Today brings a change in behaviour from the usual spam malware runs we have been having.
The email pretends to come from FedEx, with the subject “Fedex Shipping confirmation – verify your identity now!” An alternative subject is: “Package for you”.
Following the link leads you to a page where you are asked to “Download our verification manager program – called FVM®: Click here to download!”
If you download the tool and are stupid enough or unwary enough to run it, it will steal your Windows address book and no doubt install more malware on your computer.
File name: FVM_manager.exe
Current VirusTotal detections: 1/49 https://www.virustotal.com/en/file/5fed1ddc5e4314d6459bc8d3c3bd321cdbc669cd313bf86e278274d0927c2f3f/analysis/
MALWR Auto Analysis: https://malwr.com/analysis/NzBmNmFiNTZhODVhNDg0ZmE2YmFhZTI4NDJmNjliZjY/
Please read our “How to protect yourselves” page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
Hopefully many users will be protected automatically from this attack by Windows itself. Many of the emails contain a link to http://honbattle.com/989472 or http://ourgplus.at/96682, which forwards you to http://22.214.171.124/fedex.html?yjjdvqku or http://126.96.36.199/fedex.html?waqcaicq, which in turn bounces you to https://188.8.131.52/fedex.html?yjjdvqku or https://184.108.40.206/fedex.html?waqcaicq (the characters after the ? are variable and change).
In Internet Explorer 10 (at least), the final https: site comes up as “page cannot be displayed”. However, it displays properly in Firefox and Chrome.
For a change, I am thankful for the bugs (“features”) in Microsoft’s Internet Explorer that are preventing these pages from displaying, so saving thousands of users from this attack.
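The redirect chain described above can be hunted for in web proxy logs. The following is an added example, not part of the original post: it flags clients that reached a fedex.html landing page served from a bare IP address, and treats the numeric-path redirector as supporting evidence only. The log format, sample hosts and the length ranges in the patterns are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit
LANDING_PATH = "/fedex.html"            # landing page name from the write-up
DROPPER_NAME = "fvm_manager.exe"        # download name from the write-up
REDIRECTOR = re.compile(r"^/\d{4,8}$")  # /989472, /96682; digit range is an assumption
TOKEN = re.compile(r"^[a-z]{6,10}$")    # yjjdvqku, waqcaicq; length range is an assumption

def host_is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify(url):
    """Return the stage of the chain a URL matches, or None."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path
    if path.lower().rsplit("/", 1)[-1] == DROPPER_NAME:
        return "dropper"
    if host_is_ip(host) and path.lower() == LANDING_PATH and TOKEN.match(parts.query):
        return "landing"
    if not host_is_ip(host) and REDIRECTOR.match(path):
        return "redirector-candidate"   # weak on its own: many sites use numeric paths
    return None

def clients_reaching_landing(log_lines):
    """Map client -> matched stages, keeping only clients that hit the landing page."""
    seen = {}
    for line in log_lines:
        client, url = line.split()[:2]
        stage = classify(url)
        if stage:
            seen.setdefault(client, []).append(stage)
    return {c: s for c, s in seen.items() if "landing" in s}

# Constructed proxy-log lines ("client url"); hosts use documentation ranges.
SAMPLE_LOG = [
    "10.0.0.5 http://redirector.example/989472",
    "10.0.0.5 http://198.51.100.7/fedex.html?yjjdvqku",
    "10.0.0.5 https://198.51.100.7/fedex.html?yjjdvqku",
    "10.0.0.9 https://www.fedex.com/apps/fedextrack/?tracknumbers=1234",
    "10.0.0.12 http://news.example/2013",
]

if __name__ == "__main__":
    for client, stages in clients_reaching_landing(SAMPLE_LOG).items():
        print(client, "->", " > ".join(stages))
```

Only the first client is reported: the genuine fedex.com URL matches nothing, and the numeric path on the last line is ignored because that client never reached a landing page.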
Addendum, 12 December 2013: Even though these emails are still being spammed out, there is a new campaign that has gone back to the “open the attached zip file to get the documents to verify” approach