Over the weekend, one of ESET's executives had an interesting surprise in their mailbox: A complaint from the Better Business Bureau (BBB). ESET is a BBB member, so we periodically receive e-mail from them. In this case, though, the email was not a newsletter or membership renewal notification. The e-mail stated that a consumer had filed a complaint regarding our "business services." The interesting part of this e-mail is the following sentence: “Instructions on how to resolve this complaint as well as a copy of the original complaint are attached to this email.”

Users should always proceed with caution when dealing with embedded documents coming from unknown sources, but in this case, the message appeared to originate from the BBB, and Microsoft Outlook does not provide a convenient way to view message headers. The message and instructions were suspicious, so the executive forwarded it over to the research division for examination.

The file attached to the e-mail is a Microsoft Word document. Once opened, it looks like this: The document contains an embedded file called “Document_for_Case.pdf” and instructions telling the user to double click on the document to open it.

Malware authors often embed executable program files inside Microsoft Office documents to circumvent the security measures that are deployed at network gateways or on workstations. In this case, the Microsoft Word document contained an executable file displaying an Adobe Acrobat PDF icon. The “Document_for_Case.doc” file containing the embedded executable file is detected as TrojanDropper.Agent.NLN by NOD32.

When the file is run, the following error message is displayed:an error message saying that Adobe Reader was unable to open the document is displayed.

This is interesting because Adobe Reader was not installed on the computer used to open the document; so as you can imagine our researcher found this behavior is very suspicious! Before displaying this error message, the executable posing as a PDF downloads a file named “WUPDATE.EXE” to the C:WINDOWS directory (or other location specified by the %windir% environmental variable ) and runs it. “WUPDATE.EXE” is detected as TrojanDropper.Agent.NFC by NOD32.

In addition to posing as the Microsoft Windows Update program and installing itself in the C:WINDOWS folder, Agent.NFC modifies the registry to make sure it will be run every time the infected host is rebooted. This malware then steals information from Windows’ clipboard, Internet cookies and also monitors all data that entered into web forms. Every web site that is visited by a computer infected with this malware is also recorded. The information is stored to disk in and, at the time of writing, the collected information is sent to a server located in Malaysia.

This attack uses a very old technique of sending malicious software by e-mail but also uses an embedded document to increase the likelihood of bypassing filters at the mail gateway and on the desktop. Like any other phish, the message is meant to reinforce the credibility of the communication and motivate the user into launching the attached document file. We advise users receiving files by e-mail to call the sender to verify the authenticity and purpose of the file.

Pierre-Marc Bureau, Researcher