Fifteen minutes ago we detected a new spam message in circulation that appears to come from Carrington Mortgage Services LLC. The message informs the recipient that a payment of $8844.80 has been made from their checking account to this mortgage company. In addition, the user is asked to download a .ZIP file containing an invoice for this payment (this is a Banker Trojan). What’s interesting about this particular spam message is that it forces the user to enter the password “invoice” to decrypt the file, likely a strategy to defeat gateway scanners.
When the attachment is opened, it contains an executable made to look like an Excel document. On a Windows system configured to hide extensions for known file types, it could easily pass for an Excel document.
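A gateway that cannot decrypt such an archive can still read the member names, because standard ZIP encryption leaves the central directory in the clear. The check below is an added example, not code from the original post; the sample archive, its file name and the extension list are constructed for illustration.

```python
import io
import posixpath
import struct
import zipfile

# Extensions treated as directly executable on Windows (assumed policy list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".cpl"}
ENCRYPTED_BIT = 0x1  # general-purpose flag bit 0: member data is encrypted


def triage_zip(data: bytes) -> list:
    """Return a finding for each member that is encrypted AND executable.

    Only the central directory is read, so no password is needed.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ext = posixpath.splitext(info.filename)[1].lower()
            encrypted = bool(info.flag_bits & ENCRYPTED_BIT)
            if encrypted and ext in EXECUTABLE_EXTS:
                findings.append(
                    {"name": info.filename, "ext": ext, "size": info.file_size}
                )
    return findings


def build_sample(name: str, encrypted: bool) -> bytes:
    """Constructed input: a one-member ZIP holding 64 placeholder bytes.

    Python's zipfile cannot write encrypted members, so the encrypted flag
    is set by patching the central directory header (flags at offset 8).
    The payload is not really encrypted; only the metadata matters here.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, b"MZ" + b"\x00" * 62)
    raw = bytearray(buf.getvalue())
    if encrypted:
        cd = raw.rfind(b"PK\x01\x02")  # central directory file header
        flags = struct.unpack_from("<H", raw, cd + 8)[0]
        struct.pack_into("<H", raw, cd + 8, flags | ENCRYPTED_BIT)
    return bytes(raw)


if __name__ == "__main__":
    for hit in triage_zip(build_sample("Invoice_sample.exe", True)):
        print("quarantine:", hit)
```
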
File size: 58368 bytes

PEInfo: PE Structure information ( base data )

timedatestamp.....: 0x4806e3fb (Thu Apr 17 05:45:31 2008)
machinetype.......: 0x14c (I386)

( 4 sections )

| name | viradd | virsiz | rawdsiz | ntrpy | md5 |
|---|---|---|---|---|---|
| .text | 0x1000 | 0x1010 | 0x1200 | 2.80 | 2b47bcb94b4842dbad7d705a4edde293 |
| .data | 0x3000 | 0x22b9b | 0xc800 | 7.60 | ded2450cbafedda4dfe1d972a0e701f2 |
| .reloc | 0x26000 | 0x1000 | 0x0 | 0.00 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 0x27000 | 0x1000 | 0x600 | 4.66 | 0552eaf398afb9100b608d74807bcad7 |

( 1 imports )