Pages

Thursday 29 October 2015

Which antivirus - 9

SHA256: 78b0d908dca64f2b0017da7d94ebba8e0db64cdaf1dca1c3fb283cce8dd25be4 

Subject: You have a package    

Dear Customer,

You have a package with FedEx. You are required to view the attached file for detail. Contact
E-mail: fedxed-liveryexpress@careceo.com



First submitted to Virustotal 19 hours ago. All products pass it as clean.

So is it indeed clean? I'm not expecting a package from Fedex, and the file header reveals that the email was sent from mail.umet.ec (Ecuador). So my first guess is that it's malware, but without setting up a virus lab, I can't be 100% certain. 

How could it not be malware, given all these clues? In my experience, virus authors (and therefore probably also trojan authors) aren't as clever as they think they are, and I've seen several things that were clearly intended to be viruses, but because of a blunder by the author, didn't work. One example that I remember used interrupt 21 *decimal* (15 hexadecimal) for file reading and writing, instead of the correct interrupt 21 hexadecimal (33 decimal). The author not only made that blunder, they obviously didn't test their virus!

Another possibility, is that it isn't malware, just some scam. So I read the content of the file using a file reader that doesn't have a macro ability, and apparently, there's $750,000, an Apple Mac Book Pro and an iPhone 6 waiting for me ....

So, not malware. Just a scam. This kind of scam is called a 411 scam, a 419 scam, an advance-fee fraud scam (you have to send off some small fee in order to get the package released to you, and if you do, you discover that there's another small fee to send, and so on). But I prefer the name "Spanish prisoner" because that goes back 500 years or more.

No comments:

Post a Comment