By Dancho Danchev
Cybercriminals are currently spamvertising millions of emails impersonating DHL in an attempt to trick both home and corporate users into downloading and executing the malicious .zip file attached to the emails. The lure is a failed-delivery notice that asks the recipient to open the "attached document", which is in fact an executable.
Sample message: “Dear NAME, with this message we notify you that shipment at your destination, tracking ID #RANDOM_NUMBER, has FAILED due to an address mismatch. To claim your delivery please print out the attached document and contact DHL US support. Feel free to contact us with further questions. If you would like to speak to a DHL Express Support Agent, please call the DHL Service Desk at 1-800-527-7298.”
Spamvertised attachment: DHL report.exe – MD5: 15451d2c4b1630ddf0a2e7414c84b9dd – detected by 25 out of 41 antivirus scanners as Gen:Variant.Kazy.74567; Trojan.Win32.Jorik.Androm.ne. Note the double extension: the file inside the .zip is named to look like a report but is a Windows executable.
Upon execution, the sample modifies the registry [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] -> SunJavaUpdateSched = “%AllUsersProfile%\svchost.exe” so that its dropped copy, svchost.exe, runs every time Windows starts. Two things make this entry stand out on inspection: the value name SunJavaUpdateSched mimics the legitimate Java updater's autostart entry, and the executable lives under %AllUsersProfile% (typically C:\ProgramData) rather than %SystemRoot%\System32, which is the only place the genuine svchost.exe should run from. Writing to the HKLM Run key also requires administrative privileges, so the infection depends on the victim running the attachment from an elevated account.
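The following PowerShell script is an added example, not code from the original post or from Webroot. It audits the per-machine and per-user Run keys for the persistence pattern described above: an autostart value that launches a file named svchost.exe from outside %SystemRoot%\System32, or any autostart located under %AllUsersProfile%. The value name SunJavaUpdateSched, the path %AllUsersProfile%\svchost.exe and the MD5 come from the write-up; the detection logic, the extra Run keys checked and the output fields are assumptions made for the example.

```powershell
# Added example: audit Run keys for the svchost.exe-outside-System32 persistence
# described in the write-up. Everything except the IOCs quoted from the post is
# an assumption made for this example.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',   # 32-bit view on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# IOC from the write-up: MD5 of the spamvertised DHL report.exe. The dropped copy
# may or may not share this hash, so a mismatch is not a clean bill of health.
$KnownMd5  = '15451D2C4B1630DDF0A2E7414C84B9DD'
$System32  = Join-Path $env:SystemRoot 'System32'
$AllUsers  = $env:AllUsersProfile

function Get-SuspiciousRunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata (PSPath, PSParentPath, ...) that Get-ItemProperty adds
            if ($p.Name -like 'PS*') { continue }

            $raw = [string]$p.Value
            if (-not $raw) { continue }

            # Expand %AllUsersProfile% and friends so we compare real on-disk paths
            $expanded = [Environment]::ExpandEnvironmentVariables($raw)

            # Strip surrounding quotes and trailing arguments to isolate the executable
            $exe = if ($expanded -match '^"([^"]+)"') { $Matches[1] } else { ($expanded -split '\s+')[0] }
            if (-not $exe) { continue }

            $name = [IO.Path]::GetFileName($exe)
            $dir  = [IO.Path]::GetDirectoryName($exe)

            $reasons = @()
            if ($name -ieq 'svchost.exe' -and $dir -ine $System32) {
                $reasons += 'svchost.exe launched from outside System32'
            }
            if ($dir -and $dir.StartsWith($AllUsers, [StringComparison]::OrdinalIgnoreCase)) {
                $reasons += 'autostart binary lives under %AllUsersProfile%'
            }
            if ($p.Name -ieq 'SunJavaUpdateSched' -and $name -ine 'jusched.exe') {
                $reasons += 'SunJavaUpdateSched value does not point at the Java updater'
            }
            if (-not $reasons) { continue }

            $exists = Test-Path -LiteralPath $exe
            $md5    = if ($exists) { (Get-FileHash -LiteralPath $exe -Algorithm MD5).Hash } else { $null }

            [pscustomobject]@{
                Key         = $key
                ValueName   = $p.Name
                Command     = $raw
                Executable  = $exe
                OnDisk      = $exists
                MD5         = $md5
                MatchesIOC  = ($md5 -eq $KnownMd5)
                Reason      = ($reasons -join '; ')
            }
        }
    }
}

# Run it; an empty result means none of the checked keys match the pattern.
Get-SuspiciousRunEntry | Format-List
```

Reading HKLM\...\Run does not require elevation, so this can run as a normal user; removing a hit does. Treat the output as a starting point rather than a verdict: confirm a flagged entry against the full autostart inventory (for example Sysinternals Autoruns) and pull the file for analysis before deleting it, since the Run value and the dropped binary are the only two artifacts the write-up documents.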
Webroot SecureAnywhere users are proactively protected from this threat.