In mid-August we covered a huge email-malware outbreak that mostly included UPS-themed emails. The same malware continues to be distributed as Fedex confirmations, but also as the “map of love“. The “map of love” attachments accompany emails promising “tourists” a map of interesting destinations worldwide.
Some variations of the text:
Welcome Lover!
Everything is for YOUR private passion!
Check ->>JULY-2011: HOT BABIES CITIES<<- in Attached !
With Love…
Good afternoon S– Tourist!
It is Novelty in S—tourism!
Check ->>JULY-2011: HOT SPOTS OF —– in Attached !
Best Regards…
www. World-Map .org
WELCOME LOVE-TOURIST!
You have not seen this ever!
Check ->> WORLD-MAP OF BABY <<- in Attached !
Enjoy!..
www. LOVEMAP .com
You get the idea.
The attachments in the series all follow the format of “map_of_love_<random number>.zip”.
In August we also described a trick used by malware distributors to hide the true “exe” filename of the attached file that uses a Right-to-left override (RLO) function. For example, this would make the file fishy_cod.exe appear as fishy_exe.doc thereby causing unsuspecting recipients to be even less . suspecting. The extracted map-of-love file uses the same RLO trick so that it appears as: LoveCard_N2894598382_Collexe.doc. (instead of doc.exe at the end). Command antivirus detects the malware as W32/Trojan3.CVS
Worth noting – the map-of-love and Fedex malware share the same (very strange) file information:
- publisher….: Inept Sewer Guard
- copyright….: Copyright (c) Credo Mesh 2003-2010
- product……: Tush Piper
- description..: Caste Load Tiles Ploys Korea
- original name: Crete.exe
- internal name: Gourd Crack
- file version.: 1.7
Leave a reply
