This is a good one – came in this morning…no text at all, just an image in an email:
When the hell is the 27th of Juny? And the entire image is a link to www.annehelene.fr/XXXXXXXXXX.htm – the Xs are likely changed for every email, etc. If you mistype the link or go to the root of the site you get this – a seemingly legit French cooking site:
But if you go to the actual link from the email, you get a nice zip file to download…with a “USPSLabel PDF attachment” – the joke is that Acrobat is not even installed on this system:
Being the good user that I am, I launch the ‘USPSLabel PDF File’…first there’s a service host started – and if you notice it was started as a child of explorer…sign number 1:
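Two defender-side checks for the indicators described above, added here as example code that is not part of the original post: an archive entry named like a PDF that is really an executable, and a svchost.exe started by something other than services.exe. The zip contents, process events and the services.exe parent baseline are constructed assumptions, not data from the actual sample.

```python
import io
import zipfile

# Constructed stand-in for the zip described in the post: an executable named to
# look like a PDF shipping label, plus a harmless text file. Not the real sample.
def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("USPSLabel PDF.exe", b"MZ" + b"\x00" * 62)  # fake PE header only
        zf.writestr("readme.txt", b"Your shipping label is attached.")
    return buf.getvalue()

# Constructed process-creation events (pid, parent pid, image name), modelled on
# the post's "service host started as a child of explorer" observation.
SAMPLE_EVENTS = [
    {"pid": 612, "ppid": 504, "image": "services.exe"},
    {"pid": 880, "ppid": 612, "image": "svchost.exe"},    # normal service host
    {"pid": 1492, "ppid": 1004, "image": "explorer.exe"},
    {"pid": 3312, "ppid": 1492, "image": "svchost.exe"},  # odd parent: explorer.exe
]

EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

def suspicious_zip_entries(zip_bytes: bytes) -> list:
    """Entry names that look like a document but are Windows executables:
    PDF hint in the name with an executable extension, or PE magic "MZ"."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            with zf.open(info) as fh:
                magic = fh.read(2)  # DOS/PE files begin with b"MZ"
            if ("pdf" in name and name.endswith(EXEC_EXTS)) or magic == b"MZ":
                flagged.append(info.filename)
    return flagged

def svchost_with_odd_parent(events: list) -> list:
    """PIDs of svchost.exe whose parent is not services.exe (the normal Windows
    baseline, assumed here); an explorer.exe parent is the post's sign number 1."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["image"].lower() != "svchost.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or parent["image"].lower() != "services.exe":
            hits.append(e["pid"])
    return hits
```

The magic-byte check matters because a name check alone misses a dropper renamed to something innocuous; the parent check is cheap to run over Sysmon or EDR process-creation logs.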
Then I also noted an autostart for some random executable that was dropped:
Then the fun starts – more child processes!! YAY!!
It should be noted that the service host process has a connection open to an address that resolves to the Netherlands:
Then the usual fun begins – oh no! I’m infected!!!!
Nice! Live Security Platinum!!! Interestingly, taskkill won’t kill either of the processes…but ProcExp (and even good old TaskManager) can kill the processes.
Long story short: Never click any links in your email…and if you do, DO NOT DOWNLOAD ANYTHING EVER!!!!!!