Cyber criminals are targeting users by spreading an email message claiming to be from the Vodafone MMS gateway. I had two of these land in my inbox last night. The subject of the email is “You have received a new message” and the message claims you have been sent a picture. Let’s take a further look at this nasty phishing email.
Looking at the content of the email you will see what looks like a legitimate sending mobile number from [email protected] but it isn’t. So don’t open the attachment! The messages contain an attached zip file “Vodafone_MMS.zip”. If you unzip the file (I suggest you don’t, folks!) a file called “Vodafone_MMS.jpg.exe” will execute and install malware onto your PC. As of now, our friends at VirusTotal claim that only 8 of the 44 anti-virus engines they use identify this malware strain.
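A mail filter or analyst can spot this kind of attachment by reading the archive's file list without extracting anything. The Python sketch below is an added example, not part of the original analysis; the extension lists and function names are assumptions, and the sample archive is constructed with harmless content.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows will run when double-clicked (assumed list, not exhaustive).
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Harmless-looking extensions commonly used as the decoy (assumed list).
DECOY = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}


def suspicious_members(zip_bytes):
    """Return (name, reason) for risky entries, without extracting anything."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Keep only the file name; Windows ignores trailing dots and spaces.
            name = PurePosixPath(info.filename.replace("\\", "/")).name
            parts = PurePosixPath(name.rstrip(". ")).suffixes
            # Strip padding such as "photo.jpg      .exe" before comparing.
            suffixes = [s.strip().lower() for s in parts]
            if not suffixes or suffixes[-1] not in EXECUTABLE:
                continue
            if len(suffixes) >= 2 and suffixes[-2] in DECOY:
                findings.append((info.filename, "double extension hides executable"))
            else:
                findings.append((info.filename, "executable in archive"))
    return findings


def build_sample():
    """Constructed sample: file name from the post, harmless placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Vodafone_MMS.jpg.exe", b"not a real program")
        archive.writestr("holiday.jpg", b"not a real image")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in suspicious_members(build_sample()):
        print(f"{member}: {reason}")
```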
The file copies itself to C:\Documents and Settings\All Users\svchost.exe and then hides under SunJavaUpdateSched to launch when Windows first boots. The suspicious actions of this malware include copying itself to other folder locations on your PC; creating autorun records (this means that if you remove the malware, it could re-populate, e.g. in your system folder location – also see next point); and injecting code into other Windows processes (which can make it tricky to remove all the malicious objects). Thanks to the guys at Comodo for this analysis.
My advice, if you are a Vodafone customer (as you are most likely to click this – social engineering isn’t a new trick used by cyber criminals): delete this email from your Windows PC, and don’t forget to delete it from any mobile devices that you are using to receive email on too!
Safe surfing folks!