When the IRS alerts you there's something wrong, you're probably dealing with a phisher

Oct 5, 2011 09:31 GMT  ·  By

Another IRS-themed malware campaign has been spotted in the wild; the message is new, but the way it works remains the same.

Unsuspecting victims receive an email which seems to come from the much-feared institution with the subject “Federal Tax Report,” containing a message that reads something like “There are arrears reckoned on your account over a period of 2010-2011 year. You will find all calculations according to your financial debt, enclosed. Sincerely, IRS”

I must admit that the “Sincerely, IRS” signature adds a touch of class to the whole sham, making the agency look more humane.

AppRiver reported quarantining roughly 10 thousand of these emails per hour over the recent period, each carrying an attachment with a name along the lines of Calculations_#54585.zip.

The calculations.exe file inside the archive opens a connection to the falcononfly2006.ru host. The response to that request infects the victim's machine with a second piece of malware, Trojan.Yandere, usually associated with fake anti-virus software.

Rogue AV programs constantly alert the user to a supposed system infection and demand payment to remove the "virus" or fix the "error."

These malicious programs are not easy to uninstall, so be extra careful when opening an attachment, especially one that claims to come from an institution that rarely communicates this way. Techniques also exist that let attackers spoof the sender's email address, so even if a message seems to come from a friend or a trusted company, treat it with suspicion: you never know what might be hiding in an innocent-looking zip file.
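The campaign above relies on a zip attachment whose only member is an executable. The following added example (not code from the original article or from AppRiver) shows the kind of check a mail gateway or a cautious recipient can run on an attachment before it is opened: it lists the archive's members, flags executable file types and double extensions by name, and also reads the first two bytes of each member so that a Windows program renamed to look like a document (a PE file starts with the `MZ` signature) is still caught. The sample archives are constructed in the code itself; the "executable" is only a stub beginning with the MZ magic bytes and does nothing.

```python
import io
import os
import zipfile

# File types that Windows will execute directly when double-clicked.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar", ".msi"}
# Harmless-looking types that attackers put in front of a real executable extension.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def inspect_zip_attachment(data: bytes) -> list:
    """Return the reasons an attachment looks dangerous; an empty list means nothing was found."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # A broken archive is itself worth flagging: nothing legitimate should arrive unreadable.
        return ["not a valid zip archive"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = os.path.basename(info.filename)
            stem, ext = os.path.splitext(base.lower())
            if ext in EXEC_EXTENSIONS:
                findings.append(f"{base}: executable file type {ext}")
                # "report.pdf.exe" style naming: the part before the real extension has one too.
                inner_ext = os.path.splitext(stem)[1]
                if inner_ext in DECOY_EXTENSIONS:
                    findings.append(f"{base}: double extension {inner_ext}{ext}")
            # Check content, not only the name: a Windows PE file always starts with "MZ".
            with zf.open(info) as member:
                head = member.read(2)
            if head == b"MZ" and ext not in EXEC_EXTENSIONS:
                findings.append(f"{base}: Windows PE header (MZ) behind a non-executable name")
    return findings


def build_sample_zip(members: dict) -> bytes:
    """Constructed test data: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed stand-in for a PE file: the MZ signature followed by filler. It is not runnable.
FAKE_EXE = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode."

SAMPLES = {
    "campaign-style attachment": build_sample_zip({"calculations.exe": FAKE_EXE}),
    "renamed executable": build_sample_zip({"calculations.pdf": FAKE_EXE}),
    "double extension": build_sample_zip({"report.pdf.exe": FAKE_EXE}),
    "plain text report": build_sample_zip({"report.txt": b"nothing to see here"}),
    "corrupt attachment": b"this is not a zip archive",
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label}: {inspect_zip_attachment(blob) or 'clean'}")
```

The name-based checks are cheap but easy to evade by renaming, which is why the content check on the `MZ` signature is the one that matters most; a production filter would go further (scan nested archives, password-protected zips, Office macros) but the structure is the same.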

Also, make sure you have an up-to-date anti-virus solution, as these usually detect even the newest pieces of malware.

If by mistake you do get stuck with a fake AV, you can remove it with an anti-spyware application or delete it manually. To do this you must end the process that keeps the rogue program running, then remove its entries from the registry to make sure no trace of it is left.