INCA Internet response team detected a malicious e-mail disguised as having been sent by the WHO (World Health Organization). The e-mail carries a malicious attachment presented as a PDF file with information about the use of Truvada, one of the treatments for HIV, during pregnancy. Human immunodeficiency virus (HIV) is a lentivirus (a member of the retrovirus family) that causes acquired immunodeficiency syndrome (AIDS), a condition in humans in which progressive failure of the immune system allows life-threatening opportunistic infections and cancers to thrive.
2. Spreading cases
The malicious e-mail uses WHOupdates@doctor.com as its sender address to induce the user to view the information, and both its title and its attachment file name are disguised as being about Truvada.
E-mail title : effects of HIV prevention pills(TRUVADA) in pregnancy
Attachment : truvada pills in pregnancy.scr
Although "truvada pills in pregnancy.scr" has the SCR (Screen Saver) extension, it is an executable file. Its icon is displayed as a PDF icon, which can confuse users unless the option to hide file extensions is turned off.
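A mail filter can catch this disguise by checking each attachment's real extension and file header instead of the icon the user sees. The Python sketch below is an added example, not part of the original advisory; the recipient address, the second attachment and the attachment bytes are constructed, and the extension list is an assumption.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed list of extensions Windows runs as programs; .scr is an ordinary executable.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com"}


def build_sample() -> bytes:
    """Constructed message modelled on the e-mail described above (no real malware)."""
    msg = EmailMessage()
    msg["From"] = "WHOupdates@doctor.com"
    msg["To"] = "user@example.com"  # constructed recipient
    msg["Subject"] = "effects of HIV prevention pills(TRUVADA) in pregnancy"
    msg.set_content("See attached.")
    # Constructed payload: only the "MZ" magic of a Windows executable plus padding.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream",
                       filename="truvada pills in pregnancy.scr")
    # Constructed benign attachment for comparison.
    msg.add_attachment(b"%PDF-1.4\n", maintype="application",
                       subtype="pdf", filename="leaflet.pdf")
    return msg.as_bytes()


def scan_attachments(raw: bytes) -> list:
    """Return one finding per attachment that is executable by name or by content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Trailing dots and spaces are ignored by Windows, so strip them first.
        ext = os.path.splitext(name.lower().rstrip(" ."))[1]
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable extension " + ext)
        if data[:2] == b"MZ":
            reasons.append("content starts with MZ executable header")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_attachments(build_sample()):
        print(finding["filename"], "->", "; ".join(finding["reasons"]))
```

Checking the header as well as the name means the attachment is still flagged if it is renamed to a document extension.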
When executed, it creates a folder under "Application Data" and drops a malicious file there.
The created file is Zeus Bot malware, which targets online banking users.
Spreading malicious files by e-mail is a very traditional technique, but many users still open such attachments and become infected. To keep your PC safe from the security threats posed by these malicious attachments, we recommend that you install the latest security updates and follow the "Security management tips" for general users.
INCA Internet (Security Response Center / Emergency Response Team) runs a response system against various security threats.