
Email:

A series of fake Scottish Courts emails claims you are scheduled to appear for a hearing in court.

The attached zip contains an .exe, a virus or trojan horse.

Spoofs scotcourts.gov.uk.

These are copy-cat emails, essentially reusing the older Asprox "notice to appear" email.


Subject: Notice to appear in court XU#4553

Subject: Notice to appear in court TO#6699

Subject: Notice to appear in court KV#0242

Notice to Appear,

Hereby you are notified that you have been scheduled to appear for your hearing that will
take place in the court of London in March 15, 2014 at 10:00 am.

Please bring all documents and witnesses relating to this case with you to Court on your hearing date.

The copy of the court notice is attached to this letter.
Please, read it thoroughly.

Note: If you do not attend the hearing the judge may hear the case in your absence.

Yours truly,
L.McNamara
Clerk to the Court.

document.1778-290-15-03.zip (81)

Header Examples:

Spoofs scotcourts.gov.uk in the From header, with a fake Gmail or Yahoo account in the envelope sender. These are Cutwail spambots, not Asprox. Asprox wouldn't be caught dead mixing headers.

Received: from [117.218.82.120]
X-Envelope-From: gujaratize @yahoo.com
Subject: Notice to appear in court KV#0242
From: "L McNamara" <L.McNamara @scotcourts.gov.uk>

Received: from [2.50.15.25]
X-Envelope-From: reluctantlyo2 @gmail.com
From: "L McNamara" <L.McNamara @scotcourts.gov.uk>
Subject: Notice to appear in court TO#6699

Received: from [116.202.223.210]
X-Envelope-From: weathercocksg @gmail.com
From: "L McNamara" <L.McNamara @scotcourts.gov.uk>
Subject: Notice to appear in court EM#2153

Received: from abs-static-11.64.68.58.aircel.co.in [58.68.64.11]
X-Envelope-From: misstatementst2 @yahoo.com
From: "L McNamara" <L.McNamara @scotcourts.gov.uk>
Subject: Notice to appear in court XU#4553

Received: from 46-121-100-225.static.012.net.il [46.121.100.225]
X-Envelope-From: pendingzv24 @yahoo.com
From: "L McNamara" <L.McNamara @scotcourts.gov.uk>
Subject: Notice to appear in court ZE#6850

Attachment Samples:

document.1778-290-15-03.zip containing document.1778-290-15-03.exe
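The two things the post calls out, a From: domain that does not match the envelope sender and a zip attachment that carries an executable, are exactly what a mail-gateway triage rule should look for. The following is an added example written for this page, not code from the blog; it re-uses the five header snippets quoted above (the space before the `@` is the page's own obfuscation and is stripped) and builds a stand-in zip in memory with a harmless placeholder member named after the reported attachment.

```python
"""Mail-gateway triage for the "notice to appear" run: envelope/From
mismatch, lure subject, source IP and executable-in-zip checks.
Added example; the header snippets are the ones quoted on the page."""
import io
import re
import zipfile
from email.utils import parseaddr

# Header snippets as quoted on the page (constructed into a list here).
HEADER_SAMPLES = [
    """Received: from [117.218.82.120]
X-Envelope-From: gujaratize @yahoo.com
Subject: Notice to appear in court KV#0242
From: "L McNamara" <L.McNamara @scotcourts.gov.uk>""",
    """Received: from [2.50.15.25]
X-Envelope-From: reluctantlyo2 @gmail.com
From: "L McNamara" <L.McNamara @scotcourts.gov.uk>
Subject: Notice to appear in court TO#6699""",
    """Received: from [116.202.223.210]
X-Envelope-From: weathercocksg @gmail.com
From: "L McNamara" <L.McNamara @scotcourts.gov.uk>
Subject: Notice to appear in court EM#2153""",
    """Received: from abs-static-11.64.68.58.aircel.co.in [58.68.64.11]
X-Envelope-From: misstatementst2 @yahoo.com
From: "L McNamara" <L.McNamara @scotcourts.gov.uk>
Subject: Notice to appear in court XU#4553""",
    """Received: from 46-121-100-225.static.012.net.il [46.121.100.225]
X-Envelope-From: pendingzv24 @yahoo.com
From: "L McNamara" <L.McNamara @scotcourts.gov.uk>
Subject: Notice to appear in court ZE#6850""",
]

# Lure subject as seen in this run: "Notice to appear in court XX#NNNN".
SUBJECT_RE = re.compile(r"notice to appear in court\s+[A-Z]{2}#\d{4}", re.I)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Extensions treated as executable inside an attachment (assumed list).
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def parse_headers(raw):
    """Turn the flat 'Name: value' lines into a lower-cased dict,
    removing the ' @' obfuscation the page uses for addresses."""
    headers = {}
    for line in raw.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip().replace(" @", "@")
    return headers


def sender_domain(addr):
    """Domain part of a From/envelope address, or '' if absent."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()


def triage_headers(raw):
    """Return a list of finding strings for one header snippet."""
    h = parse_headers(raw)
    findings = []
    from_dom = sender_domain(h.get("from", ""))
    env_dom = sender_domain(h.get("x-envelope-from", ""))
    if from_dom and env_dom and from_dom != env_dom:
        findings.append(f"envelope/From mismatch: {env_dom} vs {from_dom}")
    if SUBJECT_RE.search(h.get("subject", "")):
        findings.append("subject matches 'notice to appear' lure")
    ip = RECEIVED_IP_RE.search(h.get("received", ""))
    if ip:
        findings.append(f"source IP {ip.group(1)}")  # candidate for bot-list lookup
    return findings


def zip_has_executable(data):
    """Names of members with an executable extension (no extraction)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]


def build_sample_zip():
    """Constructed stand-in for document.1778-290-15-03.zip: the member
    name is the one the page reports; the bytes are a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.1778-290-15-03.exe", b"placeholder, not malware")
    return buf.getvalue()


if __name__ == "__main__":
    for sample in HEADER_SAMPLES:
        print(triage_headers(sample))
    print(zip_has_executable(build_sample_zip()))
```

Every one of the five quoted snippets trips both the mismatch rule and the subject rule, which is the point of the post's remark about mixed headers: the mismatch alone is a strong signal on a domain that should never relay through consumer webmail accounts.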

VirusTotal report 

Fortinet: W32/Dofoil.QTZ!tr
Ikarus: Trojan-Downloader.Win32.Dofoil
McAfee-GW-Edition: Heuristic.BehavesLike.Win32.Suspicious-BAY.K
Qihoo-360: HEUR/Malware.QVM07.Gen

These early scans are going to get this wrong. This isn't Kuluoz / Dofoil; the copy-cat email confused them.

Malwr.com report 

File-Analyzer.net report

Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
HTTP downloads: 211.44.197.20 /jd.exe
POSTs data to: eriksiversen.ru /new2/gate.php (for sure not Asprox)
Opens a port and listens for incoming connections (possibly a backdoor):
Port: 9703
Port: 9047
Drops:
C:\Documents and Settings\Administrator\Local Settings\Temp\Xaard\yxaka.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\msi45943.exe
C:\WINDOWS\system32\drivers\2b694.sys
Binary may include packed or encrypted data
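The network indicators in the sandbox report (the jd.exe download, the gate.php POST and the two listening ports) are what an incident responder would sweep for across proxy logs and host netstat output. Below is an added example, not code from the blog or from the sandbox service; the indicator values are those the report lists (the host and path are assumed to join as `host/path`, the page splits them with a space), while the proxy log lines and the netstat lines are constructed here in an assumed `timestamp client method url status` layout so the script runs offline.

```python
"""Sweep constructed proxy-log and netstat text for the indicators the
sandbox report lists. Added example; log lines are constructed."""
import re
from urllib.parse import urlsplit

# Indicators as listed in the report: (host, path) pairs.
INDICATORS = {
    "download": ("211.44.197.20", "/jd.exe"),
    "c2_post": ("eriksiversen.ru", "/new2/gate.php"),
}
# Ports the sample opened and listened on.
LISTEN_PORTS = {9703, 9047}

# Constructed proxy log: "<ts> <client_ip> <METHOD> <url> <status>" (assumed layout).
SAMPLE_LOG = """\
1394876401.123 10.0.0.15 GET http://211.44.197.20/jd.exe 200
1394876402.456 10.0.0.15 POST http://eriksiversen.ru/new2/gate.php 200
1394876403.789 10.0.0.22 GET http://example.org/index.html 200
1394876404.012 10.0.0.15 GET http://eriksiversen.ru/new2/gate.php?id=1 200
"""

# Constructed Windows netstat -an style lines for the listening-port check.
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING
  TCP    0.0.0.0:9703   0.0.0.0:0    LISTENING
  TCP    0.0.0.0:9047   0.0.0.0:0    LISTENING
  TCP    10.0.0.15:445  10.0.0.9:51234  ESTABLISHED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify(url):
    """Name of the matching indicator for a URL, or None.
    Host and path are compared exactly; the query string is ignored,
    so gate.php?id=1 still matches the C2 path."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    for name, (ioc_host, ioc_path) in INDICATORS.items():
        if host == ioc_host and parts.path == ioc_path:
            return name
    return None


def scan_log(text):
    """Return (client, indicator, method, url) tuples for matching lines."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        name = classify(m["url"])
        if name:
            hits.append((m["client"], name, m["method"], m["url"]))
    return hits


def infected_hosts(hits):
    """Distinct client addresses that touched any indicator."""
    return sorted({client for client, *_ in hits})


def listening_ioc_ports(netstat_text):
    """Ports from LISTEN_PORTS found in LISTENING state in netstat output."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[-1] == "LISTENING":
            port = int(fields[1].rsplit(":", 1)[1])
            if port in LISTEN_PORTS:
                found.add(port)
    return sorted(found)


if __name__ == "__main__":
    found_hits = scan_log(SAMPLE_LOG)
    for hit in found_hits:
        print(hit)
    print("hosts to pull:", infected_hosts(found_hits))
    print("backdoor ports listening:", listening_ioc_ports(NETSTAT_SAMPLE))
```

A client that fetched jd.exe and then posted to gate.php is a strong candidate for isolation; the listening-port check is the host-side confirmation once the box is pulled, since the dropped file names under Temp change from sample to sample but the ports and the C2 path are what the report pins down.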

Samples provided to Clam AV and Microsoft Security when this article was created.
