"Here you have" Email Campaign - malicious SCR masquerading as a PDF
You may have seen in the news that an email campaign with the subject "Here you have" is spreading in the wild. Websense Security Labs™ ThreatSeeker™ Network has been tracking this campaign over the last 24 hours.
While crafting and sending malicious PDF attachments with spam emails has become a common practice for malware authors, it is interesting to see that there's no need to re-invent the wheel. They can just use old techniques - in this case, masquerading .scr executable files under a link to a supposed PDF.
On 9 September 2010, we saw tens of thousands of these mails. The text in the email suggests that the recipient should look at the PDF document (using link 1), which in reality is an SCR executable file hidden under this link (link 2).
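The lure works because the visible link text claims a PDF while the actual target is a Windows screensaver executable (.scr). The following is an added example, not Websense code, showing how a mail-filtering or triage script can flag that mismatch: it parses the HTML body of a message, pairs every anchor's visible label with its href, and reports anchors whose label claims a document but whose target path ends in an executable extension. The sample message and the `example.invalid` URLs are constructed for illustration and do not reproduce the real campaign's hosting location.

```python
"""Flag HTML anchors whose visible label claims a document (e.g. a PDF) but
whose target URL points at an executable download such as a .scr file.

Added example for illustration; not Websense's code. SAMPLE_EMAIL_HTML and
the example.invalid URLs are constructed and are not the real campaign's.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types Windows will run directly when the download is opened.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Document types a deceptive link label typically claims to be.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._in_anchor = False
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._in_anchor = True
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._in_anchor:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._in_anchor:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._in_anchor = False
            self._href = None


def _extension(path_like):
    """Lower-cased last extension of a URL path or link label, or '' if none."""
    last_segment = path_like.rsplit("/", 1)[-1]
    if "." not in last_segment:
        return ""
    return "." + last_segment.rsplit(".", 1)[-1].lower()


def find_masqueraded_links(html_body):
    """Return anchors whose label claims a document but whose target is executable.

    The query string is ignored on purpose: only the URL path decides what the
    server will hand back, so '?file=report.pdf' cannot launder a .scr target.
    """
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        if not href:
            continue
        target_ext = _extension(urlparse(href).path)
        label_ext = _extension(text)
        claims_document = label_ext in DOCUMENT_EXTENSIONS or "pdf" in text.lower()
        if target_ext in EXECUTABLE_EXTENSIONS and claims_document:
            findings.append({"href": href, "text": text, "target_ext": target_ext})
    return findings


# Constructed sample body: the first link's label says PDF, its target is a .scr binary;
# the second link is a genuine PDF and must not be flagged.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Please review the document I mentioned:
<a href="http://example.invalid/users/u123/report.scr">report.pdf</a></p>
<p>Last quarter's figures: <a href="http://example.invalid/q2/report.pdf">Quarterly report (PDF)</a></p>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_masqueraded_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: label {hit['text']!r} points to a {hit['target_ext']} file at {hit['href']}")
```

In a gateway this check belongs alongside, not instead of, attachment and download inspection: the label-versus-target comparison catches the social-engineering layer of this campaign even when the binary itself is not yet detected by antivirus.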
When the user clicks and follows the link, a malicious file is downloaded, which further spreads the email campaign by pillaging the user's Outlook address book. This makes the attack more convincing, because the next round of messages arrives from a sender the recipient knows and trusts.
At the time of writing, the Multimania user area account which hosted the malicious SCR file has been deactivated; however, the email campaign is still ongoing.
As of yesterday afternoon US time the VirusTotal detection of the file was around 30%.
Websense® Messaging and Websense Web Security customers are protected against this attack.
UPDATE
We are aware that this threat has been a major issue for many organizations. We have confirmed that we have had detection for the file in WSG since November 2009. Please be aware that this worm has also been known to spread via routes other than email, such as USB autorun and file shares.