Phoney Apple iPod shipping notification email leads to Trojan horse

August 29, 2006 Sophos Press Release

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned of a Trojan horse that has been spammed out claiming to be a notification that an Apple iPod MP3 player has been shipped to the recipient, and that their account has been charged almost $500.

Sophos has received reports of the Troj/Dowdec-A Trojan horse, which arrives in a message claiming to be related to the purchase of an Apple iPod. The emails claim that the popular music player is being shipped via FedEx and that a payment of $479.95 has been received from the recipient's e-gold account.

The malicious emails have the subject line

Track your order

The message body reads as follows:

Dear <email address>,
Please read the following message carefully.

We notify that your order was approved and shipped to you via FedEx 2Day Service, track 792531968828.
The amount of $479.95 USD was recieved from your e-gold account.
The details of transaction and specification of chosen product we send you in self-extracting compressed-zip file.
Read it carefully to make sure that there's no mistakes in characteristics of chosen product.
We appreciate your choice!
According to the rules, refund must be based on your original method of payment. Any requests to refund using e-gold are not accepted, if the payment method was credit card.

IPod For Your, Yahoo Shopping.

Attached to the emails is a file called OrderInf.zip, which unpacks to OrderInfo.exe. Executing this file infects the user's computer with a Trojan horse that attempts to download further malicious code from the internet. The Trojan horse only works on Windows computers, and cannot infect Apple Macs.

"With luck the spelling mistakes in the email will warn many users that there is something not quite right about this email. Additionally, anyone who doesn't use e-gold should be able to smell a rat when it is claimed that almost $500 has been taken from their account," said Graham Cluley, senior technology consultant for Sophos. "But everyone should practise safe computing, and be wary of any unsolicited email attachment that arrives in their inbox. Hackers are aiming to infiltrate the Windows computers of home users in their pursuit of more people to spy on and steal from."

Sophos's anti-virus products were automatically updated to protect against the Troj/Dowdec-A Trojan horse at 09:43 GMT on 29 August 2006.

Sophos recommends that companies protect their email gateways with a consolidated solution to defend against viruses, spyware and spam, as well as apply an email policy that filters unsolicited executable code at the gateway. Businesses should also secure their desktops and servers with automatically updated protection.
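As an added illustration of the gateway policy recommended above (example code written for this page, not Sophos's own product logic), the check below parses a raw email, looks for executable attachments, and also opens zip attachments to catch an executable wrapped the way OrderInf.zip wraps OrderInfo.exe. The sample message, sender and recipient addresses, and the extension list are constructed for the example.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Extensions treated as executable content at the gateway (assumed policy list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def _is_executable_name(name: str) -> bool:
    return any(name.lower().endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


def executable_members(payload: bytes) -> list[str]:
    """Return names of executable files inside a zip payload ([] if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return [n for n in zf.namelist() if _is_executable_name(n)]
    except zipfile.BadZipFile:
        return []


def flag_executable_attachments(raw_message: bytes) -> list[str]:
    """Return reasons this message should be held at the gateway; [] means clean."""
    msg = email.message_from_bytes(raw_message)
    reasons = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:          # body text and multipart containers have no filename
            continue
        if _is_executable_name(filename):
            reasons.append(f"executable attachment {filename}")
            continue
        payload = part.get_payload(decode=True) or b""   # base64-decoded bytes
        for member in executable_members(payload):
            reasons.append(f"archive {filename} contains executable {member}")
    return reasons


def build_sample(member_name: str = "OrderInfo.exe") -> bytes:
    """Constructed message mimicking the lure: a zip attachment wrapping one file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ placeholder, not a real program")
    msg = EmailMessage()
    msg["Subject"] = "Track your order"
    msg["From"] = "shop@example.invalid"      # constructed address
    msg["To"] = "user@example.invalid"        # constructed address
    msg.set_content("Please read the following message carefully.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="OrderInf.zip")
    return msg.as_bytes()
```

A gateway would quarantine any message for which `flag_executable_attachments` returns a non-empty list; the same walk can be extended to nested archives if the policy requires it.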