Scanned Image from a Xerox WorkCentre - Virus



A fake Xerox WorkCentre, WorkJet Pro (or other scanner / copier) malware scam email looks like it comes from your own domain and claims to be a scanned image. Sometimes the FROM header suggests an HP scanner instead.

The attachment is a virus or trojan inside a zip file.

Some variants carry links instead, leading to malicious websites.


Subject: Scanned Image from a Xerox WorkCentre

Subject: Re: Fwd: Re: Scan from a Xerox W. Pro #583932

Subject: Re: Fwd: Fwd: Scan from a Xerox W. Pro #13887733

Subject: Scan from a Xerox WorkCentre

Subject: Scanned from a Xerox Multifunction Device

Reply to: scanner@[my domain].com
Device Name: Not Set
Device Model: MX-8564N
Location: Not Set

File Format: PDF (Medium)
File Name: Scan_12-12-2012-23.zip
Resolution: 200dpi x 200dpi

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http:// www.adobe.com/

Scan_12-12-2012-23.zip (93)

  

Reply to: Xerox.WorkCentre@[my domain].com 
Device Name: Not Set
Device Model: Scab-9396N
Location: Not Set

File Format: PDF (Medium)
File Name: Xerox_Scan_06-04-2013-390.zip
Resolution: 200dpi x 200dpi

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http:// www.adobe.com/

Xerox_Scan_06-04-2013-390.zip (82)

 

A Document was sent to you using a XEROX WorkJet PRO 0388000550.    
SENT BY : WINIFRED IMAGES : 6
FORMAT (.JPEG) DOWNLOAD

 

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: [your domain]
Number of Images: 4
Attachment File Type: ZIP [PDF]

WorkCentre Pro Location: Machine location not set
Device Name: T6I4C2FRS5

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following
URL: http:// www.adobe.com/

Scan_883_19198206262013.zip (137)

 

Please download the document.  It was scanned and sent to you using a Xerox multifunction device.

File Type: pdf
Download: Scanned from a Xerox multi~8.pdf

multifunction device Location: machine location not set
Device Name: Xerox7723

For more information on Xerox products and solutions,
please visit http:// www.xerox.com

Scan_002_28378181_129.zip (16)

Headers samples:

Usually there is no HELO spoofing. The envelope sender spoofs whichever brand is popular at the time (NACHA, Fiserv, HSBC.co.uk, aexp.com). The FROM header spoofs your own domain so you will think the message came from your Xerox machine. Securebank.com is a common one to see.

cbl.abuseat.org usually classifies the sending hosts as Cutwail spambots.

Received: from ...ologies-pa.hfc.comcastbusiness.net [70.89.52.138]
X-Envelope-From: ach-status @nacha.org
From: Xerox WorkCentre <Xerox.Device7 @[my domain].com>

Received: from fiserv.com ([222.124.204.178]
X-Envelope-From: notification @fiserv.com
From: Xerox WorkCentre <Xerox.Device4 @[my domain].com>

Received: from aexp.com [122.248.121.28]
X-Envelope-From: fraud @aexp.com
From: "Administrator" <Administrator @[your domain]>
Subject: Scan from a Xerox WorkCentre

Received: from ...nnesota.hfc.comcastbusiness.net [75.146.36.186]
X-Envelope-From: notification @fiserv.com
From: Xerox WorkCentre <Xerox.Device5 @[my domain].com>

Received: from ...ngton.hfc.comcastbusiness.net [66.208.251.141]
X-Envelope-From: ach.status @nacha.org
From: Xerox WorkCentre <Xerox.Device3 @[my domain].com>

Received: from ....1-225.static.3bb.co.th [110.164.71.225]
X-Envelope-From: service @fiserv.com
From: Xerox WorkCentre <Xerox.Device9 @[my domain].com>

Received: from 96-25-236-161.nyc.clearwire-wmx.net [96.25.236.161]
X-Envelope-From: service @nacha.org
From: Xerox WorkCentre <Xerox.Device9 @[my domain].com>

Received: from 068-213-247-146.sip.mia.bellsouth.net [68.213.247.146]
X-Envelope-From: ach-status @nacha.org
From: Xerox WorkCentre <Xerox.Device1 @[my domain].com>

Received: from ...09.in-addr.dolandirectional.com [209.33.165.82]
X-Envelope-From: support @nacha.org
From: Xerox WorkCentre <Xerox.Device4 @[my domain].com>

Received: from 71-86-45-66.static.stls.mo.charter.com [71.86.45.66]
X-Envelope-From: notification @ato.gov.au
From: Xerox WorkCentre <Xerox.Device5 @[my domain].com>

Received: from ...7-202.nwblwi.dedicated.static.tds.net [74.87.95.130]
X-Envelope-From: Order @staplesadvantage.com
From: Xerox WorkCentre <Xerox.Device2 @[my domain].com>

Received: from c-69-180-113-209.hsd1.fl.comcast.net [69.180.113.209]
X-Envelope-From: Orders @staplesadvantage.com
From: Xerox WorkCentre <Xerox.Device7 @[my domain].com>

Received: from securebank.com [181.48.64.74]
X-Envelope-From: message @securebank.com
From: Xerox WorkCentre <Xerox.Device4 @[my domain].com>

Received: from dnb.com ([41.84.156.26])
X-Envelope-From: alert @dnb.com
From: "HP Digital Device" <HP.Digital4 @[my domain].com>

Received: from rrcs-64-183-233-39.sw.biz.rr.com [64.183.233.39]
X-Envelope-From: alert @dnb.com
From: "HP Digital Device" <HP.Digital6 @[my domain].net>

Attachment example:

2 July 2014

Scanned from a Xerox Multifunction Device.zip containing Scanned from a Xerox Multifunction Device.exe

VirusTotal report 

Qihoo-360: Malware.QVM07.Gen
Rising: PE:Malware.XPACK-HIE/Heur!1.9C48

LegalCopyright : Free license 2011
InternalName : Dodofot
FileDescription : Dodofer Application
OriginalFilename : dodofer.exe
CompanyName : Dodofot
ProductName : Dodofot Application

Malwr.com report 

Installs itself for autorun at Windows startup

Anubis report 

Files Created:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OdigItzah
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OdigItzah\IwdoDwefk.dat

Directories Created:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OdigItzah

Files Renamed:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OdigItzah\
to
C:\Documents and Settings\All Users\Application Data\IwdoDwefk

Keyboard Keys Monitored:
VK_ESCAPE (27)

Mutexes Created:
CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500M.....

9 January 2014

Scan_091_20140901_001.zip containing Scan_091_20140901_001.exe | VirusTotal report | Malwr report | File-Analyzer.net report

20 December 2013

Scan_001_12202013_911.zip containing Scan_001_12202013_911.exe | VirusTotal report  | Malwr.com report  | File-Analyzer.net  report

15 Oct 2013

VirusTotal report | Malwr.com report

April 2013

Xerox_Scan_04-29-2013-159.zip containing Xerox_Scan_04-29-2013-159.exe | VirusTotal report | Malwr.com report


Advice for organizations with network scanners:

Utah State University's IT department has some good advice for those of us with networked multi-function scanner devices. Quoting [redacted], USU IT Sec:

We ensure that all of our locally installed multifunction devices are customized so that scan-to-email messages have:

1) subject with sending office name instead of device brand
2) reply address that identifies the office
3) recognizable building location of the device
4) message body customized to include contact information for the sending office

As a result, our recipients tend to be a little bit skeptical of scan-to-email
messages with the factory default message format.
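The header pattern described under "Headers samples" (FROM claiming your own domain while the envelope sender and relaying host belong to someone else), the body and attachment tells visible in the quoted samples (factory-default "Not Set" fields, a body that announces a PDF but names a .zip, a zip wrapping an .exe), and the USU point that a customized scan-to-email format is easy to tell apart, can all be turned into one mail-gateway check. The following is an added example, not code from this page or from THL; `example.com`, the `10.0.0.0/8` range for internal devices, and both sample messages are constructed assumptions modelled on the samples above.

```python
import email
import io
import ipaddress
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                       # assumption: the recipient organization's domain
OUR_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: where the real MFDs and relays sit
# Factory-default strings seen in the scam bodies quoted on this page
DEFAULT_MARKERS = ("device name: not set", "location: not set", "machine location not set")
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(header_value):
    """Domain part of an address header, lowercased ('' if there is no address)."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def first_received_ip(msg):
    """Bracketed IPv4 literal in the topmost Received: line, i.e. the host that handed us the mail."""
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_IP.search(str(hdr))
        if m:
            return m.group(1)
    return None


def executables_in_zip(data):
    """Names inside a zip that carry an executable extension; [] if the data is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []


def analyze(raw):
    """Return a list of findings for a raw RFC 5322 message (empty list = nothing suspicious)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    env_dom = domain_of(msg.get("X-Envelope-From", ""))
    ip = first_received_ip(msg)
    if from_dom == OUR_DOMAIN:
        # Header From: says "our scanner", but the envelope and the relaying host say otherwise
        if env_dom and env_dom != OUR_DOMAIN:
            findings.append(f"From: claims {OUR_DOMAIN} but envelope sender domain is {env_dom}")
        if ip and not any(ipaddress.ip_address(ip) in net for net in OUR_NETS):
            findings.append(f"From: claims {OUR_DOMAIN} but was relayed from external host {ip}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(marker in text for marker in DEFAULT_MARKERS):
        findings.append("factory-default scan-to-email body (Device Name / Location not set)")
    if "file format: pdf" in text and re.search(r"file name: \S+\.zip", text):
        findings.append("body announces a PDF but the named file is a .zip")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            exes = executables_in_zip(part.get_payload(decode=True))
            if exes:
                findings.append(f"zip attachment {name} contains executable: {', '.join(exes)}")
    return findings


def build_sample(customized=False):
    """Constructed message, not a real capture. customized=False mimics the scam samples above;
    customized=True mimics a USU-style customized scan sent by an internal MFD."""
    msg = EmailMessage()
    if customized:
        msg["Received"] = "from mfd-lib114.example.com [10.1.2.3] by mx.example.com"
        msg["X-Envelope-From"] = "scanner-library@example.com"
        msg["From"] = "Library Scanner <scanner-library@example.com>"
        msg["Subject"] = "Scan from Library Circulation Desk"
        msg.set_content("Scanned at the Library Circulation Desk, Room 114.\n"
                        "Questions: libcirc@example.com, ext. 5555\n")
        msg.add_attachment(b"%PDF-1.4 (constructed placeholder)", maintype="application",
                           subtype="pdf", filename="Library_Scan_001.pdf")
    else:
        msg["Received"] = "from 71-86-45-66.static.stls.mo.charter.com [71.86.45.66] by mx.example.com"
        msg["X-Envelope-From"] = "notification@fiserv.com"
        msg["From"] = "Xerox WorkCentre <Xerox.Device5@example.com>"
        msg["Subject"] = "Scan from a Xerox WorkCentre"
        msg.set_content("Reply to: Xerox.WorkCentre@example.com\nDevice Name: Not Set\n"
                        "Device Model: Scab-9396N\nLocation: Not Set\n\nFile Format: PDF (Medium)\n"
                        "File Name: Xerox_Scan_06-04-2013-390.zip\nResolution: 200dpi x 200dpi\n")
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:  # harmless stand-in for the .exe-in-zip payload
            zf.writestr("Xerox_Scan_06-04-2013-390.exe", b"placeholder, not a program")
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename="Xerox_Scan_06-04-2013-390.zip")
    msg["To"] = "user@example.com"
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("scam", build_sample()), ("customized", build_sample(customized=True))):
        print(label, analyze(raw) or ["no findings"])
```

Run as-is it scores the constructed scam sample on all five tells and gives the customized internal scan a clean result; at a real gateway the interesting tuning knobs are `OUR_NETS` (every subnet your MFDs and trusted relays actually send from) and `DEFAULT_MARKERS`, which you can extend with whatever factory strings your own device fleet would emit if someone forgot to customize it.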
