Fraudsters spam out Trojan Horse as China earthquake news story

Sophos Press Release

Following phishing attempts, cybercriminals turn their attentions to infecting computers

IT security and control firm Sophos is reminding computer users around the world of the importance of not clicking on unsolicited emails, no matter how tempting the subject line or content, following the discovery of a Trojan horse being spammed out as a news report about the earthquakes in China.

Sophos experts note that this scam is just the latest in a number of tricks that cybercriminals have been exploiting since the recent disasters in China and Burma, but warn that while many users are aware of phishing emails and therefore will not respond, this attack downloads malicious code onto the user's computer without them even noticing. Hackers can then use this to steal sensitive and confidential information for financial gain and to commit identity theft.

Samples intercepted by SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, show that the Trojan horse (known as Troj/MalDoc-Fam) arrives in a user's inbox as a news report which entices innocent victims to click on the attached word document and read the latest about the tragedy.

A typical spammed email reads as follows:

"BEIJING, May 20 (Xinhua) -- The death toll from the earthquake in southwest China's Sichuan Province has risen to 34,074 nationwide as of 2p.m. Saturday, while 198,347 people were injured, according to the Information Office of the State Council. Pay attention to attachment for more."

However, opening the Word document attached triggers an exploit which silently downloads further malware onto the user's computer.

"Over the last few weeks, we've already seen several examples of cybercriminals trying to exploit the natural disasters suffered by China and Burma, and it seems there's no end to their tactics," said Graham Cluley, senior technology consultant at Sophos. "To avoid falling victim, computer users need to use their common sense and not open emails from people they don't know. By deleting them straight away, you're cutting the fraudsters off before they even have the chance to trick you into giving them money as they pose as victims of the tragedy, or try and install malware on your computer."

Sophos has been capable of proactively detecting the malware since 26 March 2007.

Sophos recommends that all computer users ensure their computer security is up to date and that they are fully protected against the latest spam, email and web threats.

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at