The antivirus gateway detected an interesting email this evening.
Envelope From: [edited]
From: cmplntscentercase[at]bbb.org
Originating IP: 207.210.105.78, which ARIN lists as a Canadian address.
Subject: Complaint Case Number: 363619942 Joe User
(It contained the name of the recipient.)
File: Embedded inside the attachment complaint.doc was an executable with the deliberately misleading name 'MicrosoftWordhasencounteredaproblemandthedocumentwasnotfullyloaded.Pleasedouble-clickontheicontoreloadmsword.exe'
There were multiple detections on this file:
W32/Heur-Dropper.gen.a-5e19-3e29
W32/Generic
Exploit/RTFEmbeddedExe
This email is similar to http://orwwa.bbb.org/release.html?value=61 from earlier this year. In that instance the users were tricked into clicking on a malicious link rather than conned into opening a viral attachment. According to this SANS diary entry, the link led to an EXE embedded inside an RTF document. So while the style of attack isn't new, this email could indicate a new spam run of this virus.
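The detection name Exploit/RTFEmbeddedExe points at the mechanism: an RTF file (here handed out as a .doc) carrying an OLE Package object whose hex-encoded \objdata payload is a Windows executable. The following Python is an added example, not code from the original post or the gateway product, that hex-decodes every \objdata group and checks for an MZ header whose e_lfanew points at a PE signature, plus a check for an RTF body hiding behind a non-.rtf extension. The sample RTF is constructed here; the object header is simplified and the "executable" is just a header skeleton.

```python
import re

def _constructed_objdata() -> str:
    """Constructed OLE 1.0-style \\objdata payload: simplified header plus a fake MZ/PE skeleton."""
    pe = (b"MZ\x90\x00" + b"\x00" * 56          # DOS header up to e_lfanew
          + (0x80).to_bytes(4, "little")        # e_lfanew -> offset 0x80
          + b"\x00" * 64 + b"PE\x00\x00")       # padding, then PE signature
    header = (bytes.fromhex("01050000 02000000 08000000")  # version, embedded, name len
              + b"Package\x00" + bytes(8) + len(pe).to_bytes(4, "little"))
    return (header + pe).hex()

# Constructed sample mimicking the shape of the attachment described above.
SAMPLE_RTF = (r"{\rtf1\ansi{\object\objemb{\*\objclass Package}{\*\objdata "
              + _constructed_objdata() + "}}}")

OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")

def decode_objdata(rtf: str) -> list[bytes]:
    """Hex-decode every \\objdata group; tolerate whitespace and a stray trailing nibble."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(r"\s+", "", m.group(1))
        blobs.append(bytes.fromhex(hexstr[: len(hexstr) & ~1]))
    return blobs

def find_pe(blob: bytes):
    """Offset of the first 'MZ' whose e_lfanew (offset 0x3C) lands on 'PE\\0\\0', else None."""
    off = blob.find(b"MZ")
    while off != -1:
        if off + 64 <= len(blob):
            e_lfanew = int.from_bytes(blob[off + 60:off + 64], "little")
            if blob[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00":
                return off
        off = blob.find(b"MZ", off + 1)
    return None

def scan_rtf(rtf: str) -> dict:
    """Flag RTF text that embeds an OLE object containing a PE image."""
    result = {"has_object": "\\object" in rtf, "embedded_pe": False, "pe_offset": None}
    for blob in decode_objdata(rtf):
        off = find_pe(blob)
        if off is not None:
            result.update(embedded_pe=True, pe_offset=off)
            break
    return result

def is_rtf_masquerading(filename: str, data: bytes) -> bool:
    """True when the bytes are RTF but the attachment name claims another format (e.g. .doc)."""
    return data.lstrip().startswith(b"{\\rtf") and not filename.lower().endswith(".rtf")
```

A gateway rule that combines the two checks (RTF magic under a .doc name, plus a PE inside \objdata) would have flagged this attachment regardless of the signature name the engines assigned.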