
SANS ISC: BBB=>IRS=>FTC=>Proforma | don't open that invoice!


Several of our ever-vigilant readers have warned us of a new targeted Trojan “document” that is being sent out specifically to executives in corporations.
Thanks Dan, Andy and Joe!
The subject lines of the emails were of the form:

Proforma Invoice for "Company Name" (Attn: "Executive Name")

The body of the email included this text:

"The Proforma Invoice is attached to this message. You can find the file
in the attachments area of your email software.

PS: The invoice also includes the cost for the services provided for the
second quarter of 2007.
Please read, evaluate and reply with any comments. Thanks.

Beckman Instruments, Inc.
2500 Harbor Boulevard, E-26-C
Fullerton, CA 92634-3100"

It is another Word “document” with a malicious embedded object, similar to the BBB, IRS, FTC and other targeted Trojan “documents” we have seen lately.

The file sent is Proforma_Invoice.doc.
The AV vendors that recognized it at VirusTotal were:

Vendor       Version   Date         Result
Authentium   4.93.8    06.15.2007   W32/Dropper.ESR
Fortinet     -         06.15.2007   W32/Nuclear!tr
Sophos       4.18.0    06.12.2007   Troj/BHO-BP
Symantec     10        06.15.2007   Downloader
Panda        -         06.15.2007   Suspicious file

The document itself contains an icon of a pair of books (blue and yellow) and a magnifying glass, and the text
The icon represents a “Packaged Object”.

Clicking the icon on XP SP2 resulted in a Windows popup box that stated:
“The publisher could not be verified. Are you sure you want to run this software?
Publisher: Unknown Publisher
Type: Application”

The three copies we have seen so far were all the same: all were 689,152 bytes long and all had an MD5 hash of 47fff5b9d3765b70571454146ea9f244.
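As an added example (not code from the diary), a small mail-gateway triage routine built around the indicators listed above: it checks a raw message's subject against the lure pattern and each attachment against the known MD5 and size, and applies one cheap structural heuristic, the UTF-16LE name of the "\x01Ole10Native" stream in which an embedded Packaged Object is stored inside an OLE2 file (a byte search, not a full OLE parser, so treat it as a hint). The sample message it builds is constructed here and does not reproduce the real attachment; the addresses and company name are placeholders.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the diary above.
KNOWN_MD5 = "47fff5b9d3765b70571454146ea9f244"
KNOWN_SIZE = 689152
SUBJECT_RE = re.compile(r'^Proforma Invoice for ".+" \(Attn: .+\)$')
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory entry names are stored UTF-16LE; a "Packaged Object" lives in
# an "\x01Ole10Native" stream, so its name is a cheap marker (not a real parser).
OLE10NATIVE_UTF16 = "Ole10Native".encode("utf-16-le")

def triage_attachment(name: str, data: bytes) -> list[str]:
    """Findings for one attachment: known-sample match plus structural hints."""
    findings = []
    if hashlib.md5(data).hexdigest() == KNOWN_MD5:
        findings.append("md5 matches known sample")
    if len(data) == KNOWN_SIZE:
        findings.append("size matches known sample")
    if data.startswith(OLE2_MAGIC):
        if OLE10NATIVE_UTF16 in data:
            findings.append("OLE2 document with embedded Package object")
    elif name.lower().endswith(".doc"):
        findings.append(".doc extension but not an OLE2 file")
    return findings

def triage_message(raw: bytes) -> list[str]:
    """Parse a raw RFC 5322 message; collect subject-lure and attachment findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        findings.append("subject matches lure pattern")
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        findings += [f"{name}: {f}" for f in triage_attachment(name, data)]
    return findings

def build_sample() -> bytes:
    """Constructed message: a harmless blob shaped like the lure, not the real sample."""
    fake_doc = (OLE2_MAGIC + b"\x00" * 504
                + "\x01Ole10Native".encode("utf-16-le") + b"\x00" * 64)
    m = EmailMessage()
    m["Subject"] = 'Proforma Invoice for "Example Corp" (Attn: Jane Doe)'
    m["From"] = "billing@example.invalid"
    m["To"] = "ceo@example.invalid"
    m.set_content("The Proforma Invoice is attached to this message.")
    m.add_attachment(fake_doc, maintype="application", subtype="msword",
                     filename="Proforma_Invoice.doc")
    return m.as_bytes()
```

Running `triage_message(build_sample())` flags the subject pattern and the embedded Package object but, since the blob is not the real file, neither the MD5 nor the size.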

A word of caution: do NOT open strange documents or run untrusted binaries on a machine you are not prepared to format and reinstall the OS on!
Most of us who do malware analysis have a machine on which we can reinstall a fresh, clean copy of the OS if things go wrong, and the ability to watch our network to see if anything is going wrong.


Jun 15th 2007