
Email:

Fake Best Buy virus spam email claims they received an order addressed to you which has to be confirmed with the attached file.

Attached .zip contains a malware executable from the Asprox botnet.


Subject: Acknowledgment of Order
Subject: Details of your order from Best Buy
Subject: Thank you for buying from Best Buy
Subject: Order Status
Subject: Thank you for your order

 E-shop Best Buy has received an order addressed to you which has to be confirmed by the recipient within 4 days. 
Upon confirmation you may pick it in any nearest store of Best Buy.

Detailed order information is attached to the letter.

Wishing you Happy Thanksgiving!

Best Buy

BestBuy_Order_ID_0408070MN.zip (127)

Header Examples:

Spoofs random domains in the From and envelope sender (MAIL FROM) headers and in the HELO connection string, but the spoofed domain is consistent within each individual email.

Received: from ascii-store.com ([204.113.202.75]
X-Envelope-From: order @ascii-store.com
From: "Best Buy" <order @ascii-store.com>
Subject: Acknowledgment of Order

Received: from themanagedcarestore.com [173.9.122.249]
X-Envelope-From: manager @themanagedcarestore.com
From: "Best Buy" <manager @themanagedcarestore.com>
Subject: Details of your order from Best Buy

Received: from beaverdamstore.com [24.239.228.45]
X-Envelope-From: order @beaverdamstore.com
From: "Best Buy" <order @beaverdamstore.com>
Subject: Thank you for buying from Best Buy

Received: from drycleaningstore.com (114.242-net.sccoast.net [66.153.242.114]
X-Envelope-From: manager @drycleaningstore.com
From: "Best Buy" <manager @drycleaningstore.com>
Subject: Thank you for your order

Asprox emails with attachments almost always come from infected Windows bots, as opposed to emails with URL links, which come from compromised web sites. A fun artifact of the PC-sent Asprox spam is that the Windows hostname or NetBIOS name appears in the Message-ID header:

Message-ID: <002...de34464a8c0 @JoannShannon-PC>
Message-ID: <00...6ff1d466f0a @ROYAL-CITRIX05>
Message-ID: <00250...34a59835e895064 @MinPC>
Message-ID: <000b0...d80401a8c0 @Owner-PC>
Message-ID: <002a0...1bca80a010a @5733-PC>
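As an added example (not code from the original post), a small Python header check that applies the two observations above: a "Best Buy" display name over a non-brand sending domain, the same spoofed domain repeated across From, envelope sender and HELO, and a Message-ID whose host part is a bare Windows workstation name rather than a mail server FQDN. The sample headers are constructed to resemble the ones listed; the set of legitimate brand domains is an assumption.

```python
import email
from email.utils import parseaddr

# Constructed sample, modelled on the header examples above (not a real capture).
SAMPLE_HEADERS = """\
Received: from beaverdamstore.com [24.239.228.45]
X-Envelope-From: order@beaverdamstore.com
From: "Best Buy" <order@beaverdamstore.com>
Subject: Thank you for buying from Best Buy
Message-ID: <002a01cfc76c1bca80a0010a@5733-PC>
"""

BRAND = "best buy"
LEGIT_DOMAINS = {"bestbuy.com"}  # assumption: the brand's real sending domains


def analyze(raw_headers: str) -> dict:
    """Parse a header block and return the extracted fields plus any findings."""
    msg = email.message_from_string(raw_headers)  # compat32: headers come back as str
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    env_domain = msg.get("X-Envelope-From", "").rpartition("@")[2].lower()

    # "Received: from <helo-name> ..." -> the HELO name the sending host presented
    received = msg.get("Received", "")
    helo = received.split()[1].lower() if received.startswith("from ") else ""

    # Message-ID host part; Asprox bots leak the Windows hostname here (e.g. 5733-PC)
    msgid_host = msg.get("Message-ID", "").strip("<>").rpartition("@")[2]

    findings = []
    if BRAND in display_name.lower() and from_domain not in LEGIT_DOMAINS:
        findings.append("brand display name over non-brand From domain")
    if from_domain and from_domain == env_domain == helo:
        findings.append("From, envelope sender and HELO share one spoofed domain")
    if msgid_host and "." not in msgid_host:  # heuristic: real MTAs use an FQDN here
        findings.append("Message-ID host is a bare workstation name (bot artifact)")

    return {"from_domain": from_domain, "msgid_host": msgid_host,
            "helo": helo, "findings": findings}


if __name__ == "__main__":
    for line in analyze(SAMPLE_HEADERS)["findings"]:
        print("FLAG:", line)
```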

Malware

17 December 2014

Attachment : BestBuy_Order_ID_0408070MN.zip containing BestBuy_Order.exe

VirusTotal report 

Ad-Aware Gen:Variant.Strictor.72854
Avast Win32:Malware-gen
BitDefender Gen:Variant.Strictor.72854
DrWeb BackDoor.Kuluoz.4
ESET-NOD32 Win32/TrojanDownloader.Zortob.H
Emsisoft Trojan.Agent.BGWS (B)
Fortinet W32/Zortob.H!tr
GData Gen:Variant.Strictor.72854
McAfee Kuluoz-FABB!2844FE2DB000
Norman Kuluoz.JY

Malwr.com report

Performs some HTTP requests
The binary likely contains encrypted or compressed data.
Executed a process and injected code into it, probably while unpacking
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup

