Some cleverly designed emails, purporting to originate from Symantec, have been seen doing the rounds in the past few days. They attempt to trick recipients into downloading a malicious removal tool.
Experts from Websense have analyzed these emails and determined that they seem to come from various spoofed email addresses such as: email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org.
Although this is currently only a low-volume campaign, the official-looking addresses combined with the well-designed notification could easily give it a high success rate.
Inside the body of the email there’s a message that reads “Scanning system.” Once this fake scan is complete, a warning notifies the victim that a piece of malware called W32.Swizzor.C-WORM is present on the computer.
The download link, which apparently leads to an application that can be used to remove the threat, serves RemovalTool.exe.
A closer look at the app has revealed that it connects to a command and control server to download other malicious executable files.
We advise users to take a good look at the sample and avoid such emails as much as possible.