by Barracuda Labs
Barracuda Labs spam monitoring systems have picked up a massive new spam campaign whose messages pretend to be output files from a popular Xerox office copier.
Hundreds of thousands of these messages are circulating around the globe, titled Scan from a Xerox WorkCentre Pro and containing a single .zip file attachment tagged with a random number that helps them avoid detection by anti-spam technology. In fact, Virus Total calculates detection rates at around 19.5% as referenced by certain TechHerald employees today.
The message format closely mimics the one used by a real Xerox WorkCentre Pro, except for one detail – Xerox scanners do not email their outputs using the .zip format. The WorkCentre Pro from Xerox typically scans documents to PDF, email or FTP accounts.
The message text claims that the attachment is a zipped .doc file, and the .zip file itself hides the true extension of the file contained within.¬† It is not until you go to open the file that you see its true nature.¬† It is an executable and it is not scanner output – it is a variant of Trojan Oficla.
Choosing¬† Run (which you should not do) seems to do nothing at all – the Trojan runs but does not display any decoy image.¬† Rather, it simply installs itself and gets to work in the background downloading other malware.
Samples executed at Barracuda Labs quickly start up a Spambot which sends out more copies of the same message.
As always, never trust unexpected emails, and in particular, never press the “Run” button unless you are 100% certain of what you are doing.¬† Word documents are “opened” and they are not “run” at any time. And, of course, always keep your security software updated on your system. If this message lands in your inbox, please delete and make sure to spread this message with your friends and colleagues.
Barracuda Spam & Virus Firewall customers are protected from this attack.