Dec 14, 2010 18:41 GMT

Security researchers from Belgian email security vendor MX Lab warn about a new wave of malicious emails that direct users to download scareware hosted at RapidShare.

According to MX Lab, the emails are sent from randomly spoofed addresses and carry almost no text. The body contains nothing but a link of the form http://rapidshare.com/files/[censored]/surprise.exe.
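As an added illustration, not code from MX Lab or from the original article, the following Python triage rule captures the lure pattern described above: a message whose body is essentially nothing but a link to an executable on a file-sharing host. The host list, the word threshold and the sample messages are constructed for this example, and the numeric file ID in the sample link is made up rather than the censored one from the campaign.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts a mail gateway would treat as anonymous file-sharing sites.
FILE_HOSTS = {"rapidshare.com", "www.rapidshare.com"}
# Assumption: extensions Windows will execute directly when the download is opened.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample bodies; the file ID is invented for the example.
SAMPLE_MESSAGES = [
    "http://rapidshare.com/files/123456789/surprise.exe",
    "Hi Bob, here is the quarterly report you asked for: "
    "http://rapidshare.com/files/123456789/surprise.exe "
    "Let me know if you have any questions.",
    "Meeting moved to 3pm, agenda at http://example.com/agenda.html",
]


def extract_urls(body):
    """Pull URLs out of a plain-text body, dropping punctuation glued to the end."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(body)]


def is_executable_download(url):
    """True when the URL is a direct executable download on a known file host."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower().rstrip("/")
    return host in FILE_HOSTS and path.endswith(EXECUTABLE_SUFFIXES)


def is_link_only_body(body):
    """True when, once the URLs are removed, almost nothing is left of the message."""
    residue = URL_RE.sub("", body)
    words = re.findall(r"\w+", residue)
    return len(words) <= 3  # assumption: three stray words or fewer counts as "link only"


def triage_message(body):
    """Return (verdict, offending_urls) for one message body.

    quarantine: the body is nothing but executable download links (the lure here)
    flag:       an executable download link embedded in otherwise normal text
    allow:      no executable download links at all
    """
    urls = extract_urls(body)
    exe_links = [u for u in urls if is_executable_download(u)]
    if not exe_links:
        return "allow", []
    if is_link_only_body(body):
        return "quarantine", exe_links
    return "flag", exe_links


if __name__ == "__main__":
    for body in SAMPLE_MESSAGES:
        verdict, links = triage_message(body)
        print(f"{verdict:10s} {links}")
```

The split between "quarantine" and "flag" matters in practice: a link-only body from a spoofed sender is the signature of this campaign, while an executable link inside a longer message deserves review rather than silent dropping, since legitimate users do occasionally share installers this way.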

The file currently has a fairly low detection rate on VirusTotal, with 16 of the 43 antivirus engines detecting it.

Some of the products detect it as a fake antivirus program, also known as scareware or rogueware, while others flag it as a trojan downloader.

The scareware classification is the one more consistent with MX Lab's analysis, which notes that the malware drops a file named 217103390.exe (the name varies) in the user's Application Data folder and a "Security Shield.lnk" shortcut in the Start Menu's Programs folder.

A startup entry is also created under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce, so that the program is launched again after a reboot.

Windows removes a RunOnce value before executing the command it names, so such an entry only survives a single logon. It is therefore likely that the malware re-creates the entry every time it runs, which gives it the same persistence as an ordinary Run value.
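As an added example, not taken from MX Lab's analysis, the following Python snippet checks a dump of Run/RunOnce entries for the two host traits just described: an executable living under the user's profile data directories (Application Data on XP, AppData on later versions) and a purely numeric file name, with an extra note when such a program sits in RunOnce rather than Run. The sample entries, paths and thresholds are constructed for this example; on a live system the tuples would come from the registry (for instance via `winreg` or `reg export`) rather than a hard-coded list.

```python
import re
import ntpath

STARTUP_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Assumption: directories a packaged installer rarely uses for a persistent
# program but droppers favour because they are writable without admin rights.
USER_WRITABLE_DIRS = ("\\application data\\", "\\appdata\\", "\\local settings\\temp\\", "\\temp\\")
# Assumption: six or more digits and nothing else is "numeric" enough to be odd.
NUMERIC_NAME_RE = re.compile(r"^\d{6,}\.exe$", re.IGNORECASE)

# Constructed sample dump of (key, value name, command); the first entry mirrors
# the behaviour described in the article, the others are ordinary entries.
SAMPLE_ENTRIES = [
    (STARTUP_KEYS[1], "217103390", r"C:\Documents and Settings\Alice\Application Data\217103390.exe"),
    (STARTUP_KEYS[0], "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    (STARTUP_KEYS[0], "VendorUpdater", r'"C:\Program Files\Vendor\updater.exe" /silent'),
    (STARTUP_KEYS[0], "SyncClient", r'"C:\Users\alice\AppData\Roaming\SyncClient\sync.exe" /background'),
]


def command_target(command):
    """Extract the executable path from a Run/RunOnce command string.

    Quoted paths end at the closing quote; unquoted ones end at the first
    ".exe" so that paths containing spaces are kept whole.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def assess_entry(key, value_name, command):
    """Return a finding dict; an empty 'reasons' list means nothing stood out."""
    target = command_target(command)
    low = target.lower()
    reasons = []
    if any(d in low for d in USER_WRITABLE_DIRS):
        reasons.append("executable under user profile data directory")
    if NUMERIC_NAME_RE.match(ntpath.basename(target)):
        reasons.append("purely numeric executable name")
    if key.endswith("\\RunOnce") and reasons:
        # Windows deletes the value before running it, so a suspicious program
        # that keeps showing up here is re-creating its own entry on each run.
        reasons.append("suspicious program persisting via RunOnce")
    return {"key": key, "value": value_name, "target": target, "reasons": reasons}


def find_suspicious(entries):
    """Keep only the entries with at least one reason to look closer."""
    return [r for r in (assess_entry(*e) for e in entries) if r["reasons"]]


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_ENTRIES):
        print(f"{finding['value']}: {finding['target']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

The profile-directory check on its own is a triage aid rather than a verdict: per-user installers such as sync clients and updaters legitimately live under AppData, as the fourth sample shows. The combination of a numeric name, a profile-directory location and a RunOnce entry that keeps reappearing is the stronger signal for this family.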

Security Shield is a known family of fake antivirus programs that bombard users with bogus security alerts in an attempt to trick them into paying for a license.

Scareware distribution is a very profitable business for cybercriminals, who use the income it generates to fund other illegal activities and to pay for their infrastructure.

A quick Google search for this threat reveals reports of similar short emails, containing only a link to a file called surprise.exe hosted at RapidShare, going back to 2007.

In those cases, people reported that the rogue messages had been sent from their own email accounts to all of their contacts. It is therefore possible that compromised email accounts are involved in this attack as well.

People are advised to treat emails that contain links with a great deal of caution, even when they appear to come from trusted sources, and especially when the links point to .exe files.