Paycheck 322082

This is going to be one of those days where the average Trojan downloader gets spammed at a rate of roughly a dozen per minute. We’ve just received another malware sample that downloads TROJ_SMALL.CPO and another, as yet unidentified, file.
This downloader is attached to an email that uses social engineering to trick users into opening the attachment. Presenting itself as an official-looking email from a credit card service company, it instructs the user to verify the “payment details” contained in the attachment. The email details are as follows:


FROM:
Cihost Billing Management


SUBJECT:
[paycheck 322082] Credit Card Chargeback


BODY:
Sir,


We have received a notice from your card service stating that there was a chargeback made by the owner of the card that you paid for your account with. This is a very serious matter.


I have deducted the amount of the chargeback, GBP 102.10, from your account and added our standard fee of GBP 23.95 as well. (You can see your payment details in attachment.)


If there was some mistake, please let us know immediately so that we can get this situation resolved. We ask that you have the chargeback removed as soon as possible, as our account has already been debited for the amount in question.


If you would prefer to make your payment using a new payment method that would be fine as well (you can use a different credit card or you may send a money order payable to Cihost).


This is a time sensitive issue and must be resolved promptly at the request of the card service. Please email the billing team using the Web Administration Panel with information about how you are going to deal with this situation.


I thank you for your time and hope to hear from you soon.


See your payment details in attachment.


Sincerely,


Frank J. Cornwell


Cihost Billing Management


In light of the downloaders being spammed left and right, now might be a good time to reiterate a basic security practice: don’t open files attached to a suspicious email.
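As an added illustration (not part of the original post or of any vendor tooling), the following Python script screens a message for the lure pattern described above: the "[paycheck NNNNNN]" subject, chargeback/urgency phrasing, and a risky attachment. The sample message is constructed from the text quoted above; the sender address and the attachment file name are assumptions, since the post does not give them.

```python
import re
from email.message import EmailMessage

# Phrases characteristic of the chargeback lure quoted in the post.
LURE_PATTERNS = [
    r"\bchargeback\b",
    r"payment details in attachment",
    r"\btime sensitive\b",
    r"\bimmediately\b|\bas soon as possible\b",
]
SUBJECT_PATTERN = re.compile(r"^\[paycheck \d+\]", re.IGNORECASE)
# Extensions a mail gateway would normally treat as high-risk attachments.
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".zip")


def build_message(sender, subject, body, filename, payload):
    """Assemble a multipart message with one attachment (constructed input)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.invalid"   # constructed recipient
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


def sample_lure():
    """The paycheck 322082 lure; address and file name are assumptions."""
    body = ("Sir,\n\nWe have received a notice from your card service stating "
            "that there was a chargeback made by the owner of the card. I have "
            "deducted the amount of the chargeback, GBP 102.10, from your "
            "account. (You can see your payment details in attachment.)\n\n"
            "If there was some mistake, please let us know immediately. "
            "This is a time sensitive issue and must be resolved promptly.\n")
    return build_message("Cihost Billing Management <billing@example.invalid>",
                         "[paycheck 322082] Credit Card Chargeback",
                         body, "payment_details.exe", b"MZ\x90\x00")


def screen_message(msg):
    """Return a list of reasons the message looks like the downloader lure."""
    reasons = []
    if SUBJECT_PATTERN.search(msg.get("Subject", "")):
        reasons.append("subject matches '[paycheck NNNNNN]' lure")
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content().lower() if body_part else ""
    hits = [p for p in LURE_PATTERNS if re.search(p, text)]
    if len(hits) >= 2:
        reasons.append(f"{len(hits)} chargeback/urgency lure phrases in body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            reasons.append(f"high-risk attachment: {name}")
    return reasons
```

A message scoring two or more reasons is a candidate for quarantine; a benign invoice with a PDF attachment and no lure phrasing scores none.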


Note: A solution is currently underway for this threat and we’ll keep you posted for updates.


Update (Jasper, Wed, 23 Aug 2006 04:11:54 PM)
This threat will be detected as TROJ_SMALL.CPM. We’ll update you when the pattern is deployed.


Update (Jasper, Thu, 24 Aug 2006 10:00:22 AM)
The pattern for this malware has already been deployed in CPR 3.672.06.