A fake funeral announcement email from someone like the Amos Family or Eubank Funeral Home claims you can find out more information for the memorial service by clicking a link.
The link goes to a compromised server run by the Asprox botnet, which may give you a kuluoz / dofoil trojan horse or other virus.
Doesn't spoof anything in particular, but usually the Envelope header matches the From header.
Subject: Death notification
The Amos Family
Hereby we want to share your sorrow for your dear friend who passed away on Friday, January 10, 2014.
You are cordially invited to express your sympathy in memory of your friend at a celebration of life service
that will be held on Monday, January 13, 2014 at the Ocker Funeral Home, Arkansas.
Please find more detailed information about the memorial service here.
Funeral Home Secretary,
Subject: Death notification
Funeral Home & Cremation Services
For this unprecedented event, we offer our deepest prayers of condolence and invite to you
to be present at the celebration of your friends life service on Thursday, January 17, 2014
that will take place at Eubank
Funeral Home at 11:00 a.m.
Please find invitation and more detailed information about the farewell ceremony here .
Best wishes and prayers,
Funeral home receptionist,
Copyright 2014 Funeral Home Website Design By: Frazer Consultants LLC
More info as it comes, but mostly doesn't spoof anything. In true asprox fashion, an email is consistent in From, Envelope, and HELO.
From: The_Amos_Family <Alpesh @spacestem.com>
Received: from mailer.xnote.com [22.214.171.124] X-Envelope-From: raymond @xnote.com From: Eubank Funeral Home <raymond @xnote.com> Subject: Death notification
The order link will go to some compromised website that, IF YOU USE THE RIGHT USER-AGENT, MAY provide you a zip file download containing an exe file. The asprox botnet has also been known to send Android-specific malware in the form of an .apk file if you use an Android user-agent, although it has been a while since we've seen that.
Using the wrong user-agent (eg. Mac or Linux) or no user-agent will get you no response, or a fake 404 not found error, or something like that.
thermorisecoil.com /box /z1KjMeIqtVzUG4foXEtmqehzrh5R63HCprglJMghxBo= /Funeral
mconnectsolutions.com /message /mhZneJfpSrH7ko//5zFBoQ0VYYn13DXPC4C4Ghmzfx8=/FuneralInvitation
The link, if the user-agent is right (Internet Explorer or sometimes Windows+Firefox), can give you a zip file containing an exe that is sometimes named with your city and zip code. They get that information from your ip address and a geo-ip database or service.
ESET-NOD32 a variant of Win32/Kryptik.BSLS
PE signature block Description Krebs Systems
Packers identified PEiD UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
The executable is compressed using UPX
Checks for the presence of known windows from debuggers and forensic tools
Drops: C:\Documents and Settings\Administrator\Local Settings\Application Data\fmrlamjh.exe
Data Obfuscation: Binary may include packed or encrypted data, Sample is packed with UPX
HIPS / PFW / Operating System Protection Evasion
Anti Debugging: Checks for kernel debuggers, Creates guard pages
Virtual Machine Detection: Binary or memory string: VBoxTray.exe, VMwareDragDetWndClass, VBoxService.exe
Hooking and other Techniques for Stealthness and Protection
Lowering of HIPS / PFW / Operating System Security Settings: Binary or memory string: wireshark.exe
Language, Device and Operating System Detection: Queries the volume information
If this was at least a little helpful, how about a +1, Like, or Tweet?