Since late last week, we have been observing a fair number of spam messages with a Trojan payload, purporting to be a money transfer notification from Western Union. The spam looks like this (the attachment in this screenshot has been stripped by a scanner; the actual attachment should read “Western Union Information.exe”):
The text may read something like this:
Dear Mike
Total of #3750 has been transferred by western union
MTCN number is 007-188-6024.
Enclosed is the western union sheet
Robert
or
Dear Mike
Total of $3750 has been transferred by wetern union
The MTCN number is 007-188-6024.
Enclosed is the transfer sheet
I hope this settles my transfer
Robert
The payload is Trojan.Perfloger (there are many other descriptions; a VirusTotal scan is here).
After the Trojan is executed, the user sees a text file:
But that, of course, is the least of their problems.
An analysis of the program is on the Sunbelt Sandbox, here.
Alex Eckelberry
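A mail-gateway triage check for the traits described in this post (an executable attachment arriving with Western Union / MTCN lure text), as an added example that is not part of the original post. The function names, extension list, regexes and the sample subject line are assumptions made for illustration, and the sample message is constructed from the lure wording quoted above with harmless stub bytes as the attachment.

```python
import os
import re
from email.message import EmailMessage

# Extensions Windows runs directly; the attachment on this page is an .exe.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# "wes?tern" also matches the "wetern" misspelling in the second variant.
BRAND_RE = re.compile(r"\bwes?tern\s+union\b", re.I)
# MTCN in the 3-3-4 digit layout used by the lure text.
MTCN_RE = re.compile(r"\bMTCN\b.{0,20}?\b\d{3}-\d{3}-\d{4}\b", re.I | re.S)


def triage(msg):
    """Return (quarantine, reasons) for a parsed email message."""
    attachments, lure, body = [], [], []
    for part in msg.walk():
        name = part.get_filename() or ""
        # Only the final extension counts, so "sheet.pdf.exe" is still caught.
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
            attachments.append("executable attachment: " + name)
        elif part.get_content_type() == "text/plain" and not name:
            raw = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            body.append(raw.decode(charset, "replace"))
    text = " ".join(body + [str(msg.get("Subject", ""))])
    if BRAND_RE.search(text):
        lure.append("money-transfer brand in text")
    if MTCN_RE.search(text):
        lure.append("MTCN-style number in text")
    # Quarantine only when an executable attachment accompanies lure text.
    return bool(attachments) and bool(lure), attachments + lure


def build_sample(filename):
    """Constructed message reusing the lure wording quoted in the post."""
    msg = EmailMessage()
    msg["Subject"] = "Transfer notification"  # constructed subject
    msg.set_content(
        "Dear Mike\nTotal of $3750 has been transferred by wetern union\n"
        "The MTCN number is 007-188-6024.\nEnclosed is the transfer sheet\n")
    msg.add_attachment(b"stub", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


if __name__ == "__main__":
    for fn in ("Western Union Information.exe", "transfer sheet.txt"):
        print(fn, triage(build_sample(fn)))
```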