Trojan spam storm hits inboxes, races to top of malware charts

January 19, 2007 Sophos Press Release

The emails pose as breaking news stories.

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned of a widespread spam campaign that poses as a breaking news report, but is really an attempt to lure innocent computer users into being infected by a Trojan horse and attacked by hackers.

The distribution has been so widespread that since midnight GMT the Trojan has accounted for over two thirds of all malware reports seen at Sophos's global network of monitoring stations, an infection rate of 1 in 200 of all emails being sent across the net.

Subject lines used in the malicious emails include, but may not be limited to, the following:

Attached to the emails are files with names such as Full Clip.exe, Full Story.exe, Full Video.exe, Read More.exe and Video.exe, which contain malicious code.

"Whoever is behind this spam campaign has generated an aggressive storm of email in the last 12 hours, and some inboxes will be feeling battered by the deluge. On average, 1 in every 200 emails that people have received since midnight are likely to be infected by this Trojan horse," explained Graham Cluley, senior technology consultant for Sophos. "Receiving or reading the emails themselves does not mean that you will be infected. However, users must be very careful not to click on the attached file inside the emails as that will install a Trojan horse on their computer and put your PC in peril."

Sophos experts believe that the hackers have deliberately chosen a subject line related to storms as European countries have been hit hard by bad weather this week.

"Bad weather has been making headline news across Europe in the last couple of days, with a number of accidental deaths caused by the high winds reported," continued Cluley. "Hackers are deliberately exploiting public interest in breaking news stories like this in their attempt to silently infect innocent users' PCs."

Sophos products detect the malicious Trojans seen so far as Troj/DwnLdr-FYD and Troj/Small-DOR (also known as Small.DAM) and will intercept future variants proactively as Mal/EncPk-B using Behavioral Genotype® Protection. Sophos's anti-spam products also stop the emails from reaching users' inboxes.

Sophos recommends companies automatically update their corporate virus protection, and run a consolidated solution at the email gateway to defend against malware, spyware and spam.