The Answer to the ‘Profile Question’ Is a Trojan Horse

Dutch speaking users are targeted these days in a spam campaign that tries to confuse them in order to get them to click on a link.

“Good morning, The answer to your question about the profile on the website 30.11.2011. [LINK] We are pleased to collaborate in the future,” reads in Dutch the sample provided by Mxlab.

The link contained in the notification points to a malicious location that was discovered to host a Trojan horse identified by Symantec as Downloader.Dromedan. Dromedan will execute files, create registry subkeys and inject itself into the svchost.exe process in the attempt of contacting some Russian servers.

Fortunately, most security solutions providers detect the threat and the websites the links point to were blocked. But as a precaution, users are advised to avoid such emails since the domains can easily change and the threat can always be replaced with something that’s undetected by antivirus programs.