

A series of fake Scottish Courts emails claims you are scheduled to appear for a hearing in court.

The attached zip contains an exe virus or trojan horse.


These are copy-cat emails, essentially using the older Asprox "notice to appear" email.

Subject:  Notice to appear in court XU#4553

Subject:  Notice to appear in court TO#6699

Subject: Notice to appear in court KV#0242

Notice to Appear,

Hereby you are notified that you have been scheduled to appear for your hearing that will
take place in the court of London in March 15, 2014 at 10:00 am.

Please bring all documents and witnesses relating to this case with you to Court on your hearing date.

The copy of the court notice is attached to this letter.
Please, read it thoroughly.

Note: If you do not attend the hearing the judge may hear the case in your absence.

Yours truly,
Clerk to the Court. (81)

Header Examples:

The From header is spoofed, and the Envelope carries a fake Gmail or Yahoo account. These are Cutwail spambots, not Asprox. Asprox wouldn't be caught dead mixing headers.

Received: from []
X-Envelope-From: gujaratize
Subject: Notice to appear in court KV#0242
From: "L McNamara" <L.McNamara>

Received: from []
X-Envelope-From: reluctantlyo2
From: "L McNamara" <L.McNamara>
Subject: Notice to appear in court TO#6699

Received: from []
X-Envelope-From: weathercocksg
From: "L McNamara" <L.McNamara>
Subject: Notice to appear in court EM#2153

Received: from []
X-Envelope-From: misstatementst2
From: "L McNamara" <L.McNamara>
Subject: Notice to appear in court XU#4553

Received: from []
X-Envelope-From: pendingzv24
From: "L McNamara" <L.McNamara>
Subject: Notice to appear in court ZE#6850
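
One way to flag these messages at a mail gateway, added here as an example and not code from the original article: it checks the three traits described above (the subject pattern, a webmail envelope sender that does not match the From domain, and an exe inside a zip attachment). The function names, the FREEMAIL domain list and the sample message are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import parseaddr

# Subject shape seen in the samples: two capitals, '#', four digits.
SUBJECT_RE = re.compile(r"Notice to appear in court [A-Z]{2}#\d{4}")
FREEMAIL = {"gmail.com", "yahoo.com"}  # assumption: webmail domains to watch

def domain(addr):  # lower-cased domain of an address header, '' when absent
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def exe_in_zip(msg):
    """Names of .exe members inside any zip attachment (never extracted)."""
    hits = []
    for part in msg.walk():
        data = part.get_payload(decode=True)  # None for multipart containers
        if data and zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                hits += [n for n in zf.namelist() if n.lower().endswith(".exe")]
    return hits

def score(raw):
    """Return the list of campaign traits present in a raw RFC 5322 message."""
    msg = message_from_bytes(raw)
    reasons = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        reasons.append("subject")
    env, frm = domain(msg.get("X-Envelope-From")), domain(msg.get("From"))
    if env in FREEMAIL and frm and env != frm:
        reasons.append("envelope-mismatch")
    if exe_in_zip(msg):
        reasons.append("exe-in-zip")
    return reasons

def build_sample():
    """Constructed message: addresses, subject code and zip content are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.0000-000-00-00.exe", b"MZ placeholder bytes")
    m = EmailMessage()
    m["X-Envelope-From"] = "sender123@gmail.com"
    m["From"] = '"L McNamara" <L.McNamara@courts.example>'
    m["Subject"] = "Notice to appear in court AB#1234"
    m.set_content("Notice to Appear,")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="notice.zip")
    return m.as_bytes()
```

Calling score(build_sample()) returns all three trait names; a message whose envelope and From domains agree and that carries no zipped exe returns an empty list.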

Attachment Samples: containing document.1778-290-15-03.exe

VirusTotal report

Fortinet            W32/Dofoil.QTZ!tr
Ikarus              Trojan-Downloader.Win32.Dofoil
McAfee-GW-Edition   Heuristic.BehavesLike.Win32.Suspicious-BAY.K
Qihoo-360           HEUR/Malware.QVM07.Gen

These early scans are going to get this wrong. These aren't Kuluoz / Dofoil; the email copycat confused them.

Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
HTTP Downloads: /jd.exe <---\
POSTs data to: /new2/gate.php <----- for sure not asprox
Opens a port and listens for incoming connection (possibly a backdoor)
Port: 9703
Port: 9047
C:\Documents and Settings\Administrator\Local Settings\Temp\Xaard\yxaka.exe
Binary may include packed or encrypted data

Samples provided to Clam AV and Microsoft Security when this article was created.
