The first thing most computer users do in the morning is check their email. Recently I did the same and, as usual, looked through my Inbox and spam folder. One email in my Spam folder [Figure 1] caught my attention. It seemed suspicious, and since I did not want to fall into a trap I reviewed it carefully. This post details my findings.
The email is disguised as a "Traffic Ticket" from the New York State Police and claims that I have been charged with a speeding violation. The email body advises that if I want to plead, I need to print the attached file and send it to Town Court, Chatam Hall. The attached file is not a traffic ticket; it is malware. My local road traffic agency would never email a notice of an infringement; it would send it by post.
This email is just one of the new social engineering tricks that cyber criminals are using to attack unsuspecting users: simple, yet quite effective.
[Figure 1 – Fake Traffic Ticket Email]
Distinctive Spam Email Characteristics
Subject: UNIFORM TRAFFIC TICKET #7046
Body: as shown in Figure 1
File Attachment: Ticket.zip
The file Ticket.zip contains a file ticket.exe which CA detects as Win32/Chepvil.CT.
If ticket.exe is executed, it connects to awydhuyrf.ru to download and run pusk.exe, a variant of Win32/FraudWindowsXPFix.
Win32/FraudWindowsXPFix is a rogue security application that displays fake error messages about the hard drive to scare the user into purchasing the full version [Figures 2-4].
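As an added illustration (not code from the original post or from CA), the following Python filter checks an incoming message against the characteristics listed above: the lure subject, the Ticket.zip attachment, and an executable inside the archive. The sender and recipient addresses and the zip contents are constructed sample data.

```python
import email, io, zipfile
from email.message import EmailMessage
from email.policy import default

# Indicators taken from the post: lure subject, attachment name, executable inside the zip.
SUBJECT_MARKER = "UNIFORM TRAFFIC TICKET"
LURE_ARCHIVE_NAMES = {"ticket.zip"}
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

def executables_in_zip(blob: bytes) -> list[str]:
    """List executable-looking members of a zip payload without extracting anything to disk."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []

def analyse_message(raw: bytes) -> dict:
    """Check one raw RFC 5322 message against the campaign's characteristics."""
    msg = email.message_from_bytes(raw, policy=default)
    subject = str(msg["Subject"] or "")
    findings = []
    if SUBJECT_MARKER in subject.upper():
        findings.append("subject matches the fake traffic-ticket lure")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name in LURE_ARCHIVE_NAMES:
            findings.append(f"attachment name {name} matches the campaign")
        for exe in executables_in_zip(payload):
            findings.append(f"archive {name} contains executable {exe}")
    # An archive carrying an executable is reason enough on its own to hold the mail for review.
    quarantine = any("contains executable" in f for f in findings) or len(findings) >= 2
    return {"subject": subject, "findings": findings, "quarantine": quarantine}

def build_sample() -> bytes:
    """Constructed look-alike of the lure; the zip holds a harmless text stub named ticket.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ticket.exe", b"placeholder text, not a program")
    msg = EmailMessage()
    msg["Subject"] = "UNIFORM TRAFFIC TICKET #7046"
    msg["From"] = "tickets@example.invalid"  # constructed sender, not from the post
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Print the attached ticket and send it to Town Court, Chatam Hall.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Ticket.zip")
    return bytes(msg)
```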
[Figure 2 – Win32/FraudWindowsXPFix Fake Error Message]
[Figure 3 – Win32/FraudWindowsXPFix Fake Error Message]
[Figure 4 – Win32/FraudWindowsXPFix Fake Error Message]
[Figure 5 – Win32/FraudWindowsXPFix GUI]
After the fake scan, it reports numerous critical errors on the hard drive [Figure 6]; after pretending to repair them, it reports that it failed to fix the critical errors [Figure 7].
[Figure 6 – Win32/FraudWindowsXPFix GUI]
[Figure 7 – Win32/FraudWindowsXPFix GUI]
Win32/FraudWindowsXPFix also hides certain files and folders to convince the user that something is really wrong with the computer, and it continuously displays fake warning messages.
Again, we advise users to beware of these kinds of emails, to avoid opening attachments from unsolicited emails, and to ensure that their CA Security Products are updated with the latest signatures.