my new photo, my photo, my new pfoto 😉 or mi nueva foto 😉 (with or without the smiley face) are the typical subjects in this long running malware campaign. These emails, which pretend to come from various girls' names including Yulia <random firstname.lastname@example.org>, or from Julia, Julia Love, Angelina, Jessica or Anna, are another of the current zbot runs which try to drop Cryptolocker, ransomware and loads of other malware on your computer. They use email addresses and subjects that will entice a user to read the email and open the attachment. The malware inside the zips on these emails is generally identified as Androm, Gamarue or Wauchos depending on which antivirus you have installed. It obviously takes a few hours, or even a day or more, for the antivirus companies to catch up with new versions, so some users get infected.
Update 30 August 2014: All of today’s new versions of this malware are pretending to come from Julia Love and use the domain wordcastaccountings.com <random name@wordcastaccountings.com>.
Update 6 September 2014: We are also seeing numerous different versions of this email, written in Spanish and in English, pretending to come from Julia Love with a load of different malware versions attached. The malware changes about 3 times every day, but always has the same file name photo.zip, which so far has always extracted to a folder containing photo.exe.
Update 17 September 2014: A big new run today. The “senders” are being changed to lots of different names, but all are girls' names and all with a last name of Love. So far I have seen: Julia Love, Sarah Love, Mary Love, Lucy Love, and I am sure we will see loads of others later on.
Update 19 September 2014: Today and yesterday we started to see these my new photo emails pretending to come from somebody just called Emily, as well as the lot coming from Julia Love and all the rest of the Love family.
Update 17 October 2014: Today’s version pretends to come from a girl called Anna but has the usual photo.zip attachment, which extracts to the usual photo.exe and has a current VirusTotal rate of 3/53.
Update 29 October 2014: Today’s version pretends to come from a girl called Jessica or Jessica Alba. The email looks the same as usual, but the attachment is a plain .exe file rather than a zip, so hopefully it should be blocked automatically for a high proportion of users. my_photo_holiday_my_ass_7786868767878.exe. Current VirusTotal detections 8/54.
Update 30 October 2014: Back to a zip file today from a girl called Jessica. The zip is named iphone_photo.zip and extracts to iphone_photo.exe, with a VirusTotal detection rate of 2/53.
Update 6 November 2014: Today’s offering pretends to come from either Jessica or Anna with a zip iphone_photo.zip, with a VirusTotal detection rate of 16/53.
Update 13 November 2014: Today’s offering is still coming from Jessica or Anna with iphone_photo.zip, which extracts to iphone_photo_my_love_7263487.exe, with a VirusTotal detection rate of 1/51.
Update 14 November 2014: Today’s offering is still coming from Jessica or Anna with iphone_photo.zip, which extracts to iphone_photo_my_id_748567834657834.exe, with a VirusTotal detection rate of 1/54.
Update 18 November 2014: Today’s offering is still coming from Jessica or Anna, and now today Angelina, with 3 new versions of this malware, the zips all named iphone_photo.zip. The first extracts to iphone_photo_my_787398.exe, with a VirusTotal detection rate of 10/54; the second version is iphone-photo_my_kiss3747385.exe, 1/55; the 3rd version is mi_foto.exe, 1/55.
Update 18 November 2014: Today they are coming from Angelina with a return to the old naming format: my_photo.zip extracts to my_photo.exe, VirusTotal detection rate 1/55. The content now reads:
my new pfoto 😉
Second version today says mis fotos en busca de amigos or Mi photo, Busco a de amigos que hablan espanol and comes from Angelina or Jennifer. my_photo.zip extracts to mi_photo.exe, VirusTotal detection rate 5/54.
Update 20 November 2014: Today’s has a zip with 2 files inside: 1my_photo.exe (6/54) and 2my_photo.jpg (0/54). The alleged jpg file isn’t a jpg but has the headers of a Chrome web container file, which isn’t recognized by most image programs. I am assuming that when an unwary user opens/runs the .exe file they will see the image that is supposedly contained in the fake jpg and not think that they are being infected. The image will open in Google Chrome but not in any other browser or image program that I have on my computer.
Update 1 December 2014: Today they have reverted to my_photo.zip, which extracts to 2 files: 1my_photo.exe (3/56) and 2my_photo.jpg (the jpg is a Google WebP image that doesn’t display in Windows by default).
Update 9 December 2014: Today the emails all pretend to come from someone called Allisa, Jessica or Anna, random names @backrecordschedule.com. The subject says Hey. VirusTotal detection 4/52. Although all the emails pretend to come from backrecordschedule.com, they do not; they are being sent by compromised web servers and computers from all round the world.
Update 10 December 2014: Today they are using the typical my_photo.zip attachment but have reverted to an earlier style of executable file naming convention, and don’t appear to include the Google WebP "jpg" image in the zip: my_photo_home_38472398472398749283.exe, VirusTotal detection 7/56.
Update 12 December 2014: As well as the typical my_photo.zip there is also a second version spreading with a slight change today. The subject reads Our photo and the attachment IMG_02439_12_12_2014 jpeg .zip extracts to IMG_03541_12_12_2014 jpeg .exe, VirusTotal detection 3/56.
Update 19 December 2014: As well as the typical my_photo.zip there is also a second version spreading with a slight change today. The subject and body content read Hola mi foto and the attachment my .zip extracts to my_ass_foto_2347329847893274823798.exe, VirusTotal detection 0/46.
Update 16 January 2015: Today’s version is hola mi foto 🙂 from Marry with myphoto.zip, which extracts to my_photo_74324873289478934723987489237498237894324.exe, VirusTotal detection 1/57. A second version today is me new photo from Juliya with myphoto.zip, which extracts to my_photo_48378957348957489375893475893.exe, VirusTotal detection 3/57.
Update 30 January 2015: Me new photo 😉 or Hola mi foto coming from Marry or Juliya, all from random names @supernatuaralworks.com, with a plain exe file that isn’t zipped so should be blocked by most email clients: my_new_photo_4327489327498237498239.exe.
Update 9 February 2015: Today’s version is me new photo coming from Jessica, with a change to the usual email: it now reads Hi me new photo download photo, where download photo is a direct link to the .exe file my_new_photo_832748973284732847839278237.exe. This is the same malware as today’s FedEx Postal Notification Service – malware.
Update 20 February 2015: Over the last couple of days the malware with these emails has changed. Until now they have been dropping Androm malware, but now they are dropping Trojan.Win32.Fsysna/Folyris, which is a keylogger and banking Trojan.
Sent from my iPhone
Update 15 May 2015: Over the last few days there has been a slight change to this long running malware spreading campaign. The subject now reads My photo, my pussy and the body looks like:
Mmy new photo pussy , send u photo
All of these have a password stealing component, with the aim of stealing your email or FTP (web space) login credentials. Many of them are also designed to specifically steal your Facebook and other social network login details.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
These all have the same subject of my new photo and come from somebody called Yulia, and today (29 August 2014) all pretend to come from the same domain, madmimi.com.
my new photo 😉
if you like my photo to send me u photo
Alternative version in Spanish
mi nueva foto;)
si te gusta mi foto para enviarme la foto de u
29 August 2014: photo.zip (23kb): extracts to photo.exe. Current VirusTotal detections: 2/55.
All of these emails use social engineering tricks to persuade you to open the attachments that come with the email, whether it is a message saying “look at this picture of me I took last night” that appears to come from a friend, or something more targeted at somebody who is likely to regularly receive photos, PDF attachments, Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them, make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.
A typical user who has not configured Windows to show known file extensions will see something like this when they open the zip file. You cannot tell what is an image and what is an executable file.
Somebody who has configured Windows to show known file extensions will see something like this when they open the zip file. You can now see what is an image and what is an executable file.
What makes this particular malware version harder to protect against is the use of the new Google WebP format for the real image in the zip file. Windows and the majority of Windows imaging programs will not display WebP images without a special plugin or codec installed on the computer. If you use Google Chrome as your browser (or newer versions of Opera) and set images to open in a browser, then you do see a picture; otherwise all you see is the typical jpg icon.
What the bad guys are hoping is that a user won’t be able to open the “jpg” and will consequently click on the .exe file, thinking that it is also an image file.
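The two tricks described above (an .exe hiding behind a hidden extension, and a WebP image renamed .jpg so it won't open) can both be caught by checking each archive member's leading bytes instead of trusting its file name. The script below is an added example, not the blog's own tooling: it builds a constructed stand-in for the two-file my_photo.zip and then reports what each member really is.

```python
import io
import zipfile

# Leading bytes of the file types seen in this campaign's archives.
PE_MAGIC = b"MZ"          # Windows executable (DOS header)
JPEG_MAGIC = b"\xff\xd8\xff"
RIFF_MAGIC = b"RIFF"      # WebP is a RIFF container tagged "WEBP" at offset 8


def identify(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring whatever its name claims."""
    if data[:2] == PE_MAGIC:
        return "exe"
    if data[:4] == RIFF_MAGIC and data[8:12] == b"WEBP":
        return "webp"
    if data[:3] == JPEG_MAGIC:
        return "jpeg"
    return "unknown"


def inspect_zip(blob: bytes) -> list:
    """One finding per archive member: name, claimed extension, real type, verdict."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            kind = identify(zf.open(info).read(16))
            name = info.filename
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if kind == "exe":
                verdict = "BLOCK: executable inside a 'photo' archive"
            elif ext in ("jpg", "jpeg") and kind != "jpeg":
                verdict = "SUSPICIOUS: .jpg name but %s content" % kind
            else:
                verdict = "ok" if kind != "unknown" else "UNKNOWN"
            findings.append({"name": name, "ext": ext, "type": kind, "verdict": verdict})
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for the campaign's my_photo.zip (no real malware inside)."""
    pe_stub = b"MZ" + b"\x00" * 62                       # DOS header marker only
    webp = b"RIFF" + (12).to_bytes(4, "little") + b"WEBPVP8 " + b"\x00" * 4
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("1my_photo.exe", pe_stub)
        zf.writestr("2my_photo.jpg", webp)
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        print("%-16s ext=%-4s real=%-7s %s" % (f["name"], f["ext"], f["type"], f["verdict"]))
```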