WARNING: “setting for your mailbox are changed” email is a fake
April 27, 2010 – 8:40 am
It has come to our attention that a new “fake” email that appears to come from DecaTech is being generated for some domains as of today. The email comes with a PDF attachment and typically uses a From address at your own domain, which is unfortunately easy to fake, and there is nothing we can do about that.
The PDF itself does not appear to contain any known viruses, nor does it contain any actual information. It appears that the spammer or phisher is currently in an “experimenting” phase.
As with any email of this nature, please feel free to contact DecaTech for assistance before making any suspicious changes or responding to something like this online.
UPDATE: I’ve found out that the PDF does actually contain an embedded payload – DO NOT OPEN IT!
More info, from another forum I found this morning:
The PDF contains an embedded payload of two vbs scripts. The second of the two vbs scripts calls a fso.OpenTextFile and writes a stream from an array defined within the vbs file. The file game.exe is created and then called from the vbs.
The file c:\program files\Microsoft Common\svchost.exe is then created and the following regkey is added:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\svchost.exe"
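
A Debugger value under Image File Execution Options makes Windows start the listed program whenever the named image is launched, so the entry above runs the dropped svchost.exe each time explorer.exe starts. The following is an added example, not part of the original post or the forum write-up: it scans the text of a registry export for such entries and flags the pattern described here. The function names, the CORE_IMAGES list and the sample export are assumptions made for illustration.

```python
import re

IFEO = r"software\microsoft\windows nt\currentversion\image file execution options"
# Assumption: images that are never legitimately launched under a debugger on a user PC.
CORE_IMAGES = {"explorer.exe", "winlogon.exe", "userinit.exe", "svchost.exe"}

# Constructed sample in .reg export format; the explorer.exe entry is the one from the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000
'''

def find_ifeo_debuggers(reg_text):
    """Return [(image, debugger_path)] for each IFEO subkey that has a Debugger value."""
    hits, image = [], None
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            idx = key.lower().find(IFEO + "\\")
            # Text after the IFEO prefix is the image name; None for unrelated keys.
            image = key[idx + len(IFEO) + 1:] if idx != -1 else None
            continue
        m = re.match(r'"debugger"="(.*)"$', line, re.IGNORECASE)
        if image and m:
            # .reg strings escape backslash and quote with a leading backslash.
            hits.append((image, re.sub(r"\\(.)", r"\1", m.group(1))))
    return hits

def triage(image, debugger):
    """Return the reasons an IFEO Debugger entry deserves a closer look."""
    reasons = []
    if image.lower() in CORE_IMAGES:
        reasons.append("debugger set on core Windows image")
    exe = debugger.rsplit("\\", 1)[-1].lower()
    if exe == "svchost.exe" and "\\windows\\system32\\" not in debugger.lower():
        reasons.append("svchost.exe outside System32")
    return reasons

if __name__ == "__main__":
    # For a real export: open(path, encoding="utf-16").read()
    for image, dbg in find_ifeo_debuggers(SAMPLE_REG):
        print(image, "->", dbg, triage(image, dbg))
```

An export produced by regedit or reg export is UTF-16 encoded, so read it with that encoding before passing the text in.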