Oftentimes we receive spammails or even what appears to be limited or targeted attacks. This is one of these.
The spam mail came in earlier today with the content as shown below:
The attached zip fil contains the malware:
Attached:
EFCC Petition.zip ->
File: EFCC Petition.scr
MD5: 46f03e16a0ab8bde63c3491773d8f590
When opened it drops a Word document spawning a shell: cmd.exe /c TempProforma.doc. See screendump below:
Interesting metadata from the document:
C:Documents and SettingsdotsukiMy DocumentsForms_WiPROFORMA.dot
The malcode is dropped as “sytem.exe”. Obviously the purpose of the malware is to steal various data through keylogging and harvesting data from eg. the clipboard and send it off to the attacker.
Communicates with:
sencosen.no-ip.biz -> 41.138.171.127 (Nigeria)
That specific IP adress have already been observed in numerous other incidents/abuse:
http://www.projecthoneypot.org/ip_41.138.171.127