Seen in the wild: Extremely dangerous Better Business Bureau spam with malware

Today, we caught a very pernicious spam loaded with malware from the “Better Business Bureau”.

Now, a more generic version of this spam was reported on an antispam forum recently, likely from a worm. However, the version we received today is highly personalized, possibly even a targeted attack.

[Image: screenshot of the spoofed Better Business Bureau email]

Notice the level of personalization – Stu Sjouwerman is our VP of Marketing, and Sunbelt Software is, of course, us. Companies without adequate defenses may very well get this document and open it.

Analyzing the file showed all kinds of interesting things. It’s an RTF document that uses packager.exe to embed an OLE object containing an FSG-packed downloader/worm (FSG is a type of packer commonly used by malware authors).
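The structure described above (an RTF `\object` whose `\objdata` hex blob carries a packager.exe "Package" object wrapping an executable) can be checked for with a small triage script. The following is an added example, not code from the original post; the RTF sample and the OLE1 stream layout in it are constructed, and the heuristic only looks for a Package-class object with an MZ header inside.

```python
import re

# Constructed sample (not the real attachment): a minimal RTF with one
# embedded OLE "Package" object whose payload begins with an MZ header.
SAMPLE_RTF = (
    r"{\rtf1\ansi Please see the attached complaint."
    r"{\object\objemb{\*\objclass Package}\objw1000\objh1000"
    r"{\*\objdata "
    "01050000"                          # OLE1 stream version
    "02000000"                          # format id: embedded object
    "08000000" "5061636b61676500"       # class name length + "Package\0"
    "00000000" "00000000"               # topic name / item name lengths
    "10000000"                          # native data length (16 bytes follow)
    "4d5a90000300000004000000ffff0000"  # "MZ" DOS header fragment
    "}}}"
)

# {\object ... {\*\objdata <hex>}  -- header keywords, then the hex payload
OBJECT_RE = re.compile(r"\{\\object(.*?)\{\\\*\\objdata\s*([0-9A-Fa-f\s]+)\}", re.S)
OBJCLASS_RE = re.compile(r"\\objclass\s*([^\\{}]+)")


def scan_rtf(rtf: str) -> list[dict]:
    """Return one finding per embedded OLE object found in the RTF text."""
    findings = []
    for header, hexdata in OBJECT_RE.findall(rtf):
        m = OBJCLASS_RE.search(header)
        objclass = m.group(1).strip() if m else ""
        blob = bytes.fromhex(re.sub(r"\s+", "", hexdata))
        findings.append({
            "objclass": objclass,
            # objects created with packager.exe register as class "Package"
            "is_package": objclass == "Package",
            "payload_bytes": len(blob),
            # a PE executable wrapped inside the object starts with 'MZ'
            "has_pe": b"MZ" in blob,
        })
    return findings


def is_suspicious(rtf: str) -> bool:
    """True when a Package object carries something that looks like a PE file."""
    return any(f["is_package"] and f["has_pe"] for f in scan_rtf(rtf))


if __name__ == "__main__":
    for finding in scan_rtf(SAMPLE_RTF):
        print(finding)
    print("suspicious:", is_suspicious(SAMPLE_RTF))
```

The same check runs over any `.rtf` read as text; a Package object with no MZ inside (a plain embedded document) is reported but not flagged.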

When opened, it downloads:

1. More malware

2. TightVNC

3. WinRAR

In essence, this thing is designed to steal data. VirusTotal shows very few detections for this RTF document.