org. The domain company.com is actually your own company's domain. In most companies that use network printers and scanners, such e-mail addresses really exist. Well, sometimes IT people are not too creative.
The latest version of these e-mails pretends that the sender is the same as the recipient. When a user sees such an e-mail, he will either curiously open it to see what he sent to himself (worst case) or immediately call the IT helpdesk (best case). Don't worry: if you see an e-mail like this, you most likely did not send anything to yourself and you do not have a virus on your computer. And always call the IT helpdesk if you are not sure what to do.
These e-mails arrive from different computers around the world. In most cases the sending machine is part of a wider botnet, so you cannot simply block the sending IP addresses. The bigger problem, however, is that many anti-virus (AV) solutions do not detect them quickly enough after they appear in the wild, which means such e-mails can pass many AV filters.
Anatomy of the message
We will now show how this looks in real life. You open your mailbox (the screenshots are from Microsoft Outlook 2013, but other e-mail clients look very similar) and, among all the other messages, you see one like this:
Well, someone wants to refund me some money. That is very nice, if there is a reason for it. Now ask yourself whether you expect any refund. If you are curious and you know how to safely open a suspicious e-mail message, you can open it. Remember, you should be very careful when opening any suspicious e-mail.
Opening the e-mail itself will not run the virus in this case. The virus is in the archive attached to the e-mail.
We opened the e-mail message and can see text similar to this:
Now we will go through all the unusual or suspicious parts of this e-mail.
At the top we see a sender name. It looks like a real name, so many recipients may not find that part strange. However, if you do not recognize the name and the e-mail claims to contain documents, be careful; even better, be very paranoid.
The e-mail address in parentheses contains numbers (in this example 8276). This is very unusual, as corporate e-mail addresses rarely contain numbers; it looks more like an address on a public e-mail service or an account on a social network.
As we know, every e-mail address consists of a user name and a domain; the domain is the part after the at sign (@). You are right, we cannot know every DNS (and therefore e-mail) domain in the world; we do not even know all the domains inside our own country. In theory, a domain like this can exist, and we can check that if we have time. I described that technique in a previous post about wrong DNS records. However, if you are working with some company and they need to pay you, you will at least know their domain. Therefore, pay attention to this part.
The third thing is the greeting. Here an account name in lowercase letters is used as the personal name of the recipient. No person writes like this, so we have one more proof that this is a machine-generated message.
In the first paragraph of the message we read that some company (here one named Sound Oil) needs to refund money to us. But wait: if you need to refund me money, I must previously have paid you something. If I did not, I cannot expect any refund. One more clue that this is a fake e-mail.
On top of that, the company name (Sound Oil) and the sender domain (timelex.eu) do not match. In most cases they should be similar; I would expect the sender to be from soundoil.com or a similar domain. In the rare case where a third company mediates between your company and the other side, you can expect an e-mail like this, but then you should know that such a company exists. And again, you know the e-mail domain and the person you are working with.
If we analyze the e-mail text, we see that it only seems to be correct English. The sentence The refund will go to your bank account is fine if you personally claimed a refund of a small amount. However, if one company needs to refund money to another company, it should sound more like funds will be credited back to the payment account used. This can also be a signal of a fake e-mail.
The last error we can see is in the signature. In this example, half of the title is missing: the person is Vice President of what? Furthermore, we should ask ourselves why a Vice President would send such an announcement about a refund, when every company should have someone in the position of Account Manager, Head of Accounts or Chief Payments Officer.
The anti-virus analysis
We can save the attachment to disk. As long as we only save it and do not open it, we are safe. Now we upload the sample to the VirusTotal website. Behind that site are more than 50 antivirus programs; they all analyze the uploaded file and return a report about it.
Unfortunately, the analysis is very unpleasant: just 6 out of 57 AV programs flagged this as malicious code.
In my experience, every time I have submitted a sample found in my Inbox, the detection ratio was small. It was not always the same AV engines that found the malware. However, the number of engines that catch it as malware is always small.
I just checked VirusTotal again, and the detection rate for this sample has risen to 29 of 56 AV engines. That is a big improvement. The only problem is that the virus was in the wild for some time and probably did some damage.
What is inside the archive?
We will now check what is inside the archive.
I am not suggesting that you do this, but if you do, you are on your own. You open the archive at your own risk.
A word of caution: I made all these probes and tests in a strictly controlled environment. I used a virtual machine, not connected to the network and not part of the domain, so if something bad happens to that machine, it is localized. Furthermore, I can simply replace the infected virtual hard disk with a healthy one.
We can see in this screenshot that our sample contains two files with the .js extension. This extension belongs to JavaScript or JScript script files, often used for dynamic web pages. They are easy to execute on almost any computer, as they are not tied to a particular operating system and you do not need administrator rights to run them.
JScript files are text files. We can open them with Notepad.
My advice is not to open these files just to see what is inside. However, if you do, you must right-click on them and choose Edit from the context menu. If you choose Open, you will execute them and activate the virus. Given all of this, the best action is simply to delete the whole e-mail.
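The indicators listed under "Anatomy of the message" (digits in the sender's local part, sender identical to the recipient, a greeting that uses the raw account name, a company name that does not match the sender domain, lure attachment names) and the archive check from this section (script files hidden in a zip) can be turned into a small triage script that a helpdesk or mail gateway can run over a saved message. The following Python example is added here for illustration and is not code from the original post. It builds a constructed sample message that resembles the refund lure (the addresses, the company name Sound Oil and the file name Refund_8276.zip are made up for the test), lists the archive without extracting or running anything, and returns a list of indicator tags. The set of script extensions beyond .js is an assumption added here, not something the post names.

```python
import re
import zipfile
from io import BytesIO
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Script types Windows Script Host runs on double-click. Assumption: the post
# names only .js; the other extensions are added here as known script types.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
# Attachment names the post describes as typical for these campaigns.
LURE_NAMES = ("document", "scan", "invoice", "refund")


def _address_parts(addr):
    """Split 'user@domain' into (user, domain), lowercased."""
    user, _, domain = addr.strip().lower().rpartition("@")
    return user, domain


def zip_script_members(zip_bytes):
    """Names inside the archive that carry a script extension.
    The archive is only listed in memory, never extracted or executed."""
    found = []
    with zipfile.ZipFile(BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            lowered = name.lower()
            if any(lowered.endswith(ext) for ext in SCRIPT_EXTENSIONS):
                found.append(name)
    return found


def analyze_message(raw, claimed_company=None):
    """Return indicator tags found in a raw RFC 5322 message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    sender_user, sender_domain = _address_parts(msg["from"].addresses[0].addr_spec)
    recip_user, recip_domain = _address_parts(msg["to"].addresses[0].addr_spec)

    # 1. Digits in the sender's local part: corporate addresses rarely have them.
    if re.search(r"\d", sender_user):
        findings.append("sender-localpart-has-digits")

    # 2. Sender identical to the recipient ("you sent yourself a document").
    if (sender_user, sender_domain) == (recip_user, recip_domain):
        findings.append("sender-equals-recipient")

    # 3. Greeting addresses the recipient by the raw account name.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if re.match(r"\s*(dear|hello|hi)\s+" + re.escape(recip_user) + r"\b", body, re.I):
        findings.append("greeting-uses-account-name")

    # 4. Company named in the text does not appear in the sender's domain.
    if claimed_company:
        token = re.sub(r"[^a-z0-9]", "", claimed_company.lower())
        if token not in re.sub(r"[^a-z0-9]", "", sender_domain):
            findings.append("company-domain-mismatch")

    # 5. Attachments: lure file names, and scripts hidden inside zip archives.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if any(word in fname for word in LURE_NAMES):
            findings.append("lure-attachment-name")
        if fname.endswith(".zip"):
            scripts = zip_script_members(part.get_payload(decode=True))
            if scripts:
                findings.append("zip-contains-script:" + ",".join(scripts))
    return findings


def build_sample_message(self_sent=False):
    """Constructed sample resembling the refund lure; not a real message.
    With self_sent=True the From address is copied from To, as in the
    'sent to yourself' variant the post describes."""
    zbuf = BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        # Constructed, harmless script text standing in for the real payload.
        zf.writestr("Refund_8276.js", "WScript.Echo('sample');")
    msg = EmailMessage()
    recipient = "john.smith@example.com"
    msg["From"] = recipient if self_sent else "Jane Doe <jane.doe8276@example.net>"
    msg["To"] = recipient
    msg["Subject"] = "Refund"
    msg.set_content("Dear john.smith,\n\nSound Oil will refund the amount. "
                    "The refund will go to your bank account.\n\nVice President of")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="Refund_8276.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for tag in analyze_message(build_sample_message(), claimed_company="Sound Oil"):
        print(tag)
```

Run against a message saved as .eml (read it in binary mode and pass the bytes to analyze_message), the tags give the helpdesk a quick, repeatable reason to move the message to Junk or submit the sample. The archive is opened with zipfile purely to read its directory; nothing is written to disk and no member is executed, which is the same "look but do not open" rule the section above describes.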
What should you do with such an e-mail?
First of all, do not open it. Well, anyone can click on such a fake e-mail when they are in a hurry and expecting an urgent e-mail with similar content. Therefore, you need to be very careful.
If you see at least one suspicious thing about any e-mail, double-check it before opening.
When you are sure that it is a fake e-mail, I suggest dragging it to the Junk (or Spam) folder. This starts teaching the spam engine that e-mails similar to that one are not good. After some time, your e-mail client (MS Outlook in this case) will separate similar e-mails automatically.
All you then need to do is check the Junk folder for legitimate e-mails. If you find a regular e-mail there, which can happen from time to time, drag it back to the Inbox and then just empty the Junk folder.
If your antivirus did not detect this virus, you can always send it to the vendor. They collect undetected virus samples and use them to improve their antivirus database. Your submission can be a valuable piece of that effort.