Spam Traveling with .SCR File Attachments, Trojans in Tow

Updated: Websense and MessageLabs uncover a spam campaign that is using .scr file attachments in targeted attacks.

Security researchers uncovered a spam campaign Nov. 19 targeting senior level executives that utilizes .scr file attachments to spread Trojans. Such file extensions are typically associated with Microsoft Windows screensavers.

The campaign is one of two reported by MessageLabs. The first wave was aimed at banks and financial institutions and claimed to come from the United States Department of Justice; the second, reported some 3.5 hours later, did not use an .scr file and was aimed at a variety of organizations and posed as an email from the Better Business Bureau, said Paul Wood, an analyst with MessageLabs.

"Some organizations are targeted more than once with e-mails for more than one person at the same organization," Wood said. "In the first run, the subject contains the full name of the recipient and the full name of their organization. The attachment is a .zip file containing an .scr [executable]. In the second run the attachment is an RTF file with a .doc extension, but contains an .exe that appears to masquerade as a PDF."

Early analysis suggests the attachment installs a backdoor remote access Trojan of some kind, potentially for stealing data, he said.


Click here to read about an e-mail phishing scam targeting credit union executives.

The spike of spam was relatively small—the first wave consisted of 472 messages, and the second wave topped out at 462, according to MessageLabs. However, what makes this activity significant is its similarity to profiles of earlier attacks by the same group, Wood said.

"The originating servers appear to be compromised or under the control of the senders. Almost 60 percent are in the United States, and almost 40 percent are in Japan," he said. "They are real servers, not botnets."

Researchers at Websense Security Labs reported the spam attack posing as an e-mail from the USDOJ claims a complaint has been filed with the USDOJ against the recipients company. The e-mail urges recipients to open the attached "complaint," which will unleash a Trojan, Websense officials said.

"We have seen approximately 175 unique e-mails [on Nov. 19]—low volume for this—and approximately 25 as of today," said Dan Hubbard, vice president of security research at Websense. "We do not have details on who is sending the mails; all information is spoofed."

Wood said an .scr file attachment should arouse suspicion because it is not a legitimate document file format.

Correction: The story previously stated incorrectly there were two separate spam campaigns involving .scr files.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.