Statement of Fees Malspam Campaign (AV XP 2008)

A couple of minutes ago another round of spam messages appeared, claiming to provide information about a statement of fees recently posted (implying bank account fees). The message carried an attachment posing as a Microsoft Word document that is actually an executable (Fees-2008_2009.doc.exe); when run, it installs a Trojan downloader.

Further analysis indicates that, once installed, the Trojan connects to a PHP page hosted on a Russian domain to obtain a list of candidate sites from which to download the installer for AntiVirus XP 2008. The actual URLs are contained within that script. The file that is downloaded is lspr.exe (MD5 ffccd0518b04354532c733674c0faa00), identified as Adware/AVXP2008.
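The lure described above, a document-looking name with an executable final extension, is simple to screen for at the mail gateway. The following is an added example (not code from the post or from Panda) that parses a constructed message resembling this campaign, flags attachments whose name hides an executable behind a decoy extension, and compares each attachment's MD5 against the hash quoted in the post; the extension lists and the sample message are assumptions, and the attachment body is a harmless placeholder.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# MD5 quoted in the post for the downloaded lspr.exe (Adware/AVXP2008).
KNOWN_BAD_MD5 = {"ffccd0518b04354532c733674c0faa00": "Adware/AVXP2008 lspr.exe"}
# Final extensions Windows executes, and decoy "document" extensions a lure
# places in front of them (assumed lists, extend to taste).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
DECOY_EXTS = {"doc", "docx", "pdf", "xls", "txt", "jpg"}


def is_disguised_executable(filename: str) -> bool:
    """True for names like 'Fees-2008_2009.doc.exe': executable final
    extension behind a document-looking one (case and whitespace ignored)."""
    parts = filename.strip().lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS


def triage_message(raw: bytes) -> list:
    """Report each attachment that is a disguised executable or whose MD5
    matches a known-bad hash."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        md5 = hashlib.md5(part.get_payload(decode=True) or b"").hexdigest()
        reasons = []
        if is_disguised_executable(name):
            reasons.append("double extension hides executable")
        if md5 in KNOWN_BAD_MD5:
            reasons.append("known-bad MD5: " + KNOWN_BAD_MD5[md5])
        if reasons:
            findings.append({"filename": name, "md5": md5, "reasons": reasons})
    return findings


def build_sample_message() -> bytes:
    """Constructed lure mimicking the campaign; the attachment body is a
    harmless placeholder, not the real file."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["Subject"] = "Statement of fees"
    msg.set_content("Please review the attached statement of fees.")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="Fees-2008_2009.doc.exe")
    return msg.as_bytes()
```

Running `triage_message(build_sample_message())` flags the placeholder attachment on its name alone; the hash check only fires when a real sample with the quoted MD5 is fed in.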


10 Responses to Statement of Fees Malspam Campaign (AV XP 2008)

  1. Marco says:

    I believe the website and the files are three: lspr.exe, scan.exe and kashir.exe.

  2. Marco,

    I have noticed that the lspr.exe file is the installation executable for the rogue Anti-virus XP 2008 that is called from the file when running. This is a similar behavior to what was seen on Trj/Exchanger, which was simply a process to initiate the download. Statistically speaking, AV XP 2008 has been seen in a number of malspam campaigns over the last couple of weeks (CNN Alerts, MSNC Alerts, Fake IE 7.0, Fake Windows Malicious Software Removal tool, etc).

  3. Marco says:

    Ryan,

    I was only referring to your ‘several’ and ‘only’ statement.

  4. Right, there are several websites that essentially host the content from which this Trojan downloads.

  5. […] Statement of Fees Malspam Campaign (AV XP 2008) (2008-Aug-28) [pandasecurityus] […]

  6. Michelle says:

    We keep getting pop ups/alerts from the XP 2008 antivirus literally every 1.5 minutes! How can we get rid of it?

  7. christophe says:

    Could you tell me if I am secured with Panda latest version against statement of fees virus?

  8. Yes, all Panda users are protected against this virus.

  9. Christophe, you can go to http://www.infectedornot.com, where we have a free cleaning tool that will remove the XP AV 2008.
