Medium
Alert ID: 29868
First Published: 2013 July 1 18:53 GMT
Last Updated: 2013 August 29 12:36 GMT
Version: 9
Summary
Email messages that are related to this threat (RuleID6381 and RuleID6381KVR) may contain the following files:
specification.zip
specification.exe
girl.zip
girl.exe
Letter of Authorization.zip
Osee.exe
Gift.zip
Gift.exe
SecureMessage.zip
SecureMessage.exe
PaymentAdvice.zip
PaymentAdvice.exe
P-O.zip
done.exe
The specification.exe file in the specification.zip attachment has a file size of 346,704 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0xC8082BCCC2F29B41D029208ABC19991B
The girl.exe file in the girl.zip attachment has a file size of 1,003,520 bytes. The MD5 checksum is the following string: 0xD3108DCD671A3089CC63CF7231E7B9E3
The Osee.exe file in the Letter of Authorization.zip attachment has a file size of 404,480 bytes. The MD5 checksum is the following string: 0x29F91AEBAC55521E58F239981350049C
The Gift.exe file in the Gift.zip attachment has a file size of 123,018 bytes. The MD5 checksum is the following string: 0xAAD613D9226AD3274E92093360D6AB9A
A variant of the specification.exe file in the specification.zip attachment has a file size of 812,544 bytes. The MD5 checksum is the following string: 0x4D1E7EA6CB093415C0129FD7CE040786
The SecureMessage.exe file in the SecureMessage.zip attachment has a file size of 118,784 bytes. The MD5 checksum is the following string: 0xC645DF9F57E6B7122B8B61EF63ABD431
A third variant of the specification.exe file in the specification.zip attachment has a file size of 696,320 bytes. The MD5 checksum is the following string: 0x0B37DCE785F8E465F5D15B6AD8325DF2
A variant of the SecureMessage.exe file in the SecureMessage.zip attachment has a file size of 121,856 bytes. The MD5 checksum is the following string: 0xAD474DB836F43DF6F5DFA3E6D627FB6A
The PaymentAdvice.exe file in the PaymentAdvice.zip attachment has a file size of 115,712 bytes. The MD5 checksum is the following string: 0xBAD273225554C8E82AC293EECF1882FE
The done.exe file in the P-O.zip attachment has a file size of 186,880 bytes. The MD5 checksum is the following string: 0xB79D1EC0F5ADFF48F84904AE95D2B4FC
A fourth variant of the specification.exe file in the specification.zip attachment has a file size of 732,160 bytes. The MD5 checksum is the following string: 0xC8B6FE50220917E147665F0465D1FB13
The following text is a sample of the email message that is associated with this threat outbreak:
> Subject: Business Specification
Message Body:
**We are a group of company based in Louisiana, United State of America and it is our pleasure to introduce our business to you. We went through your profile online and it caught our mind to send you a copy of our business outlines and specifications in a pdf format, which you can read by downloading the attached files.
We are interested in your business and services and this is why we sent you some of our specific need in your business.
You can reach us by calling or texting our contact number below to discuss the business over the phone if need be.
Thanks and hoping to read and doing business with you soon.
Stephen A Seedorf **
Or
> Subject: girl
Or
> Message Body:
**Dear Sir,
Today, As confirmed advised by our Bank. I have attached the authorization letter for you to sign, so we could
proceed with the payment as scheduled. Once we get the signed copy of letter attached, I will send you copy of
payment once its ready.
Regards,
Mr Jafar Ushman
Sunshine PTE FZE **
Or
> Message Body:
[Australian Taxation Office logo]
Dear e-Tax user,
Attached is your payment Slip for your 2012 Tax refunds.
Download to view if we got your correct account information so your payment won’t be delayed.
Australia Taxation Office.
Or
> Subject: Download Your Tax Refund Payment Report!
Message Body:
**Dear e-Tax user,
Attached is your payment Slip for your 2012 Tax refunds.
Download to view if we got your correct account information so your payment won’t be delayed.
Australia Taxation Office. **
Or
> Subject: IMPORTANT - NatWest Secure Message
Message Body:
**You have received a secure message
Read your secure message by opening the attachment, SecureMessage.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 1055.
First time users - will need to register after opening the attachment.
About Email Encryption - hxxp://supportcentre.natwest.com/app/answers/detail/a_id/1671/kw/secure%20message **
Cisco Security analysts examine real-world email traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global email security threats and trends. Cisco will continue to monitor this threat and automatically adapt systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.
Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Email that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam email and hostile web URLs from being passed to the end user.
Related Links
Cisco Security
Cisco SenderBase Security Network
Revision History
Version | Description | Section | Date
---|---|---|---
9 | Cisco Security has detected significant activity on August 29, 2013. | | 2013-August-29 12:36 GMT
8 | Cisco Security has detected significant activity on August 27, 2013. | | 2013-August-27 12:29 GMT
7 | Cisco Security has detected significant activity on August 13, 2013. | | 2013-August-13 16:01 GMT
6 | Cisco Security has detected significant activity on August 6, 2013. | | 2013-August-08 19:42 GMT
5 | Cisco Security has detected significant activity on July 30, 2013. | | 2013-July-31 13:42 GMT
4 | Cisco Security has detected significant activity on July 22, 2013. | | 2013-July-23 14:44 GMT
3 | Cisco Security has detected significant activity on July 11, 2013. | | 2013-July-11 13:31 GMT
2 | Cisco Security has detected significant activity on July 2, 2013. | | 2013-July-02 15:44 GMT
1 | Cisco Security has detected significant activity on June 30, 2013. | | 2013-July-01 18:53 GMT
Legal Disclaimer
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products