In the last 4 days or so I have received about 45 emails and counting purporting to be from someone who scanned documents using a Xerox scanner. Although they are not originating from Xerox or their equipment spammers are using their name to breed some familiarity with users to fool them into executing the attachment.
The emails have some slight variations but this is the basic format of what I am seeing:
Please open the attached document. It was scanned and sent to you using a Xerox
WorkCentre Pro.Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]WorkCentre Pro Location: machine location not set
Device Name: XRX3412AA7ACDB46538211For more information on Xerox products and solutions, please visit
http://www.xerox.com
The attachment also contains a variation of the name XeroxNXXXXXX.zip with XXXXXXX being a random number. Opening the attachment reveals a executable file named Xerox__Doc.exe.
I submitted a sample of this code to the Microsoft Malware Protection Center via their online submission form. They reported back that the Xerox_Doc.exe contained the Win32/Malagent Trojan. The MMPC reports the latest definitions for Microsoft anti-malware software will detect the trojan.
So make sure you have everything updated and be smart and do not execute these types of attachments even with updated signatures.
Have you seen this malware attempt yourself?
