Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Back to news

Criminals fake Amazon.com to send malicious spam

October 24, 2012

Doctor Web is warning users about malicious spam, allegedly from Amazon.com, that has been spreading widely since October 22. These messages prompt the recipient to download a license for Microsoft Windows; however, by clicking on the link, the user infects the system with two malicious programs simultaneously (Trojan.Necurs.97 and BackDoor.Andromeda.22). They stand by for the criminals’ command to smuggle other malware onto victim machines.

The fake messages have the subject "Order N" (with “N” being a random number) and incorporate the following text:

Hello,

You can download your Microsoft Windows License here.

Microsoft Corporation

Each message contains a link to a web page featuring a script that redirects the visitor to another website. A JavaScript file loaded from the site is used to download two malicious programs: BackDoor.Andromeda.22 and Trojan.Necurs.97.

Trojan.Necurs.97 is capable of self-replication and infects removable drives and shared network resources. When launched, the Trojan horse creates an executable file and makes changes to the Windows registry so that the file is launched at Windows startup. Then the Trojan searches the memory for running processes of Internet Explorer and Mozilla Firefox, and if successful, attempts to inject its code into them. After that Trojan.Necurs.97 attempts to copy itself to all available removable drives as a file with a random name, and creates an autorun.inf file in the drive's root folder to be launched automatically every time the device is plugged into a computer.

Trojan.Necurs.97 connects to remote servers controlled by attackers, reports its successful installation in the infected system, and waits for commands which include commands to download different applications to the compromised system and transfer files from the system to a remote host.

Doctor Web advises users to be careful and refrain from clicking on links in emails from unknown senders.

Tell us what you think

You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2019

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040