“Request rejected” spam campaign leads to fake AV

A spam email campaign carrying a malicious attachment designed to download and run a fake AV solution on the recipient’s computer is currently hitting inboxes around the world.

The subject line of the email is “Request rejected”, and the message body contains the following text:

Dear Sirs,
Thank you for your letter!
Unfortunately we can not confirm your request!
More information attached in document below.
Thank you
Best regards.

The message does not contain any hint on what the rejected request might be, and since the purported sender and its email address don’t offer much information either, it’s easy to see how a lot of people might be tricked into downloading the attached EX-38463.pdf.zip file to check out what this is all about.

According to CA researchers, the zipped attachment contains a file by the name of EX-38463.pdf.exe, which is a downloader Trojan that connects the computer to hdjfskh.net, from where it downloads and executes a fake AV variant.
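As an added defender-side example (not from the article or from the CA researchers' analysis), the Python check below inspects a zip attachment for the pattern described above: an entry whose name looks like a document but ends in an executable extension (as with EX-38463.pdf.exe), or a document-named entry whose content starts with a Windows PE header. The sample archive is constructed inline and contains no real malware; the extension lists are the author's assumptions, not CA's.

```python
import io
import zipfile

# Extensions an attacker may use to make a file look like a document, and
# extensions that Windows will execute. Both lists are assumptions for this
# example, not from the original article.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}
EXE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows executable (DOS stub header)


def suspicious_entries(zip_bytes: bytes) -> list:
    """Return 'name: reason' strings for archive entries that masquerade as documents."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Strip any folder prefix, then split the basename on dots.
            exts = info.filename.lower().rsplit("/", 1)[-1].split(".")[1:]
            # Name-based check: document extension immediately followed by an
            # executable extension, e.g. EX-38463.pdf.exe.
            if len(exts) >= 2 and exts[-2] in DOC_EXTS and exts[-1] in EXE_EXTS:
                findings.append(f"{info.filename}: double extension masquerading as .{exts[-2]}")
            # Content-based check, independent of the name: a document-named
            # entry whose bytes begin with a PE header is really an executable.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == PE_MAGIC and (not exts or exts[-1] in DOC_EXTS):
                findings.append(f"{info.filename}: PE header but document extension")
    return findings


def build_sample() -> bytes:
    """Constructed archive mimicking the campaign's attachment (no real malware inside)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("EX-38463.pdf.exe", b"MZ" + b"\x00" * 62)  # double extension, PE stub
        zf.writestr("invoice.pdf", b"MZ" + b"\x00" * 62)       # honest-looking name, PE stub
        zf.writestr("readme.txt", b"plain text, harmless")     # benign control entry
    return buf.getvalue()


if __name__ == "__main__":
    for line in suspicious_entries(build_sample()):
        print(line)
```

Run on a real quarantined attachment by passing the file's bytes to suspicious_entries; an empty list means neither check fired, not that the archive is clean.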

This specific fake AV has the ability to change its name based on which version of Windows OS the computer runs: XP, Vista or Win7.

It also has a variety of fake alert windows which it uses to great effect to scare the victims into believing their computer is affected by a heap of malware.

Users are advised to think twice about opening attachments or following links included in unsolicited emails – especially when they try to instill a sense of fear and/or urgency in them, or contain a veiled threat. It is a common tactic for spammers and scammers, who are hoping that these feelings will override the recipients’ critical judgment.