Beware overdue invoice malware attack, wrapped in an .ARJ file!

If you’ve been messing around with technology for a while, you may remember the good old days of acoustic couplers, ZModem, and Bulletin Board Systems (BBSes).

These were the days before the worldwide web had taken off, when even the slowest broadband speeds would have been sheer fantasy.

And because getting an online connection was slow and sometimes flakey, it wasn’t at all uncommon for techies to compress their programs and downloadable files into tight little packages, to make the download as painless as possible for users. The most famous compression tool of all was PKZip, created by the late Phil Katz, and versions of the .ZIP file format are still widely used today in some circles.

But there were other data compression tools which competed for .ZIP’s crown, each with their own loyal bands of followers. And one of the most famous was .ARJ.

And, to be honest, ARJ was pretty cool.

So you can imagine my delight when I discovered today that .ARJ wasn’t entirely forgotten and consigned to the dusty annals of history. Instead, it is still being used – albeit by malware authors…

Here is an example of a typical malicious email, spammed out by online criminals:

Example of overdue invoice malware

Subject: Overdue invoice #14588516
Attached file: invc_2014-09-15_7689099765.arj


I was hoping to hear from you by now. May I have payment on invoice #45322407834 today please, or would you like a further extension?

Best regards,
Mauro Reddin

Of course, the social engineering might have been a little better thought out. For instance, the invoice numbers quoted in the email don’t match each other.

But it’s easy to imagine how many users might be alarmed to hear that it is being suggested that they are being accused of a late payment, and would click on the attached .ARJ file without thinking of the possible consequences.

At that point the .ARJ file will decompress, spilling out its contents.

As Conrad Longmoore explains on the Dynamoo blog, inside the .ARJ archive file is an executable program – designed to infect your Windows computer.

Before you know it, your Windows PC could have been hijacked by a hacker and recruited into a botnet. Whereupon the remote attacker could command it to send spam on their behalf, launch denial-of-service attacks or steal your personal information.

That’s why you should always be wary of opening unsolicited files sent to you out of the blue via email.

The good news for users of ESET anti-virus products is that it is detected as a variant of Win32/Injector.BLWX. But if you are using a different vendor’s security product you may wish to double-check that it has been updated to protect against the threat.

Author Graham Cluley, We Live Security

  • Coyote

    2400 baud? Ah yes… anyway, as for archives, I much prefer tar being compressed with bzip2. Of course for tar I maybe prefer it for similar reasons to liking tarpitting (in computer security), but then again maybe not. Either way I have very fond memories of (and have some still) old hardware that most people nowadays would not even think possible let alone how it could have ever been enough. I remember to this day thinking how it was absurd to get a 1GB hard drive… how would I ever need that much space? Half of that was more than enough!

    As for arj, interestingly enough, amavisd (summary is given as: Email filter with virus scanner and spamassassin support) supports (and has for a long time) arj archives, to scan mail. So I’m not really surprised here. I’d be the same for any other older archive types (perhaps because I run my own servers, mail included). And yes, the scams like these are beyond pathetic (in execution and design) but unfortunately all it takes is to hit one vulnerable person and they have enough reason to continue it.

    One thing on your post: “That’s why you should always be wary of opening unsolicited files sent to you out of the blue via email.”

    I would extend this to be: unless you actually were told in advance and or you requested it, you should not. And even if those are true you should STILL be careful; what if someone tells you they discovered this really impressive – let’s use another old example target file type – screensaver… but they don’t realise it was also a trojan horse? Then where are you?

Follow us

Copyright © 2017 ESET, All Rights Reserved.