

A fake WhatsApp email claims you missed a voice message and tells you to download it from the attachment.

The attached zip file contains an .exe, a trojan (in this case a downloader, see the VirusTotal names below).

The From header is spoofed so the message appears to come from "WhatsApp Messenger".

While the Asprox botnet made WhatsApp a fashionable brand to fake in malware emails, this series comes from Cutwail spambots, not Asprox bots.

Subject:  Missed voice message, "6:28"PM


New voicemessage.

Please download attached file
Jan 09 1:25PM PM
08 seconds

Whats App (12)

[Image: the fake WhatsApp voice message email with its attachment]

Header Examples:

The From header is spoofed to "WhatsApp Messenger", while the envelope sender (X-Envelope-From) still carries an address left over from a previous spam campaign. That mismatch is what classifies these as Cutwail spambots.

Received: from []
X-Envelope-From: service
From: "WhatsApp Messenger" <ctaylor>
Subject: Missed voice message, "3:26"PM

Received: from 253.192/ []
X-Envelope-From: status-update
From: "WhatsApp Messenger" <ctaylor>
Subject: Missed voice message, "3:28"PM

Received: from []
X-Envelope-From: no-reply
Subject: Missed voice message, "6:42"PM
From: "WhatsApp Messenger" <ctaylor>

Received: from []
X-Envelope-From: service
From: "WhatsApp Messenger" <ctaylor>
Subject: Missed voice message, "3:32"PM
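The three header traits above (a From display name claiming to be WhatsApp, an envelope sender that does not match the From domain, and the fixed subject template) can be checked mechanically. The following is an added example, not code from the original post. The page stripped the sender domains and source IPs, so the domains, the IP 203.0.113.45 and the benign control message in the sample are constructed assumptions, as is the list of domains a genuine WhatsApp notification would come from.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers above. The domains "oldcampaign.example",
# "spoofed.example" and the IP 203.0.113.45 are assumptions for illustration only.
SPAM_SAMPLE = """\
Received: from unknown (HELO mail) ([203.0.113.45])
X-Envelope-From: service@oldcampaign.example
From: "WhatsApp Messenger" <ctaylor@spoofed.example>
Subject: Missed voice message, "3:26"PM

New voicemessage.
"""

# Constructed benign control message (also an assumption).
BENIGN_SAMPLE = """\
From: "Alice Example" <alice@corp.example>
X-Envelope-From: alice@corp.example
Subject: Lunch tomorrow?

See you at noon.
"""

# Assumption: the domains a genuine WhatsApp notification would be sent from.
WHATSAPP_DOMAINS = {"whatsapp.com", "whatsapp.net"}

# The subject template seen across this campaign: Missed voice message, "H:MM"PM
SUBJECT_RE = re.compile(r'^Missed voice message, "\d{1,2}:\d{2}"\s*[AP]M$')


def address_domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def check_headers(raw_message):
    """Return a list of findings for the header traits this campaign shows."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = address_domain(msg.get("From"))
    envelope_domain = address_domain(msg.get("X-Envelope-From"))

    # Trait 1: the display name claims to be WhatsApp but the address domain is not.
    if "whatsapp" in display_name.lower() and from_domain not in WHATSAPP_DOMAINS:
        findings.append("display-name spoof: From claims WhatsApp, domain is %s" % from_domain)

    # Trait 2: an envelope sender left over from an earlier campaign differs from From.
    if envelope_domain and from_domain and envelope_domain != from_domain:
        findings.append("envelope/From domain mismatch: %s vs %s" % (envelope_domain, from_domain))

    # Trait 3: the campaign's fixed subject template.
    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        findings.append("subject matches campaign template")

    return findings


if __name__ == "__main__":
    for finding in check_headers(SPAM_SAMPLE):
        print(finding)
```

The envelope/From mismatch on its own is weak (mailing lists and forwarders produce it legitimately), which is why the check only reports it alongside the display-name and subject traits rather than treating it as proof of spam.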

Attachment samples: zip files containing Missed-message.exe
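A mail gateway does not need an AV signature to stop this attachment: a zip whose only member is a Windows executable named as a "voice message" is enough to quarantine. The following is an added example, not code from the original post; the zip it inspects is constructed in memory with a stub "Missed-message.exe" holding only the DOS "MZ" magic and filler bytes, not the real trojan, and the size cap is an assumed policy value.

```python
import hashlib
import io
import os
import zipfile

# Extensions Windows runs directly when the user double-clicks the extracted file.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".cpl", ".bat", ".cmd", ".js", ".vbs"}

# Assumed policy: refuse to inflate members larger than this. Spam droppers are small;
# a tiny zip that expands to gigabytes is a decompression bomb, not a voice message.
MAX_UNCOMPRESSED = 10 * 1024 * 1024


def build_constructed_attachment():
    """Constructed stand-in for the real attachment: a zip holding Missed-message.exe
    whose content is just the DOS 'MZ' magic and filler, not the actual malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Missed-message.exe", b"MZ" + b"\x90" * 126)
    return buf.getvalue()


def build_benign_attachment():
    """Constructed control: a zip holding only a text note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("notes.txt", b"nothing to see here\n")
    return buf.getvalue()


def inspect_zip(data):
    """Return one finding dict per suspicious member of the zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = os.path.basename(info.filename)  # ignore any directory component
            ext = os.path.splitext(name)[1].lower()  # catches double extensions too
            if info.file_size > MAX_UNCOMPRESSED:
                # Do not read it at all; report on the declared size only.
                findings.append({"name": name, "ext": ext, "mz_header": None,
                                 "sha256": None,
                                 "reason": "oversized member (%d bytes)" % info.file_size})
                continue
            payload = z.read(info)
            is_pe = payload[:2] == b"MZ"  # content check, independent of the name
            if ext in EXECUTABLE_EXTENSIONS or is_pe:
                findings.append({
                    "name": name,
                    "ext": ext,
                    "mz_header": is_pe,
                    "sha256": hashlib.sha256(payload).hexdigest(),
                    "reason": "executable in attachment",
                })
    return findings


if __name__ == "__main__":
    for finding in inspect_zip(build_constructed_attachment()):
        print(finding)
```

The content check (the "MZ" header) matters as much as the extension: the same campaigns rename the dropper to things like ".scr" or add a decoy ".mp3" before the real extension, and a name-only filter misses both.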

VirusTotal report (detection names at the time of writing):

Commtouch: W32/Trojan.GGLJ-3673
ESET-NOD32: a variant of Win32/Kryptik.BSXR
F-Prot: W32/Trojan3.HDX
McAfee: Artemis!7B6B62F144C0
McAfee-GW-Edition: Heuristic.LooksLike.Win32.Suspicious.J!81
Microsoft: TrojanDownloader:Win32/Upatre.A
Sophos: Mal/EncPk-ZC
TrendMicro: PAK_Generic.001

Starts servers listening on local ports
Performs some HTTP requests
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Operates on local firewall's policies and settings
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup

Contacts via tcp:

From the PCAP file, UDP traffic:

These addresses (Italy, Japan) had two-way UDP communication with the infected host.

These addresses (Korea, Republic of; Slovenia) were sent UDP packets but never answered.

Drops: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\budha.exe
Reads the hosts file; enables driver privileges
Checks for kernel debuggers
Contacts addresses in Panama and the European Union

Samples provided to Clam AV and Microsoft Security when this article was created.
