October 10th, 2006

Malware being spammed as PDF from retail stores

Posted by Suzi Turner @ 8:41 pm

Categories: Spyware/adware warnings

Reports surfaced today of spam purporting to be from Dell, Walmart, Circuit City or Sony confirming an order for a Sony Vaio computer with a PDF attachment, but the attachment is, in fact, a very nasty piece of malware named Haxdoor. Text of email:

Subject: Order ID : 37679041

Dear Customer,

Thank you for ordering from our internet shop. If you paid with a credit card, the charge on your statement will be from name of our shop. This email is to confirm the receipt of your order. Please do not reply as this email was sent from our automated confirmation system.

Date : 08 Oct 2006 - 12:40

Order ID : 37679041

Payment by Credit card

Product : Quantity : Price

WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99

Subtotal : 2,449.99

Shipping : 32.88

TOTAL : 2,482.87

Your Order Summary located in the attachment file ( self-extracting archive with "37679041.pdf" file ).  PDF (Portable Document Format) files are created by Adobe Acrobat software and can be viewed with Adobe Acrobat Reader.  If you do not already have this viewer configured on a local drive, you may download it for free from Adobe's Web site.

We will ship your order from the warehouse nearest to you that has your items in stock (NY, TN, UT & CA). We strive to ship all orders the same day, but please allow 24hrs for processing.

You will receive another email with tracking information soon.

We hope you enjoy your order! Thank you for shopping with us!

Donna's Security Flash blogged this and it was posted at CastleCops security forum. I wouldn't be surprised if a lot of people fall for this. As the poster at CastleCops said:

So you're sitting there scratching your head thinking "What order?"  Boy oh boy… I sure as heck didn't order no stinkin $2,449.99 Sony VAIO from Circuit City!

Really makes ya wanna open that zip file to see if you've been had, right?
 

The supposed PDF attachment is really an executable named 37679041.exe, which AV vendors detect under various names. Kaspersky named it Backdoor.Win32.Haxdoor.lf. Symantec detects it as Backdoor.Haxdoor.R, and others are calling it a variant of Goldun. Whatever you call it, it's quite an evil piece of malware. Haxdoor typically uses rootkit technology to mask itself. It is known to steal passwords and give a remote attacker access to the machine; it may also display advertising, and it often makes changes to the registry that lower system security. Some variants also disable software firewalls and anti-virus apps. McAfee has a report here.
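The mismatch described above (a message that promises a PDF while the attachment is an executable) is something a mail filter can check from the file content instead of the name. The following is an added example, not code from the original post: the function names `sniff`, `audit` and `build_sample` are hypothetical, and both sample messages are constructed with inert placeholder bytes.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

def sniff(data: bytes) -> str:
    """Classify attachment content by magic bytes, ignoring its name."""
    if data[:2] == b"MZ":          # DOS/PE header; self-extracting archives carry it too
        return "windows-executable"
    if data[:5] == b"%PDF-":
        return "pdf"
    return "other"

def audit(raw: bytes) -> list:
    """Return (filename, kind, reasons) for each attachment that looks disguised."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        kind = sniff(part.get_payload(decode=True) or b"")
        reasons = []
        if kind == "windows-executable":
            reasons.append("content is a Windows executable")
        if name.endswith(EXEC_EXTS):
            reasons.append("executable file extension")
        promised_pdf = ".pdf" in text or name.endswith(".pdf")
        if promised_pdf and kind != "pdf":
            reasons.append("message promises a PDF, content is not one")
        if reasons:
            findings.append((name, kind, reasons))
    return findings

def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed test message modelled on the order-confirmation text."""
    m = EmailMessage()
    m["Subject"] = "Order ID : 37679041"
    m.set_content('Your Order Summary located in the attachment file '
                  '( self-extracting archive with "37679041.pdf" file ).')
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

LURE = build_sample("37679041.exe", b"MZ" + b"\x00" * 62)      # inert stub, not malware
BENIGN = build_sample("37679041.pdf", b"%PDF-1.4\n%%EOF\n")    # constructed PDF header

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, audit(raw))
```

Checking the leading bytes also catches the case where the executable is simply renamed with a .pdf extension, which a filename-only rule would pass.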
