Hi all, Adam Thomas here from the Spyware Research team.

We continue to receive reports of attacks claiming to be “Internal Revenue Service Complaint” or Better Business Bureau complaints. In fact, Alex just received this message below:

As we have mentioned before, malware authors have been embedding Trojans inside of .RTF documents. This particular attack, however, contains a link to download the “complaint documents”: {removed}.doc.exe
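As an added example that is not part of the original post, a mail filter can flag links whose file name shows a document extension but ends in an executable one, like the `.doc.exe` download above. The extension lists, function names, and sample message are assumptions made for illustration.

```python
import posixpath
import re
from email import message_from_string
from urllib.parse import unquote, urlsplit

# Assumed lists for illustration; tune them to your own mail policy.
DECOY_EXTS = {"doc", "docx", "rtf", "pdf", "xls", "txt"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def double_extension(url):
    """Return (decoy_ext, real_ext) if the linked file name looks like name.doc.exe."""
    path = unquote(urlsplit(url).path)  # drop the query string, decode %20 padding
    parts = posixpath.basename(path).lower().split(".")
    if len(parts) < 3:
        return None
    decoy, real = parts[-2].strip(), parts[-1].strip()  # strip space padding
    if real in EXEC_EXTS and decoy in DECOY_EXTS:
        return decoy, real
    return None

def suspicious_links(raw_message):
    """Scan every text part of an RFC 822 message for double-extension links."""
    hits = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue
        # decode=True undoes base64 / quoted-printable; containers yield None
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        for url in URL_RE.findall(text):
            url = url.rstrip(".,;)")  # trailing sentence punctuation
            found = double_extension(url)
            if found:
                hits.append((url, *found))
    return hits

# Constructed sample (not the email from the post); example.test is a reserved name.
SAMPLE = """\
From: complaints@example.test
Content-Type: text/plain; charset=utf-8

Download the complaint documents: http://files.example.test/case/complaint.doc.exe
Our FAQ: http://www.example.test/help/faq.doc
Padded: http://files.example.test/case/complaint.rtf%20%20%20.scr.
"""

if __name__ == "__main__":
    for url, decoy, real in suspicious_links(SAMPLE):
        print(f"shown as .{decoy}, runs as .{real}: {url}")
```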

It is interesting to note that this malware fails to execute unless a specific DLL is present on the system: QTINTF.dll – This DLL is used and installed by Borland Delphi applications. Considering this, we are not too sure how effective this particular attack will be. I will note though that Alex actually used to be an employee of Borland.

With the correct DLL present, the Trojan is able to execute. An instance of Internet Explorer is launched and your browser is pointed to a web page informing you that the complaint is closed and to disregard any further notifications:

The Trojan then collects stolen data (URLs visited and data from web forms) using a Browser Helper Object (BHO). This data is then uploaded to these two domains:


Of course we will continue to monitor this ongoing situation and keep you all informed whenever we have more information.

One final note: The IRS has asked that anyone who receives a suspicious email such as this please forward the email to them:

Adam Thomas

UPDATE: The malware authors have modified their code. As a result, the Trojan no longer requires the aforementioned DLL in order to run.