Attackers send malicious spam using the name

Posted: October 25, 2012 in Security Notices


Malicious Spam

The company “Doctor Web” warns users about a wide distribution, on October 22, 2012, of malicious spam allegedly from the popular online store

These emails offer a download of a license for Microsoft Windows; however, on following the link, the user picks up two malicious programs at once (Trojan.Necurs.97 and BackDoor.Andromeda.22), which are ready, at any time and at the attackers' request, to deliver other malicious software to victims' computers.

Since October 22, 2012, Internet users have regularly been receiving e-mail messages whose sender is allegedly the Internet shop. The letters have the heading "Order N [random number]" and the following contents:


You can download your Microsoft Windows License here.

Microsoft Corporation

Each such message contains a link to a web page that includes a script which, when executed, redirects the visitor to another website. That site in turn sends the browser a file containing a JavaScript script which, when executed, downloads two malicious programs onto the user's computer: the widely known Trojan loader BackDoor.Andromeda.22 and the malware Trojan.Necurs.97.

Trojan.Necurs.97 is able to self-replicate, including by infecting removable storage devices and shared resources on a local network. Once launched, the Trojan creates an executable file in a separate folder and modifies the system registry so that this file starts automatically when Windows boots. The Trojan then searches memory for running Internet Explorer and Mozilla Firefox browser processes and, if it finds them, tries to inject its own code into them. Trojan.Necurs.97 then tries to copy itself to all removable media available in the system, saving its own copy on them under a random name, and creates an autorun.inf file in the root folder of the device so that the Trojan starts automatically each time the device is connected.
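A defender can check a mounted removable device for the autorun.inf persistence described above. The following is an added example, not code from Doctor Web or from the original post: it parses the `[autorun]` section and lists the programs the file would launch. The function names and the sample file name are assumptions made for illustration.

```python
import re
from pathlib import Path

# [autorun] keys that make Windows start a program from the device.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

# Constructed sample; the file name is made up, not taken from a real infection.
SAMPLE = """\
; junk line before the section
[AutoRun]
open=xkqjz.exe
shell\\open\\command="xkqjz.exe" /s
icon=%SystemRoot%\\system32\\shell32.dll,4
label=Removable Disk
"""

def parse_autorun(text):
    """Return {key: value} from the [autorun] section, skipping junk lines."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def first_token(value):
    """Program part of a command line, with or without surrounding quotes."""
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0]

def launch_targets(text):
    """List (key, program) pairs the autorun.inf would start."""
    return [(k, first_token(v)) for k, v in parse_autorun(text).items()
            if EXEC_KEYS.match(k) and v]

def scan_root(root):
    """Check the root folder of a mounted device for a launching autorun.inf."""
    for path in Path(root).iterdir():
        if path.is_file() and path.name.lower() == "autorun.inf":
            return launch_targets(path.read_text(encoding="latin-1"))
    return []

if __name__ == "__main__":
    print(launch_targets(SAMPLE))
```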

Trojan.Necurs.97 establishes a connection with remote servers belonging to the attackers, reports successful installation on the infected system, and waits for commands, among them commands to download various applications to the infected computer and to transfer files from the local computer to the remote server.

The specialists of “Doctor Web” encourage users to be careful and not to click on links in emails from unknown sources.
