A recent spam campaign abuses the name of Xerox, the American document management corporation, inviting users to download a scanned file to infect their systems with Trojans. According to Bitdefender data, we are talking about a 10,000 e-mail wave registered in less than an hour, qualifying this attack as significant.
The subject line is “Scan from a Xerox WorkCentre”, which is general enough to lure inattentive or busy people for whom receiving scanned documents during work hours is common. Those are the recipients who are likely to overlook the details, especially if they see the message was sent from someone within the company.
It is a well-known tactic among spammers to look in databases of e-mail addresses for common or corporate domain names for more targeted attacks. When “building” the spam e-mail, spammers match the alleged sender’s e-mail address with the recipient’s, hoping that a person will be less careful with an e-mail coming from someone in the same company.
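A mail gateway can check for the sender/recipient domain matching described above. The following sketch is an added example, not Bitdefender's detection logic; it assumes the receiving server stamps an `Authentication-Results` header, and the function names and the `example.com` sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

LURE_SUBJECT = re.compile(r"scan from a xerox workcentre", re.I)  # subject quoted in the article
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""

def assess(raw_message):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    sender = domain_of(parseaddr(msg.get("From", ""))[1])
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    rcpt_domains = {domain_of(addr) for _, addr in recipients} - {""}
    # Assumption: the receiving gateway records its checks in Authentication-Results.
    auth = {}
    for header in msg.get_all("Authentication-Results", []):
        auth.update((m.lower(), r.lower()) for m, r in AUTH_RESULT.findall(header))
    reasons = []
    # Only DMARC ties the visible From domain to an authenticated identity;
    # a bare SPF or DKIM pass can belong to an unrelated domain.
    if sender in rcpt_domains and auth.get("dmarc") != "pass":
        reasons.append("From domain matches recipient domain without a DMARC pass")
    if LURE_SUBJECT.search(msg.get("Subject", "")):
        reasons.append("subject matches the campaign lure")
    if reasons and reasons[0].startswith("From domain"):
        return "quarantine", reasons
    return ("review" if reasons else "deliver"), reasons

# Constructed sample messages (example.com is a placeholder domain).
SPOOFED = (
    "Authentication-Results: mx.example.com; spf=softfail; dmarc=fail header.from=example.com\n"
    "From: xerox@example.com\nTo: alice@example.com\n"
    "Subject: Scan from a Xerox WorkCentre\n\nPlease download the scanned document.\n"
)
INTERNAL = (
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=example.com\n"
    "From: bob@example.com\nTo: alice@example.com\n"
    "Subject: Q3 budget\n\nNumbers attached.\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("internal", INTERNAL)):
        print(name, assess(raw))
```

A genuine office scanner that sends as the company domain will trip the same-domain check unless it relays through an authenticated path, so such devices need to be covered by the domain's SPF or DKIM configuration before a rule like this is enforced.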
The bogus e-mail appears to deliver a scanned document, but in fact it only distributes a downloader Trojan, identified by Bitdefender as Trojan.GenericKDV.1210899. Among the malware pieces it downloads is the banker Trojan.Zbot.IAO, known to snatch passwords and user names and to monitor and manipulate banking websites in order to obtain sensitive information from innocent users.
Bitdefender blocks the spam e-mails and the malicious website, so users who have the antivirus solution installed are protected. The company advises users to keep their software updated, including their antivirus.
This article is based on the spam samples provided courtesy of Adrian TOMA, Bitdefender Spam Researcher, and on technical information provided by Doina COSOVAN, Bitdefender Virus Researcher.