June 27, 2014

The mass mailing is one of the favorite ways criminals distribute malware. On June 26-27, 2014, Doctor Web's security researchers registered a large bulk of emails containing a dangerous Trojan. These emails were ostensibly sent by Amazon.

Since June 26, many users have been receiving fake, new order notifications, supposedly from this very well-known Internet company. The messages invite users to open an invoice attachment to access the details of their order. The message is written in English, and the text is the same in all currently known incidents. Only the order date and number vary:

The ZIP archive attached to the email contains the executable of BackDoor.Tishop.122 malware. Virus makers call this program Smoke Loader. This Trojan is designed to download other malicious applications onto an infected computer, and thus, systems lacking antivirus protection can be turned into bona fide malware menageries. After its launch BackDoor.Tishop.122 scans the environment for the presence of a "sandbox" or virtual machine, copies itself into a folder on the hard disk, adds its entry into the autorun section of the Windows Registry, and injects its code into a number of system processes. If the machine is connected to the Internet, the Trojan will attempt to download other malicious programs and run them on the infected computer.

Doctor Web urges users to exercise caution. Do not open email attachments from unknown senders, and do not try to view attached documents containing order information, unless you have actually ordered something in an online store. Such messages should be deleted immediately upon receipt. Dr.Web software successfully detects BackDoor.Tishop.122, so the Trojan poses no threat to systems protected with Doctor Web anti-viruses.