Statement of Fees Malspam Campaign (AV XP 2008)

A couple of minutes ago another round of spam messages appeared claiming to provide information concerning a statement of fees recently posted (referring to bank account fees). The message carries an attachment that poses as a Microsoft Word document but is actually an executable (Fees-2008_2009.doc.exe) that installs a Trojan downloader.

Further analysis indicates that, once installed, the Trojan connects to a PHP page hosted on a Russian domain to obtain several possible sites from which to download the installer for AntiVirus XP 2008. The actual URLs are contained within this script, and the file that is downloaded is lspr.exe (MD5 ffccd0518b04354532c733674c0faa00), which is identified as Adware/AVXP2008.
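
As an added illustration (not part of the original post and not Panda's own tooling), this Python sketch shows how a mail filter could flag the lure described above: a document-style extension followed by an executable one, a Windows PE "MZ" header, and a hash match against the MD5 given for lspr.exe. The extension lists, function names and the sample message are assumptions constructed for the example.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed lists: extensions that look like documents vs. ones Windows executes.
DECOY_EXTS = {"doc", "docx", "xls", "pdf", "txt", "jpg"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
# MD5 the post gives for the downloaded lspr.exe; the attachment's own
# hash is not on the page, so a real blocklist would come from your intel feed.
KNOWN_BAD_MD5 = {"ffccd0518b04354532c733674c0faa00"}


def inspect_attachments(raw: bytes) -> list[dict]:
    """Return one finding per attachment that trips at least one check."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        payload = part.get_payload(decode=True) or b""
        # Windows ignores trailing dots and spaces, so strip them before splitting.
        pieces = name.lower().rstrip(". ").split(".")
        reasons = []
        # "x.doc.exe" -> [..., "doc", "exe"]: decoy extension, then executable one.
        if len(pieces) >= 3 and pieces[-1] in EXEC_EXTS and pieces[-2] in DECOY_EXTS:
            reasons.append("double-extension")
        # PE files start with "MZ" regardless of what the filename claims.
        if payload[:2] == b"MZ":
            reasons.append("pe-header")
        if hashlib.md5(payload).hexdigest() in KNOWN_BAD_MD5:
            reasons.append("known-bad-md5")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed message: harmless bytes; only the name and MZ prefix mimic the lure."""
    msg = EmailMessage()
    msg["Subject"] = "Statement of fees 2008/09"
    msg["From"] = "billing@example.com"
    msg.set_content("Please find your statement attached.")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="msword", filename="Fees-2008_2009.doc.exe")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(inspect_attachments(build_sample()))
```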

10 Responses to “Statement of Fees Malspam Campaign (AV XP 2008)”

  1. Marco Says:

    I believe the website and the files are three: lspr.exe, scan.exe and kashir.exe.

  2. Ryan Sherstobitoff Says:

    Marco,

    I have noticed that the lspr.exe file is the installation executable for the rogue Anti-virus XP 2008 that is called from the file when running. This is a similar behavior to what was seen on Trj/Exchanger that was simply a process to initiate the download. Statistically speaking, AV XP 2008 has been seen in a number of malspam campaigns over the last couple of weeks (CNN Alerts, MSNC Alerts, Fake IE 7.0, Fake Windows Malicious Software Removal tool, etc).

  3. Marco Says:

    Ryan,

    I was only referring to your ‘several’ and ‘only’ statement.

  4. Ryan Sherstobitoff Says:

    Right, there are several web sites that essentially host the content that this Trojan downloads.

  5. [VIRUS] RE: Statement of fees 2008/09 « Visible Procrastinations Says:

    [...] Statement of Fees Malspam Campaign (AV XP 2008) (2008-Aug-28) [pandasecurityus] [...]

  6. Michelle Says:

    We keep getting pop-ups/alerts from the XP 2008 antivirus literally every 1.5 minutes! How can we get rid of it?

  7. christophe Says:

    Could you tell me if I am secured with Panda's latest version against the statement of fees virus?

  8. On-Site-Solutions.com » Blog Archive » Statement of Spam Says:

    [...] More information Panda Security [...]

  9. Ryan Sherstobitoff Says:

    Yes, all Panda users are protected against this virus.

  10. Ryan Sherstobitoff Says:

    Christophe, you can go to http://www.infectedornot.com and we have a free cleaning tool that will remove the XP AV 2008.
