The INCA Internet response team detected a malicious file disguised as VISA card related content. This kind of e-mail is usually sent to overseas users. Besides this theme, e-mails posing as invoice information from global logistics companies, password change requests for certain web sites including SNS, e-tickets, and fake image file attachments are booming for the same purpose. Most of us hold a credit card, and VISA is one of the best-known credit card brands, so any of us may become a potential victim.
Besides, this kind of e-mail can be sent as spam, and an infected PC can become another host for sending the same mail.
2. Spreading path and symptom of infection
This malicious file is spread as an e-mail attachment. The e-mail contains VISA-related content, while its sender name claims to be LinkedIn. For a user of both LinkedIn and VISA card services, the potential risk is higher.
The e-mail is as follows:
LinkedIn Password (firstname.lastname@example.org) -> Fake address
The attachment (VisaCard-N47619822.zip) contains the malicious "VISA_ID48832743.exe", whose icon looks like that of an MS Word file.
Upon execution, "VISA_ID48832743.exe" infects the user's PC, creates a clone of itself in [Application Data], and executes the clone.
It then runs the normal "Explorer.exe" and tries to access certain hosts. Finally, it performs various malicious behaviors as directed by the C&C server.
The following figure shows the access status.
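A mail-filter check for the attachment described above, added here as an example and not taken from the original post or from nProtect: it flags ZIP members that carry an executable extension or start with the `MZ` header, so it also catches an executable renamed to look like a document. The function names, the extension list and the in-memory sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Extensions Windows runs directly on double-click (assumed policy list).
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif")

def scan_zip_attachment(data):
    """Return one finding per archive member that looks like a Windows executable."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"member": None, "reasons": ["not a valid ZIP archive"]}]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            reasons = []
            # Name check: the icon can imitate MS Word, the extension cannot.
            if info.filename.lower().endswith(EXECUTABLE_EXTS):
                reasons.append("executable extension")
            # Content check: DOS/PE executables begin with the bytes "MZ".
            try:
                with archive.open(info) as member:
                    magic = member.read(2)
            except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                magic = b""  # encrypted or unreadable member: name check only
            if magic == b"MZ":
                reasons.append("MZ header")
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings

def build_sample_zip(member_name):
    """Constructed sample: a stub starting with 'MZ' plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"constructed test data")
    return buf.getvalue()

if __name__ == "__main__":
    for name in ("VISA_ID48832743.exe", "statement.doc"):
        print(name, scan_zip_attachment(build_sample_zip(name)))
```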
Cases of malicious files being installed under the disguise of credit card notices or normal notices from certain companies are continuously being detected. Therefore, users need to be careful about these security threats. To use a PC safely against the threats posed by these malicious attachments, we recommend that you download the latest security updates and follow the following "Security management tips" for general users.
INCA Internet (Security Response Center / Emergency Response Team) runs a response system against various security threats.
nProtect Anti-Virus/Spyware v3.0 diagnoses and treats various variant files.
Free installation link of nProtect AVS: http://avs.nprotect.com/