

A fake Eviction Letter or Eviction notice claims that your tenancy of the premises is terminated and you may be held criminally liable or forcibly removed.

The attached zip file contains an .exe virus or trojan horse.

Spoofs some law firm domain like,,,,,,,, or a fake law firm in the email headers.

Keep in mind that Perkins Coie / Davis Polk & Wardwell / Littler Mendelson / Kirkland & Ellis / Mayer Brown / Wilmer Cutler Pickering Hale and Dorr / Morrison & Foerster / Norton Rose Fulbright are real law firms and these emails are not from them.

This is an Asprox botnet email spreading Kuluoz / Dofoil malware.

Later versions claimed to be from property management companies or insurance companies.

Subject:  Notice to exit the premises No6855

Subject: Evition notice No0393

Subject: Eviction notification No6741

Subject: Urgent eviction notice No4117

Subject:  Vacate notice No5155

Eviction letter,

You are hereby notified that your tenancy of the premises specified
in the attachment to this letter is terminated on 03/26/2014 and on that day
you will be required to quit the occupied premises.

If you do not move until the specified date you will be fined
and held administratively or criminally liable.

Court bailiff,
Ava Tailor

Lawsuit_Details (110)

Subject: Notice to quit No2352

Eviction Notification,

Please be advised that you are obliged to
vacate the living space you occupy until March 27, 2014, 11 a.m.

If you do not vacate it in the specified terms,
the court will have to assign the forcible eviction for April 24, 2014, 11 a.m.
If nobody is home we will not be responsible for safe keeping of your belongings.
Besides, if you fail to comply with the requirements of the court bailiff
you will be fined for up to 200 minimum wage amounts
with a subsequent doubling of the penalty amount
and can be made criminally or administratively liable.

The details of the circumstances that caused the judicial decision
of eviction are attached herewith.

Court bailiff,

Subject: Notice to quit No6505

Eviction notification,

You are hereby given notice that you are in breach
of your tenancy of the premises you currently occupy.

To remedy the breach you have to quit
the premises within the following four weeks.

If you fail to comply you will be physically removed
and fined for up to 100 minimum monthly wages.

Detailed information is attached herewith.

Court secretary,

Lawsuit_Details (110)

Subject: Notice of eviction No5957

Notice to quit,

We regret to inform you that in the period until 04/25/14
you will have to relocate from the currently occupied premises.

If the property is not timely vacated we will have to apply sanctions against you.

Case details are attached to the present notice.

Court secretary,

Lawsuit_Details (108)

Subject: Eviction notification No1110

Eviction Notification,

Be advised that you must exit the occupied premises
until March 03, 2014 or be forcibly removed!

Any resistance will be met with strict legal sanctions
or forcible removal of your family from your home.

Find a copy of the vacate notice in the attachment to this notification.

Court representative,
PALMER Graves (108)

Subject: For the Attention of Household Member

Notice to move out,

As you have been failing to keep your payments
for the property, the bank has decided to foreclose on it
and now you are legally considered a trespasser.

First of all, you have to contact our office in order
we could make all arrangements for your move out
in the allowed time.
It is vital you contact us before March 20, 2014.

Enclosed are the bank resolution and our contact details.

Real estate agency,
Diana Smith (103)

Header Examples:

Spoofs some law firm like in the headers. Asprox tends to be consistent across the From, X-Envelope-From, and HELO values of one run. This series will iterate through several real law firms, as well as some made-up ones.

Received: from []
X-Envelope-From: support048
From: "Eviction Letter" <support048>
Subject: Eviction notification No6741

Received: from ( []
X-Envelope-From: service_notice
From: "Eviction Notice" <service_notice>
Subject: Notice to quit No9269

Received: from ( []
X-Envelope-From: support.3
From: "Eviction Notification" <support.3>
Subject: Vacate notice No6610

Received: from ( []
X-Envelope-From: manager
From: "Notice to quit" <manager>
Subject: Urgent eviction notification No6566

Received: from ( []
X-Envelope-From: information
From: "Eviction Letter" <information>
Subject: Notice to quit the occupied premises No7559

Received: from ( []
X-Envelope-From: service
From: "Vacate Notice" <service>
Subject: Urgent eviction notice No0173

Received: from ( []
X-Envelope-From: notice_support.4
From: "Eviction Notification" <notice_support.4>
Subject: Eviction notification No1110

Received: from ( []
X-Envelope-From: notice_support.6
From: "Notice to move out" <notice_support.6>
Subject: For the Attention of Household Member

An interesting artifact may be that the Windows NetBIOS name or hostname of the sending (infected) machine will be in the Message-ID header, in place of a mail server's domain.

Message-ID: <000d01cf1e88878ac7b24701a8c0 @columbia-08>
Message-ID: <000e01cf1e94c069620a9101a8c0 @LoveonaHanger>
Message-ID: <002601cf1e8f75130ecd0201a8c0 @Raysjoy-PC>
Message-ID: <001401cf1e8b3dc484e81407180a @HPT-CIRC-2>
Message-ID: <002801cf1e8226f51c660200a8c0 @Art-PC>
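As an added example, not code from the original post, the following Python check pulls together the header traits described above: an eviction-themed subject ending in NoNNNN, a Message-ID whose host part is a bare NetBIOS-style name rather than a mail server's domain, and a Lawsuit_Details zip attachment. The sample message is constructed for the example; its domain, IP address and MIME boundary are placeholders, not values from the campaign.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted above. The law firm
# domain, IP address and boundary are placeholders, not real campaign values.
SAMPLE = """Received: from mail.lawfirm.example ([192.0.2.10])
X-Envelope-From: support048@lawfirm.example
From: "Eviction Letter" <support048@lawfirm.example>
Subject: Eviction notification No6741
Message-ID: <000d01cf1e88878ac7b24701a8c0@columbia-08>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip; name="Lawsuit_Details.zip"
Content-Disposition: attachment; filename="Lawsuit_Details.zip"

dGVzdA==
--b1--
"""

# Eviction vocabulary seen in the quoted subjects (including the misspelled
# "Evition"), followed somewhere later by the NoNNNN suffix.
EVICTION_SUBJECT = re.compile(
    r"\b(eviction|evition|vacate|quit|notice to exit|move out)\b.*\bNo\d{4}\b", re.I)

# Message-ID host part with no dot at all: a bare Windows NetBIOS name or
# hostname (e.g. "Raysjoy-PC") rather than a mail server's FQDN.
BARE_HOST_MSGID = re.compile(r"<[^@>]+@([^.@>\s]+)>$")


def asprox_eviction_indicators(raw: str) -> list[str]:
    """Return the Asprox-style traits found in one raw RFC 822 message.

    An empty list means none of the three traits was present.
    """
    msg = message_from_string(raw)
    hits = []
    if EVICTION_SUBJECT.search(msg.get("Subject", "")):
        hits.append("eviction-themed subject with NoNNNN suffix")
    m = BARE_HOST_MSGID.search(msg.get("Message-ID", "").strip())
    if m:
        hits.append(f"Message-ID host part is a bare hostname: {m.group(1)}")
    for part in msg.walk():  # walk() visits every MIME part, including attachments
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") and "lawsuit_details" in name:
            hits.append(f"zip attachment named {name}")
    return hits


if __name__ == "__main__":
    for hit in asprox_eviction_indicators(SAMPLE):
        print("match:", hit)
```

Any one trait alone is weak evidence; scoring on all three together keeps ordinary mail with a legitimate FQDN in its Message-ID from being flagged.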

Attachment Samples:

31 January 2014

Lawsuit_Details containing Copy_Lawsuit_Details _Court _Bailiff.exe | VirusTotal report | report  

1 March 2014

VirusTotal report 

AntiVir TR/Dldr.Kuluoz.D.1281
BitDefender Trojan.Agent.BBYG
Bkav HW32.CDB.613e 20140228
CMC Packed.Win32.Obfuscated.4!O
Commtouch W32/Trojan.LZKC-0559
DrWeb BackDoor.Kuluoz.4
ESET-NOD32 Win32/TrojanDownloader.Zortob.B
Emsisoft Trojan.Agent.BBYG (B)
F-Prot W32/Trojan3.HPZ
F-Secure Trojan.Agent.BBYG
GData Trojan.Agent.BBYG
Microsoft TrojanDownloader:Win32/Kuluoz.D
Panda Suspicious file
Qihoo-360 Malware.QVM20.Gen
Rising PE:Malware.FakeDOC@CV!1.9C3B
Sophos Troj/Weelsof-CS
VIPRE Trojan.Win32.Generic!BT

Not much here, because Kuluoz trojans avoid VirtualBox (report):

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Drops: C:\Documents and Settings\Administrator\Local Settings\Application Data\dfitsjkj.exe
Binary may include packed or encrypted data
Creates mutex: \BaseNamedObjects\2GVWNQJz1
Detects virtual machines to hinder analysis (VM artifact strings found in memory)
Binary or memory string:
AV process strings found (often used to terminate AV products)
Binary or memory string:
Queries the cryptographic machine GUID
Queries the installation date of Windows
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device

About those attachments.

Asprox has always been big on keeping it fresh. They like to make a small change to the exe file so that it scans like new to many anti-virus suites. In the last couple of months they seemed to move to a three-times-a-day schedule, with each release being a new version of the malware. As of around 1 February 2014, it looks like almost EVERY exe is a little different. The basic functionality of the trojan is generally unchanged though: gain control of your computer.

Attached files examples and spoofed domains

More about Asprox

   Kimberly at on asprox

   Michal Ambroz at Rebus Snippets on asprox

   Herrcore's post on asprox

What happens when Asprox has control of your computer?

Among other things:

  Your computer can be used to spam more people with malware.

  Your computer can be used to commit advertisement fraud.

Samples provided to Clam AV and Microsoft Security when this article was created.
