Malwarelicious Pictures of Someone

Worried about the whereabouts of your daughter? Start worrying about your credit card instead.

A new and extremely interesting spam campaign aimed at Brazilian computer users is making its rounds these days. Disguised as a mail message carrying harmless picture attachments, the spam email actually leads the user to an assortment of Banker Trojans.

Links to malware impersonating picture attachments

The alleged pictures are, in fact, links pointing to malware

A rough translation of the text looks like this:

Good evening, at this moment, a father is proud of his daughter.  Well, I don’t believe he will anymore after you’ve seen these pictures. I’m just forwarding them.

There is a girl on the web who betrayed her boyfriend and posted online pictures taken during intimate moments.

(eight alleged pictures listed here)

Comment: the father is the owner of a network of bakeries.

In order to succeed, the attacker counts on the users’ curiosity. The message seems to feature eight attachments impersonating pictures. To add extra credibility, the attacker included nifty touches of authenticity, such as the “file” size displayed after every “image”. Should the victim choose to click on any of the “pictures”, they get redirected through a network of compromised websites to an infected .cpl file

The picture prooves to be a Control Panel link

The picture is in fact a Control Panel extension.

Detected as Trojan.Downloader. JNXT, this control panel item starts fetching extra malware from a variety of websites if opened. The downloader creates a folder called “systeam” in the root of the OS partition, populates it with plethora of malware and then starts executing batch files to start all these malicious binaries.

Most of the downloaded files are typical Banker Trojans written in Delphi and able to play as man-in-the middle during banking translations. There are also two variants of the ldPinch Trojan that snatches sensitive information from the infected computer, such as operating system, configuration, and the associated passwords for a plethora of applications including mail clients, FTP utilities, instant messenger clients and RAS services.

Some of the malware running on the system as detected during a 60-second QuickScan

Well, if you’ve already received this message and did anything but trash it, you should run a 60-sec Quick Scan just to make sure that you didn’t catch the bugs. If you’re already a BitDefender customer, then you have nothing to worry, as we’ve been detecting these pieces of malware for a while with a generic routine. Always remember that security trumps curiosity: if you stumble upon links in messages coming from unknown people, then you should proceed with care.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.