The map of love leads to trouble

by

In mid-August we covered a huge email-malware outbreak that mostly included UPS-themed emails. The same malware continues to be distributed as Fedex confirmations, but also as the “map of love”.  The “map of love” attachments accompany emails promising “tourists” a map of interesting destinations worldwide.

Some variations of the text:

Welcome Lover!

Everything is for YOUR private passion!

Check ->>JULY-2011: HOT BABIES CITIES<

With Love…

 

Good afternoon S– Tourist!

It is Novelty in S—tourism!

Check ->>JULY-2011: HOT SPOTS OF —– in Attached !

Best Regards…

www. World-Map .org

 

WELCOME LOVE-TOURIST!

You have not seen this ever!

Check ->> WORLD-MAP OF BABY <

Enjoy!..

www. LOVEMAP .com

You get the idea…

The attachments in the series all follow the format of “map_of_love_.zip”.

In August we also described a trick used by malware distributors to hide the true “exe” filename of the attached file that uses a Right-to-left override (RLO) function.  For example, this would make the file fishy_cod.exe appear as fishy_exe.doc thereby causing unsuspecting recipients to be even less … suspecting.  The extracted map-of-love file uses the same RLO trick so that it appears as:  LoveCard_N2894598382_Collexe.doc.  (instead of doc.exe at the end). Command antivirus detects the malware as W32/Trojan3.CVS

Worth noting – the map-of-love and Fedex malware share the same (very strange) file information:

  • publisher….: Inept Sewer Guard
  • copyright….: Copyright (c) Credo Mesh 2003-2010
  • product……: Tush Piper
  • description..: Caste Load Tiles Ploys Korea
  • original name: Crete.exe
  • internal name: Gourd Crack
  • file version.: 1.7

 

Go back