Threat Outbreak Alert: Fake Photo Sharing Email Messages on March 18, 2014

2013-09-28T05:14:37
ID CISCO-THREAT-31006
Type ciscothreats
Reporter Cisco
Modified 2014-03-19T13:52:46

Description

Medium

Alert ID:

31006

First Published:

2013 September 28 05:14 GMT

Last Updated:

2014 March 19 13:52 GMT

Version:

5

Summary

  • Cisco Security has detected significant activity related to Italian-language spam email messages that claim to contain a personal photo for the recipient. The text in the message body attempts to persuade the recipient to open the attachment to view the photo. However, the .zip attachment contains a malicious .scr file that, when executed, attempts to infect the system with malicious code.

Email messages that are related to this threat (RuleID2970KVR and RuleID2970_1KVR) may contain the following files:

> sexy photo.zip
sexy photo.jpg.scr
travel-97167.zip
travel-00034.jpg.exe
IMG_176_890922_2014.zip
IMG_003_769085_2014.JPG..exe
Image_86930_01292014.zip
Image_65903_01292014.jpeg.exe
FOTOS_18-03-2014_00000111.JPEG.zip
FOTOS_18-03-2014_000001.JPEG.cpl
IMG2690974498-JPG.zip
IMG9684662555-JPG.scr
IMG058493fdt0530-JPG.zip
IMG0584930530-JPG.scr

The sexy photo.jpg.scr file in the sexy photo.zip attachment has a file size of 94,208 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0xEE20890CFC6667B2BF70BD446AB1C094

The travel-00034.jpg.exe file in the travel-97167.zip attachment has a file size of 40,960 bytes. The MD5 checksum is the following string: 0x646F3ACF4DA957C82695D96DCEA19C3D

The IMG_003_769085_2014.JPG..exe file in the IMG_176_890922_2014.zip attachment has a file size of 93,184 bytes. The MD5 checksum is the following string: 0x88E1F8454A1B011FC1DAE2507BA325A5

The Image_65903_01292014.jpeg.exe file in the _Image_86930_01292014.zip _attachment has a file size of 77,625 bytes. The MD5 checksum is the following string: 0xF4C7BF04E36C19A4EACFA2D3800CA722

The FOTOS_18-03-2014_000001.JPEG.cpl file in the FOTOS_18-03-2014_00000111.JPEG.zip attachment has a file size of 302,080 bytes. The MD5 checksum is the following string: 0x9CA4D13AFB498D4CB2DC3A5384E821F3

The IMG9684662555-JPG.scr file in the IMG2690974498-JPG.zip attachment has a file size of 9,728 bytes. The MD5 checksum is the following string: 0x6F77282AB86E12BAC81D62FCF3ABBA12

The IMG0584930530-JPG.scr file in the IMG058493fdt0530-JPG.zip attachment has a file size of 106,794 bytes. The MD5 checksum is the following string: 0x95E52AADD60400D7DDB3AACA3173D136

The following text is a sample of the email message that is associated with this threat outbreak:

> Message Body:

ciao
Ho molta voglia di fare amicizia su Internet!
Trovo il tuo indirizzo email barbara.carnovale@libero.it e scrivere a voi!
Parlami di te?
Ti mando la mia foto
aspettare la tua lettera

Or

> Subject: Sent via BlackBerry

Message Body:

------ MMS ------
From: +17143618130/TYPE=PLMN
Received: Oct 02, 2013 6:13 AM
Sent via BlackBerry by AT&T

Or

> Subject: foto 23.01.2014

Message Body:

**Sent from my iPhone

**

Or

> Message Body:

Olha so as fotos que vou postar no face se tiver
alguma que vc nao quer que coloca me avisa aqui
tem umas suas ai viu rsrsrs

Or

> Subject: Check out this picture

Message Body:

;)

Or

> Message Body:

Hi, honey, I found your contact on a dating site, I send you my picture, I'm in the middle. I'd be happy if the answer to me.


> Cisco Security analysts examine real-world email traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global email security threats and trends. Cisco will continue to monitor this threat and automatically adapt systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.

Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Email that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam email and hostile web URLs from being passed to the end user.

Related Links
Cisco Security
Cisco SenderBase Security Network

Revision History

  • Version | Description | Section | Date
    ---|---|---|---
    5 | Cisco Security has detected significant activity on March 18, 2014. | | 2014-March-19 13:52 GMT
    4 | Cisco Security has detected significant activity on January 29, 2014. | | 2014-January-30 12:52 GMT
    3 | Cisco Security has detected significant activity on January 23, 2014. | | 2014-January-24 12:41 GMT
    2 | Cisco Security has detected significant activity on October 2, 2013. | | 2013-October-02 15:53 GMT
    1 | Cisco Security has detected significant activity on September 27, 2013. | | 2013-September-28 05:14 GMT
    Show Less

Legal Disclaimer

  • THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products