From Spam Daily News
UK inboxes exposed to Trojan-laden emails
Posted on March 21, 2006
On-demand security services company BlackSpider Technologies estimates that more than 455,000 emails containing the Trojan Downloader.Win32.Agent.adu, aka Clagger-K, hit UK inboxes yesterday during a three-hour window of exposure – the time between the virus being released and an anti-virus vendor issuing a patch.
A second wave, containing the Trojan Downloader.Win32.Agent.dsl, struck this morning, with more than 195,000 Trojan-infected emails being sent to UK businesses before a patch was issued by the anti-virus community.
Both emails used the same subject line and body text, using a transaction with online retailer Amazon as a lure to get recipients to open the attachment. When the attachment is opened, the Trojan is downloaded:
From: Amazon.co.uk
Subject: Your payment done.
Dear customer!
We're writing to let you know that we've initiated a transfer from your bank account (Last 4-digits: 0402) for the following amount:
GBP 313.14 (ORDER #0220873 , DATE #20.03.2006)
Funds should leave account in approximately three to five working days.
See your statement details in attachment.
To review your account at any time, please access your Account Summary:
https://payments.amazon.co.uk/ exec/login?
If you have any questions or concerns regarding this settlement, please contact us at
payments-support@amazon.co.uk
Amazon.co.uk Marketplace -- Amazon Services Europe S.a.r.l.
Sell Your Stuff
http://www.amazon.co.uk
Attached file: STATEMENT_#0220873.exe
"These emails do not really come from Amazon, and clicking on the attached file will install a malicious Trojan horse on your computer," said Graham Cluley, senior technology consultant at Sophos. "Once it has slipped under your radar, this Trojan is capable of downloading further malicious code from the Internet, giving hackers access to your PC. A real message from Amazon would never contain an attached executable file, and people should always think carefully before running unsolicited code on their computer."
James Kay, CTO, BlackSpider Technologies, comments: "This was a particularly opportunist attack. Emails from the first wave were still being released by the hacker when the second wave struck. Anti-virus vendors were probably not expecting a second – and very similar – wave to occur while the first attack was still happening. Not only was the first attack successful, it also effectively acted as a smokescreen and allowed the second strike to catch the anti-virus community off guard, which is why it enjoyed a window of exposure of more than three hours."
SOURCE: IT Backbones Limited