Malware being spammed as PDF from retail stores

Reports surfaced today of spam purporting to be from Dell, Walmart, Circuit City or Sony confirming an order for a Sony Vaio computer with a PDF attachment, but the attachment is, in fact, a very nasty piece of malware named Haxdoor. Text of email:

Subject: Order ID : 37679041

Dear Customer,

Thank you for ordering from our internet shop. If you paid with a credit card, the charge on your statement will be from name of our shop. This email is to confirm the receipt of your order. Please do not reply as this email was sent from our automated confirmation system.

Date : 08 Oct 2006 - 12:40

Order ID : 37679041

Payment by Credit card

Product : Quantity : Price

WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99

Subtotal : 2,449.99

Shipping : 32.88

TOTAL : 2,482.87

Your Order Summary located in the attachment file ( self-extracting archive with "37679041.pdf" file ).  PDF (Portable Document Format) files are created by Adobe Acrobat software and can be viewed with Adobe Acrobat Reader.  If you do not already have this viewer configured on a local drive, you may download it for free from Adobe's Web site.

We will ship your order from the warehouse nearest to you that has your items in stock (NY, TN, UT & CA). We strive to ship all orders the same day, but please allow 24hrs for processing.

You will receive another email with tracking information soon.

We hope you enjoy your order! Thank you for shopping with us!

Donna's Security Flash blogged this and it was posted at CastleCops security forum.  I wouldn't be surprised if a lot of people fall for this.  As the poster at Castle Cops said:

So you're sitting there scratching your head thinking "What order?" Boy oh boy... I sure as heck didn't order no stinkin $2,449.99 Sony VAIO from Circuit City!

Really makes ya wanna open that zip file to see if you've been had, right?

The supposed PDF attachment is really an executable named 37679041.exe, which AV vendors detect under various names.  Kaspersky named it Backdoor.Win32.Haxdoor.lf, Symantec detects it as Backdoor.Haxdoor.R, and others are calling it a variant of Goldun. Whatever you call it, it's quite an evil piece of malware. Haxdoor typically uses rootkit technology to mask itself.  It is known to steal passwords and give a remote attacker access to the machine; it may also display advertising and often makes registry changes that lower system security. Some variants also disable software firewalls and anti-virus apps.  McAfee has a report here.
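The whole trick in this spam is that the file's name says "PDF" while its bytes say "Windows executable" (a self-extracting archive is itself an MZ executable). The following is an added example, not code from the original post, showing how a mail gateway or a script could catch that mismatch: it sniffs the leading bytes, flags executable and double extensions such as 37679041.pdf.exe, and looks inside a zip. The MZ stub and the zip it builds are constructed samples, not the real Haxdoor attachment.

```python
import io
import zipfile

# Magic bytes for the formats this scam plays with. Assumed input: the
# attachment name and its raw bytes as handed over by a mail parser.
PDF_MAGIC, PE_MAGIC, ZIP_MAGIC = b"%PDF-", b"MZ", b"PK\x03\x04"
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs"}

def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring what the name says."""
    for kind, magic in (("pdf", PDF_MAGIC), ("pe", PE_MAGIC), ("zip", ZIP_MAGIC)):
        if data.startswith(magic):
            return kind
    return "unknown"

def check_name(name: str) -> list[str]:
    """Flag executable extensions, including 'order.pdf.exe' names that show
    as 'order.pdf' when Windows hides extensions for known file types."""
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return []
    if len(parts) > 2:
        return [f"{name}: double extension hides an executable"]
    return [f"{name}: executable attachment"]

def assess(name: str, data: bytes) -> list[str]:
    """Return reasons an attachment is suspicious; an empty list means clean."""
    findings = check_name(name)
    kind = sniff(data)
    if name.lower().endswith(".pdf") and kind != "pdf":
        findings.append(f"{name}: claims PDF but content is {kind}")
    if kind == "pe":  # self-extracting archives are PE files too
        findings.append(f"{name}: content starts with an MZ executable header")
    if kind == "zip":  # look inside; the scam shipped the .exe as an "order summary"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                findings += [f"inside {name}: {f}" for f in assess(member, zf.read(member))]
    return findings

# Constructed samples, not the real Haxdoor attachment: a fake MZ stub and a
# zip carrying it under the file name quoted in the spam.
FAKE_EXE = PE_MAGIC + b"\x00" * 62 + b"constructed stub, not a real program"

def make_zip(inner_name: str, content: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, content)
    return buf.getvalue()
```

Run `assess("37679041.zip", make_zip("37679041.pdf.exe", FAKE_EXE))` to see both the double-extension and the MZ-header findings reported for the inner file.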

Talkback

13 comments
  • It also comes from eBay and Amazon

    Bottom line, none of these sites send your order in a zip file.

    Happens a lot more frequently now - social engineering ramping up. Be careful out there!
    Confused by religion
    • eBay

      I actually got a similar email that looked legitimate right after an auction I won closed on eBay. I don't know how they did it, but the bottom line was that in this case it linked to a spoof eBay site that tried to snarf my ID/Password for PayPal.
      t0pcat
  • ANOTHER reason to not use Outlook and...

    use Thunderbird, Eudora, etc., instead. While Outlook is handy, its lack of security makes it garbage, IMAO (Arrogant, rather than Humble).

    ALSO, TURN OFF THAT IGNORANT "hide extensions for known file types" option. Whomever thought that one up needs to stop bashing himself in the head with a hammer because his brain is nonexistent!! DUH!!!

    Of course, if the nimnals at Microsuck ever used their brains, they would give us a way to turn off the automatic VBScript execution...
    scomanjim
    • Outlook is not the problem

      No matter what email client someone is using, they should not open unexpected attachments unless they contact the sender to confirm it's legitimate. It's not Microsoft's fault people fall prey to clever social engineering.
      Suzi_z
    • What does Outlook have to do with it?

      Outlook has nothing to do with this problem. Reading the email does no harm, it's opening the attachment that causes all the problems. The people who open the attachment are also a problem because they didn't think about it being a scam. You get an email from someone you don't know or expect and you blindly believe what they say and open an unknown attachment? Not a smart thing to do....

      Another thing is that if you are using an anti virus program and it is set to scan emails then this should be caught before it's even opened.
      k12IT
    • Guess what...

      Guess what happens when you click an attachment in Thunderbird and Eudora and about every other email program out there...

      If this had something to do with the Preview Pane then maybe you'd have a point, but it doesn't.

      The strange part that should bother everyone is that DELL is listed as a possible sender of the Sony VAIO purchase.

      Who HERE has fallen for this? This is DELL. Wanted to thank you for buying Sony.

      I actually laughed.
      dbisse@...
  • I've lucked out so far. I haven't seen anything like this in my emails,

    but then I've been deleting the spam without opening it, so I haven't had a chance to see this. Stories like this have kept me alert to such tactics. Also, since I use a web-based email client, I don't use Outlook or anything like it to download it to my system. The spam stays on the web client and the mal gets deleted with it.
    Mr. Roboto
    • Best practice

      "I've been deleting the spam without opening it,"

      That's the best thing to do because spam can contain web bugs that let the spammer know they got a live email address when opened.
      Suzi_z
  • Haxdoor trojan letters

    I got one of these fake Sony Vaio receipts today. My anti-virus software correctly pegged its nature.

    The thing I'm curious about is that some people I know are getting the emails with my name on them. I have no sign that my computers are infected. Has anyone seen this before?
    rheyduck
    • Spam is "from you"

      This is almost standard now. Someone's computer gets infected, and they have your name in their address book. The spam-bot picks sender names at random from the address book (including your name), while also spamming everyone in the book. It is almost impossible to track down the original sender.
      barence773
  • Spread of malware not limited to address books

    Malware is spreading to more than just address books these days. I've received e-mails cloaked with an individual's e-mail address. Since that person is totally unknown to me, I wouldn't be in their address book. Spammers are now identity thieves using addresses garnered from legitimate commercial activities who happen to use the same marketing ISP groups.
    shechief