Scan from a Xerox WorkCentre Pro – Virus

In another crafty attempt to induce email recipients to voluntarily infect their own computers with a virus, the latest campaign spoofs a scanned-document email purportedly from a Xerox WorkCentre Pro multi-tasking machine.

The emails arrive with an endless variety of spoofed From addresses, but they are actually sent from personal computers that have already been infected by this campaign.

The Subject lines of the emails are consistently:

Subject:      Scan from a Xerox WorkCentre Pro N 5458581
Subject:      Scan from a Xerox WorkCentre Pro $4181035

In order to attempt to evade spam filtering systems, the very last part of the Subject line is a completely random number, so that no two emails will look exactly alike.

The body of the messages says:

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set
Device Name: XRX3050AA7ACDB45167448

For more information on Xerox products and solutions, please visit http://www.xerox.com

The “Device Name” in the message is also completely randomized to prevent exact matches by spam filters.

The attachment payload of the email will be a Zip file, an EXE file, or both, and the file names often include randomized numbers, such as:

  • XeroxN55213.zip
  • Xerox_doc.exe

Executing the attachment (which is most definitely not a scanned document) launches the infection of the recipient’s computer, adding it to the spammer’s growing bot-net army of spam-spewing zombies.
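A filter-side check for the traits described above, as an added example that is not from the original post: it keys on the fixed subject wording and the "Device Name: XRX…" line instead of the randomized suffixes, and looks inside Zip attachments for executables. The extension list, indicator names and sample-message builder are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from email.message import EmailMessage

SUBJECT_RE = re.compile(r"^Scan from a Xerox WorkCentre Pro\b", re.I)  # fixed wording only
DEVICE_RE = re.compile(r"^Device Name:\s*XRX\w+\s*$", re.I | re.M)    # ID itself is random
EXEC_EXT = (".exe", ".scr", ".com", ".pif")  # assumption: list chosen for this example
LURE = {"subject", "device_name"}
SAMPLE_BODY = "Sent by: Guest\nDevice Name: XRX3050AA7ACDB45167448\n"  # text from the post

def indicators(msg):
    """Return the campaign traits found in a parsed EmailMessage."""
    hits = []
    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and DEVICE_RE.search(body.get_content()):
        hits.append("device_name")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXT):
            hits.append("exe_attachment")
        elif name.endswith(".zip"):
            data = part.get_payload(decode=True) or b""
            try:  # look inside the archive rather than trusting its name
                inner = zipfile.ZipFile(io.BytesIO(data)).namelist()
            except zipfile.BadZipFile:
                inner = []
                hits.append("unreadable_zip")
            if any(n.lower().endswith(EXEC_EXT) for n in inner):
                hits.append("exe_in_zip")
    return hits

def is_suspect(msg):
    """Flag only when lure text is paired with an executable or opaque payload."""
    found = set(indicators(msg))
    return bool(found & LURE) and bool(found - LURE)

def build_sample(subject, filename, zip_member=None, body=SAMPLE_BODY):
    """Constructed test message; attachment bytes are inert placeholders."""
    data = io.BytesIO(b"placeholder")
    if zip_member:
        data = io.BytesIO()
        with zipfile.ZipFile(data, "w") as z:
            z.writestr(zip_member, b"placeholder")
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(data.getvalue(), maintype="application", subtype="octet-stream", filename=filename)
    return m
```

Requiring both a lure trait and a payload trait keeps genuine scan-to-email messages carrying only documents from being flagged.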
