Malicious mass mailing contains a macro virus
Kaspersky Lab has intercepted a mass mailing containing Trojan-Dropper.MSWord.Lafool.v. This mass mailing is unusual in that the messages appeared to be sent from email@example.com and allegedly originated from McAfee, an antivirus company.
Lafool.v is a Word document called “McAfee Inc. Reports.doc”. The file is 80,635 bytes in size, and allegedly contains a report about the propagation of malicious programs on the Internet.
The document contains a macro written in Visual Basic for Applications. Lafool.v extracts a new modification of LdPinch, a well-known password-stealing Trojan, from itself and launches it. LdPinch steals passwords for a number of services and applications, including AOL Instant Messenger and ICQ, as well as other confidential user data. Kaspersky Anti-Virus detects the new variant of this program as Trojan-PSW.Win32.LdPinch.bbg.
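As an added illustration (not Kaspersky's code or detection logic), the following Python sketch shows how a mail gateway could triage a Word 97-2003 attachment of the kind described above: it walks the OLE2 compound-file directory looking for a VBA project and scans for an embedded PE image. The names `directory_names`, `triage` and `build_sample` are hypothetical, the sample file is constructed, and the PE check assumes the payload is stored unencoded, which the report does not state.

```python
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
END_OF_CHAIN, FREE = 0xFFFFFFFE, 0xFFFFFFFF

def directory_names(data):
    """Return the names of all directory entries in an OLE2/CFB file."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE2 compound file")
    size = 1 << struct.unpack_from("<H", data, 30)[0]         # sector size
    sector = lambda n: data[(n + 1) * size:(n + 2) * size]
    fat = []  # from the 109 DIFAT slots in the header; DIFAT chain sectors ignored
    for s in struct.unpack_from("<109I", data, 76):
        if s != FREE:
            fat += struct.unpack("<%dI" % (size // 4), sector(s))
    names, seen, cur = [], set(), struct.unpack_from("<I", data, 48)[0]
    while cur < len(fat) and cur not in seen:                 # follow directory chain
        seen.add(cur)
        raw = sector(cur)
        for off in range(0, len(raw) - 127, 128):             # 128-byte entries
            if raw[off + 66]:                                 # object type, 0 = unused
                names.append(raw[off:off + 64].decode("utf-16-le", "replace").split("\0")[0])
        cur = fat[cur]
    return names

def triage(data):
    """Flag a VBA project and the offset of any unencoded embedded PE image."""
    names = {n.upper() for n in directory_names(data)}
    pe_at, i = None, data.find(b"MZ")
    while i != -1 and pe_at is None:
        if i + 0x40 <= len(data):                             # room for e_lfanew
            lfanew = struct.unpack_from("<I", data, i + 0x3C)[0]
            if data[i + lfanew:i + lfanew + 4] == b"PE\0\0":
                pe_at = i
        i = data.find(b"MZ", i + 1)
    return {"vba_project": bool(names & {"VBA", "_VBA_PROJECT"}), "embedded_pe": pe_at}

def build_sample(payload=b""):
    """Constructed sample: only the header, FAT and directory fields read above."""
    hdr = bytearray(CFB_MAGIC.ljust(512, b"\0"))
    struct.pack_into("<H", hdr, 30, 9)                        # 512-byte sectors
    struct.pack_into("<II", hdr, 44, 1, 1)                    # 1 FAT sector; dir in sector 1
    struct.pack_into("<109I", hdr, 76, 0, *[FREE] * 108)      # the FAT is sector 0
    fat = struct.pack("<128I", 0xFFFFFFFD, END_OF_CHAIN, *[FREE] * 126)
    entry = lambda name, t: (name.encode("utf-16-le").ljust(64, b"\0")
                             + struct.pack("<HB", 2 * len(name) + 2, t)).ljust(128, b"\0")
    dirs = b"".join(entry(n, t) for n, t in
                    [("Root Entry", 5), ("Macros", 1), ("VBA", 1), ("_VBA_PROJECT", 2)])
    return bytes(hdr) + fat + dirs + payload
```

A payload that the macro stores encoded or compressed will not match the PE check, so the VBA flag is the more reliable of the two signals. Truncated or malformed files raise `ValueError` or `struct.error`, which a caller should handle as a failed parse.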