Aug 20, 2010 20:34 GMT  ·  By

A new wave of spam emails purporting to be automated messages sent by Xerox WorkCentre Pro machines are distributing a trojan from the Oficla family of malware.

The WorkCentre Pro is a rather popular series of multifunctional devices incorporating copying, printing, scanning and faxing functions manufactured by Xerox.

The devices, which are typically used in companies and other organizations, have the ability to automatically send emails with scanned copies of documents.

It looks like malware pushers have copied the scanner's email template again and used it to craft infected emails that look familiar to a lot of people in office environments.

"MX Lab intercepted some emails with the subject 'Scan from a Xerox WorkCentre Pro N 6204257' that contain the latest Oficla trojan variant," the Belgian email security vendor advises.

The last part of the subject can vary, with the MX Lab researchers seeing variants that end in "$6208924," "#7943943" and "N9700617."

However, the email's body remains unchanged and is identical to the one used in a previous spam run, which we reported in the middle of last month:

    Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

    Sent by: Guest
    Number of Images: 1
    Attachment File Type: ZIP [DOC]

    WorkCentre Pro Location: machine location not set
    Device Name: XRX6919AA7ACDB46116749

    For more information on Xerox products and solutions, please visit

    http://www.xerox.com

The malicious attachment is called "Tax report.zip" and contains a Xerox_doc.exe file which, if executed, installs a variant of the Oficla trojan. As of yesterday, only 10 of the 42 antivirus engines on VirusTotal detected this sample as malicious.
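The indicators described above (a "Scan from a Xerox WorkCentre Pro" subject with a varying numeric suffix, the fixed body template, and a ZIP attachment that carries an executable instead of a scanned document) are easy to check at a mail gateway. The following is an added example written for this article, not code from MX Lab, Softpedia or Xerox; it builds constructed sample messages with placeholder attachment bytes (no real payload) and assesses each one. The function names `build_sample` and `assess_message`, the subject regex, and the list of executable extensions are assumptions chosen for the example.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subject pattern reported in the article: the fixed prefix followed by a
# separator (N, $ or #), optional space, and a run of digits.
SUBJECT_RE = re.compile(r"Scan from a Xerox WorkCentre Pro\s*[N$#]\s*\d+", re.I)

# Body template quoted in the article (used here as constructed sample content).
BODY_TEMPLATE = (
    "Please open the attached document. It was scanned and sent to you "
    "using a Xerox WorkCentre Pro.\n\nSent by: Guest\nNumber of Images: 1\n"
    "Attachment File Type: ZIP [DOC]\n\nWorkCentre Pro Location: machine "
    "location not set\nDevice Name: XRX6919AA7ACDB46116749\n"
)

# A scanner never ships executables inside its "scanned document" ZIP.
# (Assumed list for this example.)
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def zip_member_names(data: bytes) -> list:
    """Return the member names of a ZIP attachment (empty list if not a valid ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def assess_message(raw: bytes) -> dict:
    """Assess a raw RFC 822 message against the lure described in the article.

    Verdicts: "block" when a ZIP attachment contains an executable,
    "review" when only the subject/body template matches (a real scanner
    would also produce that), "ok" otherwise.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body else ""
    reasons, block = [], False

    if SUBJECT_RE.search(subject):
        reasons.append("subject matches WorkCentre Pro scan lure")
    if "scanned and sent to you using a Xerox WorkCentre Pro" in body_text:
        reasons.append("body matches known template")

    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if filename.lower().endswith(".zip"):
            bad = [m for m in zip_member_names(payload)
                   if m.lower().endswith(EXECUTABLE_EXTS)]
            if bad:
                block = True
                reasons.append(f"ZIP attachment {filename!r} contains executable(s): {bad}")

    verdict = "block" if block else ("review" if reasons else "ok")
    return {"subject": subject, "verdict": verdict, "reasons": reasons}


def build_sample(subject: str, attachment_name: str, member_name: str) -> bytes:
    """Construct a sample message mimicking the lure (placeholder bytes, no real payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder bytes, not an executable")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "scanner@example.invalid"   # constructed sender
    msg["To"] = "user@example.invalid"        # constructed recipient
    msg.set_content(BODY_TEMPLATE)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, zip_name, member in [
        ("Scan from a Xerox WorkCentre Pro N 6204257", "Tax report.zip", "Xerox_doc.exe"),
        ("Scan from a Xerox WorkCentre Pro $6208924", "Tax report.zip", "Xerox_doc.exe"),
        ("Scan from a Xerox WorkCentre Pro N 1234567", "scan.zip", "scan001.pdf"),
        ("Weekly report", "report.zip", "report.docx"),
    ]:
        result = assess_message(build_sample(subj, zip_name, member))
        print(result["verdict"], "|", result["subject"], "|", result["reasons"])
```

The verdict split matters in practice: a genuine WorkCentre Pro notification matches the subject and body too, so the template alone only earns a "review"; the executable inside the ZIP is what turns it into a "block". The same structure extends to other forged device notifications by swapping the subject pattern and template string.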

Users who fall victim to this threat will likely start receiving fake security alerts recommending a rogue antivirus product soon after infection, because Oficla is being used as a scareware distribution platform.

The practice of abusing familiar email templates to trick users is one we have seen a lot recently. Users are advised to exercise caution when visiting links in emails or opening attachments, even if they appear to come from a trusted source.