“ADP Generated Message: Digital Certificate Expiration” malware via e-mail


I just received an e-mail with the subject ADP Generated Message: Digital Certificate Expiration and these accompanying headers:

Return-Path: <ADP_Netsecure@adp.com>
Delivered-To: x
Received: from net3-nl-mx-27.vevida.net (net3-nl-mx-27.vevida.net [IPv6:2a00:f60::1:37])
	by net3-nl-mail-05.vevida.net (Postfix) with ESMTP id 6838F294259C
	for <x>; Fri, 14 Sep 2012 14:28:03 +0200 (CEST)
X-Virus-Scanned: amavisd-new at vevida.net
X-Spam-Status: Yes, score=9.518 required=5 tests=[BAYES_80=2,
	HTML_MESSAGE=0.001, MY_DSL=0.85, RCVD_IN_BRBL_LASTEXT=1.449,
	RCVD_IN_PBL=3.335, RCVD_IN_SORBS=1, RCVD_IN_SORBS_WEB=0.77,
	SPF_FAIL=0.001, SPF_HELO_NEUTRAL=0.112] autolearn=no
Received: from centertel.pl (public93801.xdsl.centertel.pl [188.47.238.105])
	by net3-nl-mx-27.vevida.net (Postfix) with ESMTP id A6D347F88073
	for <x>; Fri, 14 Sep 2012 14:27:31 +0200 (CEST)
Received: from apache by adp.com with local (Exim 4.67)
	(envelope-from <ADP_FSA_Services@ADP.com>)
	id J9Z8K6-SEU8RG-TE
	for <x>; Fri, 14 Sep 2012 13:27:30 +0100
To: <x>
Subject: ADP Generated Message: Digital Certificate Expiration
X-PHP-Script: adp.com/sendmail.php for 188.47.238.105
From: "ADP_FSA_Services@ADP.com" <ADP_FSA_Services@ADP.com>
X-Sender: "ADP_FSA_Services@ADP.com" <ADP_FSA_Services@ADP.com>
X-Mailer: PHP
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="------------08020700707010609010103"
Message-Id: <SNAIE1-6S8A7W-9L@adp.com>
Date: Fri, 14 Sep 2012 13:27:30 +0100
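As an added example (not code from the original post), the script below reads the headers quoted above and pulls out what gives the message away: it walks the Received chain oldest-first to find the first hop that carries a real IP, reads the SPF_FAIL rule out of X-Spam-Status, and flags the X-PHP-Script header. The embedded header text is a condensed excerpt of the quoted headers, and the function names are my own.

```python
import email
import email.utils
import re

# Condensed excerpt of the headers quoted above (constructed input; "for <x>" parts dropped).
RAW_HEADERS = """\
Received: from net3-nl-mx-27.vevida.net (net3-nl-mx-27.vevida.net [IPv6:2a00:f60::1:37])
 by net3-nl-mail-05.vevida.net (Postfix) with ESMTP id 6838F294259C; Fri, 14 Sep 2012 14:28:03 +0200
X-Spam-Status: Yes, score=9.518 required=5 tests=[BAYES_80=2,
 HTML_MESSAGE=0.001, MY_DSL=0.85, RCVD_IN_BRBL_LASTEXT=1.449,
 RCVD_IN_PBL=3.335, RCVD_IN_SORBS=1, RCVD_IN_SORBS_WEB=0.77,
 SPF_FAIL=0.001, SPF_HELO_NEUTRAL=0.112] autolearn=no
Received: from centertel.pl (public93801.xdsl.centertel.pl [188.47.238.105])
 by net3-nl-mx-27.vevida.net (Postfix) with ESMTP id A6D347F88073; Fri, 14 Sep 2012 14:27:31 +0200
Received: from apache by adp.com with local (Exim 4.67)
 (envelope-from <ADP_FSA_Services@ADP.com>) id J9Z8K6-SEU8RG-TE; Fri, 14 Sep 2012 13:27:30 +0100
X-PHP-Script: adp.com/sendmail.php for 188.47.238.105
From: "ADP_FSA_Services@ADP.com" <ADP_FSA_Services@ADP.com>
"""

def received_chain(raw):
    # Oldest hop first: every MTA prepends its own Received line, so the last one is the first hop.
    # Header folding (newline + leading whitespace) is collapsed into single spaces.
    msg = email.message_from_string(raw)
    return [re.sub(r"\s+", " ", h).strip() for h in reversed(msg.get_all("Received", []))]

def first_external_hop(raw):
    # (HELO name, reverse DNS, IP) of the earliest hop that carries an IP. The oldest line,
    # "from apache by adp.com with local", was written by the sender's own script and has none.
    for hop in received_chain(raw):
        m = re.match(r"from (\S+) \((\S+) \[(?:IPv6:)?([0-9a-fA-F.:]+)\]\)", hop)
        if m:
            return m.groups()

def spam_tests(raw):
    # Rule name -> score from SpamAssassin's X-Spam-Status "tests=[...]" list.
    status = re.sub(r"\s+", " ", email.message_from_string(raw).get("X-Spam-Status", ""))
    m = re.search(r"tests=\[(.*?)\]", status)
    return {k: float(v) for k, v in (t.strip().split("=") for t in m.group(1).split(","))} if m else {}

def spoofing_indicators(raw):
    # Reasons, in plain words, not to trust the From: header of this message.
    msg = email.message_from_string(raw)
    from_domain = email.utils.parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    findings, hop = [], first_external_hop(raw)
    if hop and not (hop[1].lower() == from_domain or hop[1].lower().endswith("." + from_domain)):
        findings.append(f"first external hop {hop[1]} [{hop[2]}] is not in {from_domain}")
    if "SPF_FAIL" in spam_tests(raw):
        findings.append("SPF_FAIL: sending host is not authorised for the sender domain")
    if msg.get("X-PHP-Script"):
        findings.append("X-PHP-Script: generated by a PHP script, not a corporate mail server")
    return findings
```

Run `spoofing_indicators(RAW_HEADERS)` to get all three findings for this message; the same functions work on any raw header block pasted from a mail client's "show original" view.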

Only four (4) of the twenty (20) virus scanners at Jotti recognised the attachment as a virus:

  • Bitdefender: Gen:Variant.Graftor.42564
  • ClamAV: PUA.Win32.Packer.MingwGcc-2
  • ESET: Win32/Injector.WMK
  • G Data: Gen:Variant.Graftor.42564

Scan result

The result of Jotti's malware scan can be found here:
http://virusscan.jotti.org/nl/scanresult/d3e4bd19ecac8e193f9b73f2fe78ef9d034a55fd

Apparently these e-mails have been circulating since 9 July 2012:
http://news.softpedia.com/news/ADP-Digital-Certificate-Expiration-Emails-Point-to-Malware-Hosted-on-Hijacked-Sites-280153.shtml

Always be careful when opening attachments!

About the Author J. Reilink

My name is Jan. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing my daily thing at Vevida in the Netherlands. With over 10 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization.
