The emails came with the subject "Hot Pictures" or "Hot News" and contained an attachment titled "censored.zip."
Once launched, the zip file installed a Trojan that collected email addresses and allowed remote hackers to manipulate the infected computer.
The first anti-virus signature for the attack from a major anti-virus (AV) vendor was released at 2:49 pm the following day, June 29, 2008, more than 15 hours after IronPort was able to capture and resolve the new threat.
"Our VOFs were able to identify and control the Pandex variant attack within minutes of its release onto the internet; such efficiency and speed prove that our VOF is by far the most effective tool against today's quickly spreading, dangerous trojan and virus threats. This also showed the inadequacy of totally relying on traditional tools for detecting and handling malicious web-based programs," said Ray Kafity, Regional Sales Manager - Middle East, North Africa and Pakistan, IronPort Systems.
From June 28th to June 30th, cyber criminals sent out emails with the Pandex Trojan, also known as Pushdo and Cutwail.
Users who were fooled into opening the attachment triggered the illegal harvesting of email addresses from Microsoft Outlook, email backups, mail address books, appointment databases, text files, and web and Active Server Pages.
Hackers took over the compromised computers to send spam and host spyware or install key loggers and screen scrapers to steal personal, confidential financial information without the user's knowledge.

Posted by Eman Hassan
