Today, we caught a very pernicious spam loaded with malware from the “Better Business Bureau”.
Now, a more generic version of this spam was reported on an antispam forum recently, likely from a worm. However, this version we received today is highly personalized, possibly even a targeted attack.
Notice the level of personalization – Stu Sjouwerman is our VP of Marketing and Sunbelt Software, is, of course, us. Companies without adequate defenses may very well get this document and open it.
Analyzing the file showed all kinds of interesting things. It’s an RTF document that is using packager.exe to embed an OLE object that contains an FSG-packed download/worm (FSG is a type of packer commonly used by malware authors).
When opened, it downloads:
1. More malware
2. TightVNC
3. WinRAR
In essence, this thing is designed to steal data. The results on VirusTotal are very thin for this rtf document.
Alex Eckelberry
(Thanks to Sunbelters Adam Thomas and Eric Sites)