Fake lawsuit notifications used as a ruse

Mar 30, 2010 13:52 GMT

A new email malware distribution campaign has adopted a lawsuit notification theme. The fake messages include links to malicious files or hide them inside attached documents.

The purpose of this scheme is to scare users into downloading and installing a trojan onto their computers, especially since the alleged lawsuits are related to copyright infringement. Sending legal action threats via email is a common method of discouraging illegal file sharing, which makes this kind of message even more credible.

The first sentence in the fake emails is different, depending on whether they direct users to a link or have a document attached. The name of the cited plaintiff and that of the attorney who allegedly signed the message can also differ. Reputed law firms such as Marcus Law Center and Crosby & Higgins are falsely presented as being senders of the bogus lawsuit notifications.

"To Whom It May Concern: On the link below/Enclosed is a copy of the lawsuit that we filed against you in court on March 15, 2010. Currently the Pretrail (sic.) Conference is scheduled for April 15th, 2010 at 10:00 A.M. In courtroom #12. The case number is [number]. The reason the lawsuit was filed was due to a completely inadequate response from your company for copyright infringement that our client [company name] is a victim of. [Company name] has proof of multiple Copyright Law violations that they wish to present in court on April 15th, 2010," the messages read.

"The first sample contains an embedded link to a copy of the 'lawsuit' while the second has a .DOC file attachment that contains details of the said 'lawsuit.' Clicking the link or opening the file attachment, however, led to the download of malicious files detected by Trend Micro as TROJ_AGENT.STM and TROJ_DLOADR.AUI instead of more details on the supposed lawsuit," security researchers from Trend Micro, who analyzed this spam campaign, warn.

Meanwhile, antivirus experts from Sunbelt point out that a similar technique of hiding infected .EXEs in documents has been observed in a different email spam run. When opening the attached .DOC files, users are presented with the icon and name of what appears to be a .PDF document. However, the image is linked to an embedded executable file.

Users are advised to exercise increased caution when faced with the decision of opening links or attachments in emails. Yesterday evening, this malware had a fairly low AV detection rate, with only 13 out of 41 antivirus engines on VirusTotal being able to block it.
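For mail filtering, the embedded-executable trick Sunbelt describes can be checked for directly. The following Python sketch is an added example, not code from Trend Micro, Sunbelt or this article: it flags an OLE .DOC attachment whose bytes contain a Windows PE image. It assumes the embedded file is stored contiguously so that a raw byte scan can see it; the file names, the 0x1000 bound and the sample byte strings are constructed for the example.

```python
import struct

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound file header (.DOC)

def find_embedded_pe(data: bytes, max_lfanew: int = 0x1000) -> list:
    """Return offsets of every DOS 'MZ' header whose e_lfanew field
    points at a 'PE\\0\\0' signature inside the same buffer."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            # e_lfanew lives at offset 0x3C of the DOS header (little-endian).
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            # max_lfanew is a heuristic bound chosen for this example.
            if 0x40 <= e_lfanew <= max_lfanew and data[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def triage_attachment(name: str, data: bytes) -> dict:
    """Flag Word documents that carry an embedded Windows executable."""
    is_doc = data.startswith(OLE_MAGIC)
    offsets = find_embedded_pe(data) if is_doc else []
    return {"name": name, "ole_document": is_doc,
            "pe_offsets": offsets, "quarantine": bool(offsets)}

def _constructed_pe_stub() -> bytes:
    # Constructed sample: 64-byte DOS header with e_lfanew=0x40, then PE signature.
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + b"\0" * 20

# Constructed inputs (not real samples): one clean document, one carrying a PE.
CLEAN_DOC = OLE_MAGIC + b"\0" * 504 + b"Minutes of the MZ committee meeting" + b"\0" * 64
LURE_DOC = OLE_MAGIC + b"\0" * 504 + b"lawsuit.pdf\0" + _constructed_pe_stub()

if __name__ == "__main__":
    for name, blob in (("minutes.doc", CLEAN_DOC), ("lawsuit.doc", LURE_DOC)):
        print(triage_attachment(name, blob))
```

A stray "MZ" in document text does not trigger the check, because the match also requires a valid `e_lfanew` pointer to a PE signature. An embedded file fragmented across compound-file sectors would need the streams to be reassembled first.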
