4th Apr '08

An official looking e-mail from the IRS may be a virus

This morning I’m interrupting my E-mail address security series of articles to bring you some important information on a new e-mail threat.

The samples that we’ve seen so far are all e-mail messages from timothy.johnson@irs.gov, but I wouldn’t be surprised if this changes. The subject line and body are highly personalized: the recipient’s organization name appears in the subject and body, and the actual recipient’s name is in the “To” header.

From: Timothy Johnson
To: Mike Smith
Subject: Re : Tax Refund for Acme & Associates

Hi
I am sorry but in order for Acme & Associates to get a tax refund, all the fields must be completed.

Please complete the missing fields on the attached form and re-send it to me.

Thanks
Timothy Johnson
IRS Tax Refund Department

The e-mail message carries an attachment, typically named tax_refund_form.zip and approximately 302 KB in size, which contains a trojan horse installer named tax_refund_form.scr. At the time of writing, the installer is not detected by F-PROT or ClamAV.

The malware contains a compressed transparent proxy written in Delphi, based on the proxy demo from Indy, an open source sockets library. It doesn’t appear to have any code that would allow it to spread on its own, so it is appropriately called a trojan and not a virus. The program downloads and installs a Windows rootkit from other Web sites. This is likely a password stealing program being spread through e-mail by the malware’s author. It appears to be the same trojan that earlier this year was pretending to be from the Department of Justice regarding a complaint filed against “your company”.

Besides downloading additional malware from different web sites, it also contacts other web sites simply to report a successful installation. Two of the sites use XOOPS, and it’s likely that the malware writers are using vulnerabilities in this content management system and its plugins to host their malware and malware updates. Please don’t forget to keep your web applications up to date, including any third party plugins, to help prevent your web site from becoming a base of operations for these types of malware.

More importantly, don’t open e-mail attachments unless you’re expecting them and know what they are. If your organization hasn’t drilled this very basic security awareness into its workers’ heads, feel free to take the initiative and notify people of this and similar threats. Someone could also have just as easily called pretending to be from the IRS and asked you to fill out a form that they would e-mail you, and then followed it up by e-mailing you this malware. So also use some common sense backed by a little bit of paranoia.

If you opened this attachment, you may have seen a PDF file named FINAL_TBF2.pdf, which may convince you that all you did was open a harmless PDF file. However, while you’re reading the PDF, the malware is likely being installed. If you’re concerned that you may have been infected, you can check by looking for the following file, which is one of the first ones the trojan creates.

\WINDOWS\svchost.exe

Once created, this file is correctly identified by ClamAV as Trojan.Bancos-9296. Note that there are legitimate files named svchost.exe in a Windows installation, but not directly inside the primary Windows directory; legitimate copies of svchost.exe will usually be under \WINDOWS\system32 or other locations.
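The location check above is easy to get wrong by hand when a machine has several svchost.exe processes running, so here is a small script that applies it. This is an added example, not code from the original post: it classifies any svchost.exe path as “suspect” when it sits directly inside the Windows directory (the indicator described above), “expected” when it sits under a known system directory, and “review” anywhere else. The set of known-good directories (system32, SysWOW64, WinSxS) is an assumption of this example; the post itself only says that legitimate copies are not directly inside \WINDOWS. The sample path list is constructed for the demonstration, and scan_filesystem() performs the same check against a real Windows directory.

```python
import os
from pathlib import PureWindowsPath

# Directories where a genuine svchost.exe is expected to live.
# Assumption for this example: the post only states that legitimate copies
# are under \WINDOWS\system32 "or other locations", not directly in \WINDOWS.
KNOWN_GOOD_DIRS = {"system32", "syswow64", "winsxs"}


def classify_svchost(path, windows_root=r"C:\WINDOWS"):
    """Classify one path.

    Returns 'suspect'  - svchost.exe directly inside the Windows directory
                         (the indicator described in the post),
            'expected' - svchost.exe under a known system subdirectory,
            'review'   - svchost.exe anywhere else,
            None       - the file is not named svchost.exe.
    """
    p = PureWindowsPath(path)
    if p.name.lower() != "svchost.exe":
        return None
    root_parts = [part.lower() for part in PureWindowsPath(windows_root).parts]
    parent_parts = [part.lower() for part in p.parent.parts]
    if parent_parts == root_parts:
        return "suspect"
    if (len(parent_parts) > len(root_parts)
            and parent_parts[:len(root_parts)] == root_parts
            and parent_parts[len(root_parts)] in KNOWN_GOOD_DIRS):
        return "expected"
    return "review"


def scan_paths(paths, windows_root=r"C:\WINDOWS"):
    """Return {path: classification} for every svchost.exe in the given path list."""
    results = {}
    for path in paths:
        classification = classify_svchost(path, windows_root)
        if classification is not None:
            results[path] = classification
    return results


def scan_filesystem(windows_root=r"C:\WINDOWS"):
    """Walk a real Windows directory and classify every svchost.exe found.

    Only meaningful on a Windows host; on other systems it returns {}.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(windows_root):
        for filename in filenames:
            if filename.lower() == "svchost.exe":
                hits.append(os.path.join(dirpath, filename))
    return scan_paths(hits, windows_root)


# Constructed sample paths for the demonstration (not taken from a real host).
SAMPLE_PATHS = [
    r"C:\WINDOWS\svchost.exe",                 # the indicator from the post
    r"C:\WINDOWS\system32\svchost.exe",        # normal location
    r"C:\WINDOWS\system32\notepad.exe",        # unrelated file, ignored
    r"C:\Users\mike\AppData\Local\svchost.exe" # unexpected place, worth a look
]


if __name__ == "__main__":
    for path, classification in scan_paths(SAMPLE_PATHS).items():
        print(f"{classification:8s} {path}")
```

Comparisons are case-insensitive because Windows paths are, so `c:\windows\System32\svchost.exe` is treated the same as the canonical spelling. Anything reported as “suspect” or “review” is a reason to quarantine the machine and hand it to whoever does your incident response, not a reason to start deleting files.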

If your workstation is infected, please quarantine it and contact your current IT security incident response specialist who has expertise in removing malware, or use your commercial anti-virus product and contact your anti-virus vendor for assistance and assurance.

04/08/2008 Update: The “IRS complaint” e-mail isn’t anything new. It’s been going out around tax time for a couple of years now, but many people who don’t know about it are still being fooled. I’m pasting a recent example. Although these vary, they are targeted and likely contain the same trojan downloader described above.

From: Internal Revenue Service <complaintscenter1@irs.gov>
To: Smith, Mike A.
Subject: Complaint Filled against Mike Smith, Acme Inc. (Case id: #48B2EF)

IRS Logo

Dear Mr. Mike Smith,

A complaint has been filed against the company you are affiliated to, Acme Inc in regards to multiple unauthorized third party tax inquiries.

The complaint was filed by Mr. James Collins on 29/03/2008 and has been forwarded to the IRS and the US Department of Justice.

IRS Complaint Case Number: #48B2EF
Date: 29/03/2008

IRS Complaint with appropriate information attached.

You may find a copy of the original complaint and contact information for Mr. James Collins attached.

Disputes involving consumer products and/or services taxes may be arbitrated through the IRS. Unless they directly relate to the contract that is the basis of this tax dispute, the following claims will not be considered for arbitration:

Claims for personal injuries;
Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.

If an arbitration is required to settle the tax dispute, Internal Revenue Service offers binding arbitration service for disputes involving marketplace tax transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.

(c) 2008 Internal Revenue Service All Rights Reserved.

Note that the IRS has an SPF record, and enabling SPF filtering may be a good way to help stop these types of fraudulent and malware spreading e-mail messages. However, simple attachment filtering to remove .zip files and executables would also help remove the dangerous parts. Also, the IRS has indicated that it doesn’t initiate contact with taxpayers by e-mail.
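To show what the two mail-side defenses look like in practice, here is an added example (not code from the original post) that inspects a message the way a gateway filter would: it reads the Received-SPF result recorded by the receiving MTA, flags executable attachments by extension, and opens .zip attachments in memory so that a tax_refund_form.scr hidden inside tax_refund_form.zip is caught even though the outer file is “just a zip”. The sample message, its addresses, the SPF header text and the zip contents are all constructed here to mimic the lure described above; the zip member is placeholder bytes, not the trojan.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that should never arrive as attachments from an outside sender
# (assumed list for this example; the post specifically names .scr and .zip).
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
ARCHIVE_EXTENSIONS = {".zip"}


def _extension(name):
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def inspect_attachment(filename, payload):
    """Return a list of findings for one attachment.

    A bare executable is flagged by its extension. A .zip is opened in memory
    and each member is checked the same way, so an executable wrapped in an
    archive is still reported.
    """
    findings = []
    ext = _extension(filename)
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable attachment {filename}")
    elif ext in ARCHIVE_EXTENSIONS:
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if _extension(member) in EXECUTABLE_EXTENSIONS:
                        findings.append(f"executable {member} inside {filename}")
        except zipfile.BadZipFile:
            findings.append(f"corrupt or non-zip archive {filename}")
    return findings


def inspect_message(raw):
    """Inspect a raw RFC 822 message and return the reasons to quarantine it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # SPF verdict written by the receiving MTA (Received-SPF header, RFC 7208).
    spf = msg.get("Received-SPF", "")
    if spf.lower().startswith("fail"):
        findings.append(f"SPF fail for sender {msg.get('From')}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        findings.extend(inspect_attachment(name, part.get_payload(decode=True)))
    return findings


def build_sample_message():
    """Construct a message shaped like the IRS lure (constructed sample, not a capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder bytes stand in for the installer; this is not malware.
        zf.writestr("tax_refund_form.scr", b"placeholder content, not an executable")
    msg = EmailMessage()
    msg["From"] = "Timothy Johnson <timothy.johnson@irs.gov>"
    msg["To"] = "Mike Smith <mike.smith@example.com>"
    msg["Subject"] = "Re : Tax Refund for Acme & Associates"
    # Constructed SPF verdict: the connecting host is not in irs.gov's SPF record.
    msg["Received-SPF"] = ("fail (example.com: domain of irs.gov does not designate "
                           "192.0.2.10 as permitted sender)")
    msg.set_content("Please complete the missing fields on the attached form and re-send it to me.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="tax_refund_form.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_message(build_sample_message()):
        print("QUARANTINE:", finding)
```

Either finding on its own is enough to quarantine the message. The SPF check depends on the MTA having done the DNS lookup and recorded the verdict; the attachment check needs nothing but the message itself, which is why the post calls attachment filtering the simpler defense.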


19 Responses to “An official looking e-mail from the IRS may be a virus”

  1. Wendy says:

    I received one of them this morning. I am very sharp about this: he said tax refund for my company. Number 1 mistake, companies do not receive tax refunds. 2nd mistake, his first line was Hi; the government does not open any correspondence with Hi. Last mistake on this simple email is no IRS labels etc. I didn’t open this as I knew from jump something wasn’t right.

  2. Ross says:

    Mark,
    One of my users has recently received the message that you describe above. She unzipped the file and opened it. It shows up as a form that is a legal case of California against AT&T. What should be my response to this attack to protect this user and our company?

  3. Mark Adams says:

    Wendy,

    I agree that the e-mail could have been written more professionally to be more convincing. Hopefully this is something that the malware authors keep getting wrong. Unfortunately, they still fool a lot of e-mail users.

    Ross,

    It does come with a PDF file called FINAL_TBF2.pdf, which it opens, which likely is pretty convincing to the average user that the only result was a PDF file being opened. The actual trojan installs as a service called WMSELService, but it may also install itself as a driver. I would recommend hiring a security response specialist, or contacting your anti-virus vendor for assistance.

  4. Paulette Mobley says:

    I just received this email from one of my business accounts on Yahoo. I DID open the zip file but noticed the file was a .scr file of the Type ‘Screen Saver’. I’m running a virus scan as we speak but do you have any other advice for me. Please advise asap.
    Thanks,

  5. Paulette Mobley says:

    *Note - I did NOT run the .scr file.

  6. Mark Adams says:

    Paulette,

    You should be fine. Many people who receive viruses by e-mail that come in a zipped archive will get to the same point that you got to before they realize that what is inside the zipped archive doesn’t look very friendly. Luckily there are many users that realize that a .scr file is an executable (and not an IRS form). It’s also great that you’re not hiding file name extensions, so that you could see the .scr extension. After giving your IT department a chance to do any investigation necessary, I’d say go ahead and delete the e-mail and the attached file if you saved it to your computer. To see if you’re infected, one of the first files it installs is:

    C:\WINDOWS\svchost.exe

  7. Paulette Mobley says:

    Thanks Mark,
    Did find 2 files with the svchost.exe but it won’t allow me to delete one of them. Virus scan found nothing. How can I get this one file off my computer????

  8. Mark Adams says:

    Paulette,

    There are some legitimate files in a Windows installation named svchost.exe, but none at the path that I mentioned. You may find legitimate ones under \WINDOWS\system32.

  9. tom says:

    Thanks for posting this. I received the same message on Sunday. I didn’t open it, but I looked at the header and it appears that the IP address comes from Isprime.com. I sent an email to abuse@isprime.com. Does it do any good to report this, or am I just wasting my time?

  10. Mark Adams says:

    It’s always a good idea to report e-mail borne malware and spam to the originating IP address’s ISP. However, not everyone has time to do this, or the knowledge necessary to determine which IP address connected to their e-mail server or who to report it to. Luckily, it sounds like you do have that knowledge. Although it’s unlikely to lead to the culprit, it can slow down the spread of the e-mail and may even result in someone finding out that they had a security problem, as most of these are sent from compromised computers where the computer owner had no idea.

  11. Nick S. says:

    Our accounting person received exactly the same e-mail (with our correct company name filled in) on the afternoon of the 3rd. I was just informed about it this afternoon.

    Symantec Antivirus Corporate Edition v8 didn’t detect it either. (I know, it’s from 2002- but the definitions still get updated- current definition file is dated 4/4/2008.) I scanned the .zip first, then opened it in 7-Zip and extracted the .scr file, and scanned that as well. No warnings.

    It has the correct company name, and it’s addressed to the correct person at our organization- maybe a workstation inside the IRS is compromised and sending mail to people that agent has been in contact with? Maybe the agent’s name is Timothy Johnson…? It would make it more legitimate if people actually had contact with somebody by that name previously.

  12. Andrea says:

    Thank you for taking the time to post this. I had this in my inbox 1 day after filing and was suspicious of it. I know better than to open attachments, but when you see IRS and taxes, you just want to do what needs to be done to make it go away:) Thanks again.

  13. Steven says:

    Hi,
    I found your site because I opened a similar e-mail with the company_report.zip file and now I am pretty sure it has infected my computer. IE is really slow and takes up 25% of the CPU process when I open it. There are a lot of svchost.exe processes. I have not been able to find any removal tips. I found an article at Symantec for Backdoor.Robofo, aka, TROJ_AGENT.AZZZ, but I am not so sure it is the same thing. I checked the files and registry and didn’t see any of the entries suggested by Symantec that Backdoor.Robofo would drop or modify.

    any ideas?

  14. Steven says:

    OH, here is what the e-mail

    From: jim.lanton@irs.gov [mailto:jim.lanton@irs.gov]
    Sent: Tuesday, April 15, 2008 11:14 AM
    To: Steven
    Subject: Re:company report for ABC PLLC

    ——————————————————————————- (These lines were the IRS logo)

    To : Steven
    The report is attached.

    You need to complete the fields about Watson & McDonell PLLC income.

    Jim Lanton
    IRS Fraud Department

    © 2008 Internal Revenue Service All Rights Reserved.

  15. Mark Adams says:

    Steven,

    The removal requirements could vary. I would recommend hiring your local IT security response company with experience with removing viruses. If you still have a copy of the virus, it will be easier. You may also try a commercial anti-virus product and giving the vendor a call for assistance.

    You may also want to see this presentation from Microsoft on advanced malware removal.

  16. Andy says:

    My head Accountant received this message just minutes ago, nothing was opened or extracted but it is a concern of course, you would think my spam filter would have caught this…

  17. Monique says:

    This spam mail is also active in The Netherlands!

  18. Heads-up: IRS Spam Now in the Wild — MiPro Unfiltered says:

    […] Deeper research shows that it quite possibly might be a trojan horse that installs a virus; if you read the comments in the previous link, you’ll see different delivery mechanisms. Some are PDFs, some ZIP files, some DOCs. Regardless, it seems as if the object, regardless of its wrapper, installs some sort of malicious payload. […]

  19. John says:

    Try uploading the file/attachment to this virus scanner:
    http://www.virustotal.com
