News
Sophos is warning about a new spam campaign that threatens recipients with disconnection from the Internet for illegal activities (e.g. pirating software, movies, music etc.). Many users have probably already been frightened by the following subject line in their inbox: "Your Internet access is going to get suspended", coming from the "ICS Monitoring Team". Below is a screenshot of a sample email belonging to this spam campaign:
The senders of these emails claim that a report of the recipient's illegal activities in the past six months is documented in the attached .zip file called user-EA49943X-activities.zip. The extracted archive contains user-EA49943X-activities.exe. Security experts note that the file names can differ from email to email. As soon as recipients open the attached file, their computers are infected with a Trojan designed to establish communication with remote hackers. The cyber criminals are then able to break into the user's computer and use it for their own criminal financial purposes.
VirusTotal, a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans and all kinds of malware detected by antivirus engines, reports that only 8 of the 36 (22.22%) anti-virus engines can currently detect this Trojan. A list of these engines and the name of the identified threat are provided below:
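A mail-gateway style check for the lure described above, added here as an example (not code from Sophos or from the original article): it opens each .zip attachment in memory and reports members that are executable by extension or by MZ header, so a renamed file name does not hide the payload. The extension list, the function names and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Extensions Windows runs on double-click (illustrative, not exhaustive).
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def executable_members(zip_bytes):
    """Names of archive members that look executable by extension or MZ header."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits  # not a readable archive
    for info in zf.infolist():
        try:
            with zf.open(info) as fh:
                is_pe = fh.read(2) == b"MZ"
        except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
            is_pe = False  # encrypted/unsupported member: fall back to the name
        if is_pe or info.filename.lower().endswith(EXEC_EXT):
            hits.append(info.filename)
    return hits

def scan_message(raw):
    """Map each .zip attachment to the executable members found inside it."""
    findings = {}
    for part in message_from_bytes(raw).walk():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            hits = executable_members(part.get_payload(decode=True) or b"")
            if hits:
                findings[name] = hits
    return findings

def build_sample(member="user-EA49943X-activities.exe", data=b"MZ constructed"):
    """Constructed message; the member is harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    msg = EmailMessage()
    msg["From"] = "ICS Monitoring Team <sender@example.invalid>"
    msg["Subject"] = "Your Internet access is going to get suspended"
    msg.set_content("constructed body")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="user-EA49943X-activities.zip")
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` returns the attachment name mapped to the flagged member; a gateway would quarantine any message with a non-empty result instead of relying on signature coverage alone.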
Everybody is advised to keep their anti-virus software up to date and not to trust any unsolicited emails, no matter how serious they may look. Even if you have been pirating software, video or music (which is, as you should know, illegal), don't allow spammers to trick you!
Resources:
Sophos Report
Your internet access is going to get suspended virus
Virustotal Results
ISP disconnection trojan exploits 'net addiction'
Latest Comments
2009-01-04 09:38:26


The malware registers a Winlogon notification package so that the installed module is loaded into the address space of winlogon.exe. The files cabpck.dll (known as Mal/TinyDL-T by Sophos), k86.bin and krnlcab.sys (known as Backdoor:Win32/Haxdoor by Microsoft) are created in the %System% folder. A directory %Temp%\msi_setup will be created and a new connection with some host is made: http://****-****.biz/jerke/data.php?trackid=706172616D3D6 or http://*****.net/22/data.php?trackid=7061 72616D3D636D64266C616E6.
