Email Thank you for your application = Virus

We received a new email that contains a suspicious ZIP file named copy of your application.zip. The email appears to belong to the same family as the earlier Hallmark and fake Coca-Cola job emails.

Email Screenshot

The extracted file uses the same trick as all the other spam emails: it adds eight or more space characters after the first extension, .PDF, and only at the end of that padding does the real .EXE extension appear.

Screenshot
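A defender-side check for the padded double-extension trick described above, added here as an example and not part of the original post: it inspects ZIP member names without extracting anything. The regular expression, the executable-extension list and the sample archive are constructed for this example, not taken from the post.

```python
import io
import re
import zipfile

# Real extensions the trick tries to hide behind a document-looking suffix (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

# A short document-style extension, then a run of spaces or NUL bytes (the padding
# used to push the real extension out of view), then the real extension at the end.
PADDED_DOUBLE_EXT = re.compile(
    r"\.(?P<fake>[a-z0-9]{2,4})(?P<pad>[ \x00]+)\.(?P<real>[a-z0-9]{2,4})$",
    re.IGNORECASE,
)


def inspect_name(name: str):
    """Return (fake_ext, pad_len, real_ext) when `name` uses the padded
    double-extension trick with an executable real extension, else None."""
    m = PADDED_DOUBLE_EXT.search(name)
    if not m:
        return None
    real = "." + m.group("real").lower()
    if real not in EXECUTABLE_EXTS:
        return None
    return ("." + m.group("fake").lower(), len(m.group("pad")), real)


def suspicious_members(zip_bytes: bytes):
    """List (member name, verdict) for every ZIP entry whose name uses the trick.
    Only the central directory is read; no member is extracted."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            verdict = inspect_name(info.filename)
            if verdict:
                hits.append((info.filename, verdict))
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample archive: one member mimics the padded name from the
    email (its content is a placeholder, not the malware) plus one benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("copy of your application.pdf" + " " * 12 + ".exe", b"placeholder")
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()
```

The same `inspect_name` check can be applied to attachment filenames in the MIME headers before the archive is even opened.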

Report Generated 18.2.2009 at 14.54.36 (GMT 1)
Time for scan: 41 seconds
Filename: copyofyourapplication.pdf.exe
File size: 296 KB
MD5 Hash: 6772862AB65D1F145E36B85A7D731EA0
SHA1 Hash: B87D9B6C019892219E492FBF9CD297841B351C5C
CRC32: 147388102
Application Type: Executable (EXE) 32bit
Detection Rate: 12 on 22 (27,27 %)

Antivirus      Sig Version   Result
a-squared      18/02/2009    Riskware.Win32.CeeInject!IK
Avira AntiVir  7.1.2.46      Worm/Prolaco.303616
Avast          090217-0      Win32:Trojan-gen {Other}
BitDefender    18/02/2009    Win32.Worm.Prolaco.C
F-PROT 6       20090217      W32/Trojan2.FYQF
IkarusT3       18/02/2009    VirTool.Win32.CeeInject
Kaspersky      18/02/2009    Trojan.Win32.Buzus.alvw
McAfee         18/02/2009    W32/Xirtem@MM virus
MHR            18/02/2009    Virus Found – detect rate 11%
NOD32 v3       3864          Win32/Agent.OWX
Norman                       W32/Buzus.JUZ
Sophos         18/02/2009    Mal/CryptBox-A

This is the header of the email:

Received: from outgoing.holservices.gr (outgoing.holservices.gr [62.38.2.44])
Received: from unknown (HELO deliver.mail.dc.hol.net) (192.168.20.70) by arete.mail.dc.hol.net with SMTP; 18 Feb 2009 13:53:56 -0000
Received: from auth-smtp.hol.gr (takeit01.mail.dc.hol.net [192.168.20.71]) by deliver.hol.gr (8.12.11/8.11.6) with ESMTP (using TLSv1/SSLv3 with cipher DHE-RSA-AES256-SHA (256 bits) verified OK)
Received: from jobs.com (static062038146191.dsl.hol.gr [62.38.146.191]) by auth-smtp.hol.gr (8.13.1/8.13.1) with ESMTP Message-Id: xxxxxxxxxxxxxxxxxxxxxx@auth-smtp.hol.gr
From: hr@a945.g.akamai.net
Subject: Thank you for your application
Date: Wed, 18 Feb 2009 15:53:54 +0200
