[Warning] Malicious e-mail disguised as Truvada used for the treatment of HIV.

1. Introduction

INCA Internet response team detected malicious e-mail disguised as sent by WHO(World Health Organization). This e-mail contains malicious file. This e-mail can be shown as information of Truvada's PDF file, one of treatments of HIV, during the pregnancy. Human immunodeficiency virus (HIV) is a lentivirus (a member of the retrovirus family) that causes acquired immunodeficiency syndrome (AIDS), a condition in humans in which progressive failure of the immune system allows life-threatening opportunistic infections and cancers to thrive.

2. Spreading cases

[Warning] Malicious e-mails disguised as e-bill are spreading
http://en-erteam.nprotect.com/2012/07/warning-malicious-e-mails-disguised-as.html

Malicious e-mail used its sender's mail address for WHOupdates@doctor.com, which induces user to see information, and its file name and title are disguising as Truvada's.

E-mail title : effects of HIV prevention pills(TRUVADA) in pregnancy
Attachment : truvada pills in pregnancy.scr

"truvada pills in pregnancy.scr" has its extension as SCR(Screen Saver) though, it is executable file. Its icon is shown as PDF which can make user confused unless extension hiding option.

Upon executing, it will create certain folder below "Application Data" and certain malicious file.

Created file is Zeus Bot malicious file and tries to target online banking user.

3. Summary

Spreading malicious file with e-mail is very traditional. But a lot of users are still trying to open its attachment and being infected. To use PC safely from security threats of these malicious attachments, we recommend you download latest security updates and obey following "Security management tips" for general users.

Security management tips

1. Maintain the latest security update on OS and applications
2. Use anti-virus SW from believable security company and keep updating the latest engine and using real time detecting function
3. Do not see and download attached file from suspicious e-mail.
4. Keep caution to link from instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) runs responding system against various security threats.