“Your federal tax payment was rejected”. We imagine that the sight of these words would make even the most security-aware individuals click on anything in sight as they race to resolve this troubling news.
In the last 24 hours Commtouch Labs has detected vast quantities of emails that inform recipients of payments that have been rejected by the Electronic Federal Tax Payment System (EFTPS).
The emails all use “irs.gov” addresses with fake employee names in the “from” field. The image is downloaded directly from the IRS site. We note the neat addition of “self-extracting archive” next to the file name – apparently to allay the fears of users who are wary of opening executable files.
The links lead to any of 2,500 domains (!) that we have tracked related to these emails. All of the domains were registered in the last 48 hours. The destination pages (confusingly) show a “404 not found” message which actually hides the script that starts the “PDF” file download. The downloaded filename for this site was: TAX45368001.pdf.exe.
When a user opens the file the malware takes the following actions that seem characteristic of a bot/password stealer:
1. It sets itself up to run on Windows startup
2. Drops 3 files:
C:\Documents and Settings\user\Application Data\Iwab\boji.ybe
C:\Documents and Settings\user\Application Data\Qyfe\woobx.exe
C:\DOCUME~1\user\LOCALS~1\Temp\tmp97e95e58.bat – this file just deletes the original executable.
3. It injects a thread into explorer.exe which downloads an encrypted blob from vesv—-wtytz.biz.
4. It listens on port 27032 for connections.
5. It injects threads into most other running processes.
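The lure-side traits above (irs.gov sender with a link to a domain registered in the last 48 hours, a double-extension “PDF” download) and the host-side behaviours in the numbered list (autostart, drops under Application Data, a self-deleting batch file in Temp, a listener on port 27032, injection into explorer.exe) can be turned into a small triage routine. The following is an added example written for this post, not Commtouch's code or detection logic; the message fields, the telemetry event format, the Run-key autostart mechanism and the dates are assumptions constructed for illustration, while the indicator values come from the write-up.

```python
"""Indicator triage for the EFTPS 'rejected payment' lure described above.

Added example, not Commtouch's code. The message dict, the (kind, value)
telemetry tuples, the Run-key persistence mechanism and the dates are
constructed assumptions; the indicator values are taken from the post.
"""
import re
from datetime import date

# Indicators from the write-up.
LISTEN_PORT = 27032
NEW_DOMAIN_MAX_AGE_DAYS = 2          # "registered in the last 48 hours"
# Document-looking name that is really an executable, e.g. TAX45368001.pdf.exe
DOUBLE_EXT_RE = re.compile(r"\.(pdf|doc|xls|jpg)\.(exe|scr|com|bat)$", re.I)
# Files dropped into a fresh subfolder of Application Data (XP-era path as in the post)
APPDATA_DROP_RE = re.compile(r"\\Application Data\\[^\\]+\\[^\\]+\.(exe|ybe)$", re.I)
# Batch file in Temp used to delete the original executable
TEMP_BAT_RE = re.compile(r"\\Temp\\tmp[0-9a-f]+\.bat$", re.I)
# Assumed persistence mechanism: a Run key (the post only says "run on startup")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.I)


def email_findings(msg, today):
    """Flag lure-side indicators on a parsed message dict (constructed format)."""
    findings = []
    sender = msg["from"].lower()
    if sender.endswith("@irs.gov") and msg["link_domain"].lower() != "irs.gov":
        findings.append("irs.gov sender with off-domain link")
    age = (today - msg["link_domain_registered"]).days
    if age <= NEW_DOMAIN_MAX_AGE_DAYS:
        findings.append(f"link domain registered {age} day(s) ago")
    if DOUBLE_EXT_RE.search(msg["download_name"]):
        findings.append("double-extension download name")
    return findings


def host_findings(events):
    """Flag host-side indicators in a list of (kind, value) telemetry tuples."""
    findings = []
    for kind, value in events:
        if kind == "registry_set" and RUN_KEY_RE.search(value):
            findings.append("autostart entry: " + value)
        elif kind == "file_create" and APPDATA_DROP_RE.search(value):
            findings.append("dropped file: " + value)
        elif kind == "file_create" and TEMP_BAT_RE.search(value):
            findings.append("self-delete batch: " + value)
        elif kind == "listen" and value == LISTEN_PORT:
            findings.append(f"listening on tcp/{LISTEN_PORT}")
        elif kind == "inject" and value.lower() == "explorer.exe":
            findings.append("thread injected into explorer.exe")
    return findings


def triage(msg, events, today):
    """Combine both sides into one report dict."""
    return {"email": email_findings(msg, today), "host": host_findings(events)}


# Constructed sample input. Dates and the link domain are placeholders;
# the download name and host paths are the ones reported in the post.
SAMPLE_TODAY = date(2000, 1, 3)
SAMPLE_MSG = {
    "from": "j.smith@irs.gov",                  # fake employee name, spoofed domain
    "link_domain": "newly-registered.example",  # placeholder for one of the 2,500 domains
    "link_domain_registered": date(2000, 1, 2),
    "download_name": "TAX45368001.pdf.exe",
}
SAMPLE_EVENTS = [
    ("registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Woobx"),
    ("file_create", r"C:\Documents and Settings\user\Application Data\Iwab\boji.ybe"),
    ("file_create", r"C:\Documents and Settings\user\Application Data\Qyfe\woobx.exe"),
    ("file_create", r"C:\DOCUME~1\user\LOCALS~1\Temp\tmp97e95e58.bat"),
    ("file_create", r"C:\Documents and Settings\user\My Documents\notes.txt"),  # benign
    ("listen", 27032),
    ("listen", 80),                                                              # benign
    ("inject", "explorer.exe"),
]

if __name__ == "__main__":
    for side, items in triage(SAMPLE_MSG, SAMPLE_EVENTS, SAMPLE_TODAY).items():
        print(side)
        for item in items:
            print("  -", item)
```

The domain-age check is the part worth keeping even after the specific file names and port have rotated: a campaign that stands up 2,500 domains in two days cannot also give them a history, so registration age is a cheap, durable signal compared with matching on a dropped filename.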
Author: Avi Turiel, Commtouch.