Select Page

Cyren Security Blog

The map of love leads to trouble

In mid-August we covered a huge email-malware outbreak that mostly included UPS-themed emails. The same malware continues to be distributed as Fedex confirmations, but also as the “map of love”. The “map of love” attachments accompany emails promising “tourists” a map of interesting destinations worldwide.

Some variations of the text:

Welcome Lover!

Everything is for YOUR private passion!


With Love…

Good afternoon S– Tourist!

It is Novelty in S—tourism!

Check ->>JULY-2011: HOT SPOTS OF —– in Attached !

Best Regards…

www. World-Map .org


You have not seen this ever!



www. LOVEMAP .com

You get the idea…

The attachments in the series all follow the format of “”.

In August we also described a trick used by malware distributors to hide the true “exe” filename of the attached file that uses a Right-to-left override (RLO) function. For example, this would make the file fishy_cod.exe appear as fishy_exe.doc thereby causing unsuspecting recipients to be even less … suspecting. The extracted map-of-love file uses the same RLO trick so that it appears as: LoveCard_N2894598382_Collexe.doc. (instead of doc.exe at the end). Command antivirus detects the malware as W32/Trojan3.CVS

Worth noting – the map-of-love and Fedex malware share the same (very strange) file information:

  • publisher….: Inept Sewer Guard
  • copyright….: Copyright (c) Credo Mesh 2003-2010
  • product……: Tush Piper
  • description..: Caste Load Tiles Ploys Korea
  • original name: Crete.exe
  • internal name: Gourd Crack
  • file version.: 1.7

You might also like

LinkedIn Phish Kit

Scam Warning Back in January, LinkedIn posted a warning about connection requests from individuals impersonating employees of a legitimate organization. These requests come from newly created accounts. If someone accepts the request, the attackers will have more...