This morning we saw several spam runs in Denmark. The messages are in Danish and they are sent to Danish e-mail addresses.
The e-mail claims to be from us. It's not.
Here's what the e-mail looks like:
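From: firstname.lastname@example.org
Date: 26. August 2008 08:31
Subject: Data er tillagt og sendt med denne meddelelse.

Data er tillagt og sendt med denne meddelelse.
Jeg bruger gratis F-secure antispamversion, som allerede har fjernet 338 spambreve.
Antispam er helt gratis for private brugere.

In English, the subject and body read: "Data is attached and sent with this message. I use the free F-secure antispam version, which has already removed 338 spam letters. Antispam is completely free for private users."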
The attachment contains a file called update26.08.2008.exe, which, when run, drops a file called dcbcg.exe (an Unker-related trojan) that connects to a server in Ukraine.
We detect this trojan as Trojan:W32/Agent.FVO. More information in the virus description.
The spam run must have been fairly large, as we've received more than 13,000 bounces to email@example.com from non-existent e-mail addresses alone.
Watch out and pass the word.
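A mail-gateway triage check for the lure described above, as an added example that is not F-Secure's code: it flags the subject line and the dated update executable name from this post, whether attached directly or packed in an archive. That the attachment is a ZIP archive, the generalised filename pattern, and the names `triage`, `member_names` and `build_sample` are assumptions; the sample message is constructed.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject and filename come from the post; the date pattern generalising
# update26.08.2008.exe and the extra extensions are assumptions.
LURE_SUBJECT = "Data er tillagt og sendt med denne meddelelse."
DATED_UPDATE = re.compile(r"^update\d{2}\.\d{2}\.\d{4}\.exe$", re.I)
EXECUTABLE = re.compile(r"\.(exe|scr|pif|com)$", re.I)

def member_names(part):
    """Yield the attachment's own name, then member names if it is a ZIP."""
    yield part.get_filename() or ""
    payload = part.get_payload(decode=True) or b""
    if zipfile.is_zipfile(io.BytesIO(payload)):
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            yield from zf.namelist()

def triage(raw: bytes) -> list[str]:
    """Return the reasons a raw RFC 5322 message should be quarantined."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    if (msg["Subject"] or "").strip() == LURE_SUBJECT:
        findings.append("subject matches lure")
    for part in msg.iter_attachments():
        for name in member_names(part):
            base = name.rsplit("/", 1)[-1]  # ignore directories inside the ZIP
            if DATED_UPDATE.match(base):
                findings.append(f"dated update executable: {base}")
            elif EXECUTABLE.search(base):
                findings.append(f"executable attachment: {base}")
    return findings

def build_sample(subject: str, inner_name: str) -> bytes:
    """Constructed test message: a ZIP holding a harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder, not an executable")
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = subject
    msg.set_content("Data er tillagt og sendt med denne meddelelse.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="data.zip")
    return msg.as_bytes()
```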
Update: Agent.FVO is a downloader.
Yesterday, its C&C server was quiet so there were no additional components for download. Today, the C&C server is pushing out a BZub variant which has been detected as Trojan-Spy.Win32.Bzub.fbm since our 2008-08-25_07 database update.
BZub is a trojan-spy interested in banking details.