FutureFive New Zealand - Consumer technology news & reviews from the future
New Zealand
Guides
#
drones
#
gaming
#
reviews
#
smartphones
#
virtual reality
Search
Story image
#
Cybersecurity
#
Malware
#
CIOs
Spammers use Paul Walker's death to spread malware
Mon, 10th Feb 2014
FYI, this story is more than a year old
By Staff Writer
Follow us

It was only a few months ago that Paul Walker that left us in a fiery car accident. These days it is common for spammers and malware writers to use a celebrity's death to spread malware.

In this case, it started with emails with links to a video of Paul Walker's car on fire, but instead contained a link to a malicious file.

In the latest slew of emails, security expert Symantec claims the sender makes a plea to the victim to find a Dodge Viper GT that was supposedly racing with Paul Walker's car. The email asks that anyone with information call a number in the email or open the attached file to view a picture of the Viper GT's driver.

"In every sample we have dealt with there is always a promise of reimbursement or compensation for helping capture the Viper GT's driver," says Joseph Graziano, Symantec.

"These attacks are unique because of the regular change of subject lines and body text to bypass spam filters. The attacker tries to personalize the email with the recipient's name in the body, subject, or attached file name."

According to Graziano, each executable file is made specifically for the email address it is sent to and is compiled just before the email is sent. The sender's email address is always an aol.com email account that has most likely been hacked or otherwise compromised. Whenever a user is compromised, their address book is harvested to continue the chain of personalized emails.

Once the malicious file has been executed an error notification is sent indicating that a 32-bit or 64-bit computer is needed to run the file. It may also indicate that the user does not have sufficient permissions to run the file even though the malware continues to run in the background.

The Trojan will start to perform DNS queries through a list of domains with similar names until the malware gets a DNS query return and then it will connect to that URL to download a file into the following directory:

"%UserProfile%\Application Data\amhldfbyjmg\kskzjmtypb.exe

Once the file (kskzjmtypb.exe) is downloaded, it runs and connects to p9p-i.geo.vip.bf1.yahoo.com to download qr1aon1tn.exe. When this runs, it drops the following file:

"%UserProfile%\Application Data\amhldfbyjmg\fdxeuzv.exe

Symantec detects this malware as Trojan Horse, advising users to be on their guard and to adhere to the following security best practices:

* Exercise caution when receiving unsolicited, unexpected, or suspicious emails

* Avoid clicking on links in unsolicited, unexpected, or suspicious emails

* Avoid opening attachments in unsolicited, unexpected, or suspicious emails

* Keep security software up-to-date

* Update antispam signatures regularly

Related stories
Watch out! There are hidden dangers lurking in your PDFs
Review: Avast Ultimate Business Security - comprehensive to say the least
One wrong click can devastate your small business: so what can you do?
AI foundries & digital factories will change humankind, NVIDIA CEO says
Hands-on review: 2TB WD_Black SN770M NVMe M.2 2230 SSD
Top stories
Samsung unveils 2024 TV range, with AI-driven picture technology
AI is here to stay - share market fads versus trends
Game review: Children of the Sun (PC)
TVNZ launches innovative sports streaming service with MediaKind & Qibb
Sony launches ULT Power Sound series with artist Peso Pluma