Symantec has discovered a new spoofed email circulating in Japan, after several local companies confirmed receiving messages that appear to come from a Japanese government agency. According to the security company, the email tells recipients that the government has made some organizational changes and that, to view them, they must download and open two attached files. The files, 0414.xls and 0414.exe, are delivered inside a ZIP archive.
The XLS file contains a list of names and addresses, Symantec explains. The information looks genuine, but there is no way to tell whether it is real; either way, the spreadsheet is not the dangerous part of the attachment. "There is no evidence to suggest that any exploit attempts are made on this file," the security company states.
The executable is the real payload, and no exploit is involved: the victim has to run it. 0414.exe is Backdoor.Darkmoon, a Trojan horse which "opens a back door on a compromised computer and has keylogging activities," as Symantec wrote in a security notification published on February 13, 2007.
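An analyst triaging an attachment like this one would want to look inside the archive before anyone opens it. The following Python script is an added example, not part of the original article or of Symantec's analysis: it lists the members of a ZIP attachment and flags Windows executables by their PE magic bytes rather than by extension alone, so an .exe renamed to .xls is still caught. The member names 0414.xls and 0414.exe come from the article, but their contents are constructed fake headers, not the real files, and the third member memo.xls is a hypothetical renamed executable added to show the content check at work.

```python
import io
import os
import zipfile

# Magic numbers used to identify the two file types seen in the reported attachment.
PE_MAGIC = b"MZ"                                  # DOS stub header every Windows PE file starts with
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound document (legacy .xls/.doc/.ppt)

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
OLE2_EXTENSIONS = {".xls", ".doc", ".ppt"}


def classify_member(name, head):
    """Return (verdict, reason) for one archive member from its name and first bytes."""
    ext = os.path.splitext(name)[1].lower()
    is_pe = head.startswith(PE_MAGIC)
    is_ole2 = head.startswith(OLE2_MAGIC)

    if is_pe:
        if ext in EXECUTABLE_EXTENSIONS:
            return "block", "Windows executable"
        return "block", "Windows executable disguised with a %s extension" % (ext or "missing")
    if ext in EXECUTABLE_EXTENSIONS:
        return "block", "executable extension"
    if ext in OLE2_EXTENSIONS and not is_ole2:
        return "suspicious", "extension claims an Office document but the content is not OLE2"
    return "allow", "no executable content detected"


def scan_zip_attachment(data):
    """Scan every member of a ZIP attachment held in memory; returns one dict per file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(8)  # enough bytes for both magic numbers
            verdict, reason = classify_member(info.filename, head)
            findings.append({"name": info.filename, "verdict": verdict, "reason": reason})
    return findings


def overall_verdict(findings):
    """Collapse the per-member results into one decision for the whole attachment."""
    verdicts = {f["verdict"] for f in findings}
    if "block" in verdicts:
        return "block"
    if "suspicious" in verdicts:
        return "suspicious"
    return "allow"


def build_sample_attachment():
    """Constructed stand-in for the reported archive. Only the member names 0414.xls and
    0414.exe come from the article; the bytes are fake headers, not the real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("0414.xls", OLE2_MAGIC + b"\x00" * 504)         # looks like an empty OLE2 file
        zf.writestr("0414.exe", PE_MAGIC + b"\x90" + b"\x00" * 61)  # PE header stub, not runnable
        # Hypothetical extra member: an executable renamed to look like a spreadsheet,
        # to show that the magic-number check does not rely on the extension.
        zf.writestr("memo.xls", PE_MAGIC + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    results = scan_zip_attachment(build_sample_attachment())
    for r in results:
        print("%-10s %-10s %s" % (r["name"], r["verdict"], r["reason"]))
    print("attachment verdict:", overall_verdict(results))
```

Run against the constructed archive, the script allows 0414.xls, blocks 0414.exe on both its extension and its PE header, and blocks memo.xls on its header alone. A mail gateway applying this logic would have stopped the reported attachment on the .exe member regardless of what the covering message said.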
"At the time of writing, we have seen several variants of Backdoor.Darkmoon associated with this spam attack. One variant saves stolen information as the filename msvidctl, sends it to the remote attacker, and awaits further commands from cyhk.****.org. Another variant sends information as the filename taskame to hi222.****.org and opens a back door to the same site," Shunichi Imano of Symantec explains.
You have heard this before, but it bears repeating: do not open attachments from sources you do not trust, and never run an executable delivered inside an archive, no matter how official the covering message looks. A government agency announcing organizational changes has no reason to send you an .exe file. Keep your antivirus definitions current and apply the latest security patches for your operating system as well. None of this is a guarantee, but it greatly improves your chances of staying on the safe side.