Spammers use Paul Walker’s death to spread malware

It was only a few months ago that Paul Walker left us in a fiery car accident. It has become common for spammers and malware writers to exploit a celebrity’s death to spread malware.

In this case, it started with emails promising a link to a video of Paul Walker’s car on fire; the link instead led to a malicious file.

In the latest slew of emails, Symantec reports, the sender makes a plea to the victim to find a Dodge Viper GT that was supposedly racing with Paul Walker’s car. The email asks that anyone with information call a number in the email or open the attached file to view a picture of the Viper GT’s driver.

“In every sample we have dealt with there is always a promise of reimbursement or compensation for helping capture the Viper GT’s driver,” says Joseph Graziano of Symantec.

“These attacks are unique because of the regular change of subject lines and body text to bypass spam filters. The attacker tries to personalize the email with the recipient’s name in the body, subject, or attached file name.”

According to Graziano, each executable file is built specifically for the email address it is sent to and is compiled just before the email is sent. The sender’s address is always an aol.com account that has most likely been hacked or otherwise compromised. Whenever a user is compromised, their address book is harvested to continue the chain of personalized emails.

Once the malicious file has been executed, an error notification is shown stating that a 32-bit or 64-bit computer is needed to run the file. It may also claim that the user does not have sufficient permissions to run the file, even though the malware continues to run in the background.

The Trojan then performs DNS queries against a list of similarly named domains until one of them returns an answer, and then connects to that URL to download a file into the following directory:

“%UserProfile%\Application Data\amhldfbyjmg\kskzjmtypb.exe”

Once the file (kskzjmtypb.exe) is downloaded, it runs and connects to p9p-i.geo.vip.bf1.yahoo.com to download qr1aon1tn.exe, which in turn drops the following file:

“%UserProfile%\Application Data\amhldfbyjmg\fdxeuzv.exe”
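The two behaviours described above (a host walking through a list of look-alike domains until one resolves, and executables dropped under a randomly named folder in Application Data) are both visible to a defender in DNS logs and endpoint file-write events. The following detection sketch is an added example for this article, not code from Symantec or from the write-up; the DNS log format, the sample log lines, the `example.invalid` names and the benign comparison path are constructed for the example, and the "random-looking name" test is a simple heuristic of the author's, not a published signature.

```python
"""Detection sketch for the two observables in the write-up (added example).

1. A host issuing a run of NXDOMAIN lookups for similar-looking names,
   followed by one that finally answers (the domain-walking behaviour).
2. An executable dropped as %UserProfile%\\Application Data\\<random>\\<random>.exe.

Log format and sample lines below are constructed for this example.
"""
import re
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample log: "<timestamp> <host> <queried name> <rcode> [answer]"
SAMPLE_DNS_LOG = """\
2014-03-10T09:12:01 ws17 upd-node1.example.invalid NXDOMAIN
2014-03-10T09:12:01 ws17 upd-node2.example.invalid NXDOMAIN
2014-03-10T09:12:02 ws17 upd-node3.example.invalid NXDOMAIN
2014-03-10T09:12:02 ws17 upd-node4.example.invalid NOERROR 203.0.113.5
2014-03-10T09:12:05 ws22 www.example.com NOERROR 198.51.100.10
2014-03-10T09:12:06 ws22 mail.example.com NOERROR 198.51.100.11
2014-03-10T09:12:07 ws22 typo.exmaple.com NXDOMAIN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<name>\S+)\s+(?P<rcode>\S+)(?:\s+(?P<answer>\S+))?$"
)


def parse_dns_log(text):
    """Parse the constructed log format into a list of dicts, in file order."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def similar(a, b, threshold=0.8):
    """True when two names differ only slightly (e.g. a counter or one letter)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio() >= threshold


def _finding(host, run, resolved):
    return {
        "host": host,
        "failed": [r["name"] for r in run],
        "resolved": resolved["name"] if resolved else None,
        "answer": resolved.get("answer") if resolved else None,
    }


def find_lookup_chains(records, min_failures=3):
    """One finding per run of >= min_failures similar names that got NXDOMAIN;
    'resolved' is the name that finally answered, or None if the run just stopped."""
    per_host = defaultdict(list)
    for r in records:
        per_host[r["host"]].append(r)
    findings = []
    for host, recs in per_host.items():
        run = []  # consecutive NXDOMAIN records with similar names
        for r in recs:
            if run and not similar(run[-1]["name"], r["name"]):
                if len(run) >= min_failures:
                    findings.append(_finding(host, run, None))
                run = []
            if r["rcode"] == "NXDOMAIN":
                run.append(r)
            else:
                if len(run) >= min_failures:
                    findings.append(_finding(host, run, r))
                run = []
        if len(run) >= min_failures:
            findings.append(_finding(host, run, None))
    return findings


# Matches "...\Application Data\<dir>\<file>.exe" as in the paths quoted above.
DROP_PATH_RE = re.compile(
    r"\\Application Data\\([A-Za-z0-9]+)\\([A-Za-z0-9]+)\.exe$", re.IGNORECASE
)


def looks_random(token):
    """Heuristic (this example's own): long consonant runs and few vowels,
    as in 'amhldfbyjmg', versus vendor-style names such as 'Microsoft'."""
    letters = "".join(ch for ch in token.lower() if ch.isalpha())
    if len(letters) < 6:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in letters) / len(letters)
    longest_run = max((len(m) for m in re.findall(r"[^aeiou]+", letters)), default=0)
    return longest_run >= 3 and vowel_ratio <= 0.3


def is_suspicious_drop_path(path):
    """Flag an .exe under Application Data whose folder and file names both look random."""
    m = DROP_PATH_RE.search(path)
    return bool(m) and looks_random(m.group(1)) and looks_random(m.group(2))


if __name__ == "__main__":
    for f in find_lookup_chains(parse_dns_log(SAMPLE_DNS_LOG)):
        print("%s: %d failed lookups, then %s -> %s"
              % (f["host"], len(f["failed"]), f["resolved"], f["answer"]))
    for p in (r"%UserProfile%\Application Data\amhldfbyjmg\kskzjmtypb.exe",  # from the write-up
              r"%UserProfile%\Application Data\Microsoft\setup.exe"):        # constructed benign path
        print(p, "->", "suspicious" if is_suspicious_drop_path(p) else "ok")
```

The DNS check keys on the sequence rather than on any fixed domain, so it still fires when the attacker rotates names; the path check is deliberately a heuristic and should be paired with the concrete paths quoted above as plain indicators, since short benign names can occasionally look random too.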

Symantec detects this malware as Trojan Horse and advises users to be on their guard and to follow these security best practices:

* Exercise caution when receiving unsolicited, unexpected, or suspicious emails

* Avoid clicking on links in unsolicited, unexpected, or suspicious emails

* Avoid opening attachments in unsolicited, unexpected, or suspicious emails

* Keep security software up-to-date

* Update antispam signatures regularly
