Select Page

Cyren Security Blog

The map of love leads to trouble

In mid-August we covered a huge email-malware outbreak that mostly included UPS-themed emails. The same malware continues to be distributed as Fedex confirmations, but also as the “map of love”. The “map of love” attachments accompany emails promising “tourists” a map of interesting destinations worldwide.

Some variations of the text:

Welcome Lover!

Everything is for YOUR private passion!

Check ->>JULY-2011: HOT BABIES CITIES<

With Love…

Good afternoon S– Tourist!

It is Novelty in S—tourism!

Check ->>JULY-2011: HOT SPOTS OF —– in Attached !

Best Regards…

www. World-Map .org

WELCOME LOVE-TOURIST!

You have not seen this ever!

Check ->> WORLD-MAP OF BABY <

Enjoy!..

www. LOVEMAP .com

You get the idea…

The attachments in the series all follow the format of “map_of_love_.zip”.

In August we also described a trick used by malware distributors to hide the true “exe” filename of the attached file that uses a Right-to-left override (RLO) function. For example, this would make the file fishy_cod.exe appear as fishy_exe.doc thereby causing unsuspecting recipients to be even less … suspecting. The extracted map-of-love file uses the same RLO trick so that it appears as: LoveCard_N2894598382_Collexe.doc. (instead of doc.exe at the end). Command antivirus detects the malware as W32/Trojan3.CVS

Worth noting – the map-of-love and Fedex malware share the same (very strange) file information:

  • publisher….: Inept Sewer Guard
  • copyright….: Copyright (c) Credo Mesh 2003-2010
  • product……: Tush Piper
  • description..: Caste Load Tiles Ploys Korea
  • original name: Crete.exe
  • internal name: Gourd Crack
  • file version.: 1.7

You might also like

LinkedIn Phish Kit

Scam Warning Back in January, LinkedIn posted a warning about connection requests from individuals impersonating employees of a legitimate organization. These requests come from newly created accounts. If someone accepts the request, the attackers will have more...