Spam Traveling with .SCR File Attachments, Trojans in Tow | eWeek

Spam Traveling with .SCR File Attachments, Trojans in Tow

Written By
Brian Prince
Brian Prince
Nov 21, 2007
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Security researchers uncovered a spam campaign Nov. 19 targeting senior level executives that utilizes .scr file attachments to spread Trojans. Such file extensions are typically associated with Microsoft Windows screensavers.

The campaign is one of two reported by MessageLabs. The first wave was aimed at banks and financial institutions and claimed to come from the United States Department of Justice; the second, reported some 3.5 hours later, did not use an .scr file and was aimed at a variety of organizations and posed as an email from the Better Business Bureau, said Paul Wood, an analyst with MessageLabs.

“Some organizations are targeted more than once with e-mails for more than one person at the same organization,” Wood said. “In the first run, the subject contains the full name of the recipient and the full name of their organization. The attachment is a .zip file containing an .scr [executable]. In the second run the attachment is an RTF file with a .doc extension, but contains an .exe that appears to masquerade as a PDF.”

Early analysis suggests the attachment installs a backdoor remote access Trojan of some kind, potentially for stealing data, he said.

Click here to read about an e-mail phishing scam targeting credit union executives.

The spike of spam was relatively small—the first wave consisted of 472 messages, and the second wave topped out at 462, according to MessageLabs. However, what makes this activity significant is its similarity to profiles of earlier attacks by the same group, Wood said.

“The originating servers appear to be compromised or under the control of the senders. Almost 60 percent are in the United States, and almost 40 percent are in Japan,” he said. “They are real servers, not botnets.”

Researchers at Websense Security Labs reported the spam attack posing as an e-mail from the USDOJ claims a complaint has been filed with the USDOJ against the recipients company. The e-mail urges recipients to open the attached “complaint,” which will unleash a Trojan, Websense officials said.

“We have seen approximately 175 unique e-mails [on Nov. 19]—low volume for this—and approximately 25 as of today,” said Dan Hubbard, vice president of security research at Websense. “We do not have details on who is sending the mails; all information is spoofed.”

Wood said an .scr file attachment should arouse suspicion because it is not a legitimate document file format.

Correction: The story previously stated incorrectly there were two separate spam campaigns involving .scr files.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.