3rd Oct '08

Bill.zip virus

This blog is brought to you by SpamStopsHere, the e-mail security company.

We started seeing a virus whose subject line simply reads “Bill for username”, where username is the local part of the recipient's e-mail address (the part before the @ in username@example.com), with the virus attached as a file named “bill.zip”.

The e-mail message reads:

Hello username, the bill is attached.  Password is 123.

Upon analysis, this appears to be the same virus that was spread in the forged CNN and MSNBC news alerts in August. It installs itself as a service named “CbEvtSvc”, which typically runs from a file located at “C:\WINDOWS\system32\CbEvtSvc.exe”.

A long time ago, it became commonplace for viruses to arrive in password-protected zip archives, with a random password given in the body of the e-mail message, either in plain text or in an image. This distribution mechanism actually worked for the virus authors, getting past many anti-virus products that could not open the archive.

However, the anti-virus engines caught on and simply marked all password-protected zip files as suspicious. The password protection also stops many users from executing the file, either because it is an extra step or because they do not know how to unzip the archive.
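The two checks described above (the “Bill for username” / “Password is ...” message pattern, and flagging any zip attachment that is password-protected) can both be done without opening the archive: a zip entry is marked encrypted by bit 0 of the general-purpose flag in its header, which the mail gateway can read directly. The following is an added example written for this post, not SpamStopsHere's filter code. The recipient, subject, body and attachment are constructed from the message quoted above; because Python's standard library cannot write encrypted archives, the sample zip is written in the clear and only has its encrypted flag bit patched in, which is enough to exercise the header check.

```python
import io
import re
import struct
import zipfile

# Bit 0 of the ZIP general-purpose bit flag marks an encrypted entry
# (PKWARE APPNOTE 4.4.4). It is readable from the central directory
# without extracting or decrypting anything.
ZIP_FLAG_ENCRYPTED = 0x0001
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# Matches "Password is 123", "password: abc", etc. in the message body.
PASSWORD_RE = re.compile(r"\bpassword\s*(?:is|:)\s*(\w+)", re.IGNORECASE)


def zip_indicators(data):
    """Inspect a zip attachment's directory without extracting it."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & ZIP_FLAG_ENCRYPTED:
                    reasons.append(f"encrypted entry: {info.filename}")
                if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                    reasons.append(f"executable entry: {info.filename}")
    except zipfile.BadZipFile:
        reasons.append("malformed zip")
    return reasons


def message_indicators(subject, recipient, body, attachments):
    """attachments: dict of filename -> raw bytes. Returns a list of
    human-readable reasons the message looks like this campaign."""
    reasons = []
    localpart = recipient.split("@", 1)[0]
    if subject.strip().lower() == f"bill for {localpart}".lower():
        reasons.append("subject is 'Bill for <recipient localpart>'")
    m = PASSWORD_RE.search(body)
    if m:
        reasons.append(f"body discloses archive password {m.group(1)!r}")
    for name, data in attachments.items():
        if name.lower().endswith(".zip"):
            reasons.extend(f"{name}: {r}" for r in zip_indicators(data))
    return reasons


def build_sample_zip(entry_name, payload, mark_encrypted=True):
    """Constructed sample archive. The payload is NOT really encrypted;
    the encrypted flag bit is patched into the local file header
    (flags at offset 6) and the central directory record (flags at
    offset 8) so that zip_indicators() sees what it would see on a
    genuinely password-protected attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(entry_name, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            (flags,) = struct.unpack_from("<H", data, pos + off)
            struct.pack_into("<H", data, pos + off, flags | ZIP_FLAG_ENCRYPTED)
    return bytes(data)


# Constructed message, modelled on the one quoted in the post.
SAMPLE_RECIPIENT = "username@example.com"
SAMPLE_SUBJECT = "Bill for username"
SAMPLE_BODY = "Hello username, the bill is attached.  Password is 123."
SAMPLE_ATTACHMENTS = {
    "bill.zip": build_sample_zip("bill.exe", b"placeholder, not a real binary"),
}


def sample_verdict():
    return message_indicators(SAMPLE_SUBJECT, SAMPLE_RECIPIENT,
                              SAMPLE_BODY, SAMPLE_ATTACHMENTS)


if __name__ == "__main__":
    for reason in sample_verdict():
        print("FLAG:", reason)
```

On the sample message this reports four indicators: the personalised subject, the disclosed password, the encrypted entry and the executable inside the archive. A real gateway would weight these rather than treat any one alone as decisive, since legitimate users do occasionally send password-protected archives.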

It is no longer practical for virus authors to send out a virus in a password-protected zip file, and these messages do not even appear to use different random passwords. This new form of e-mail-borne virus is very unoriginal compared to the previous fake news alerts. I have to wonder if the virus writers are simply bored or have thrown in the towel.

This virus is identified by Microsoft as TrojanDownloader:Win32/Chepvil.H and by F-Prot as W32/Trojan3.AY.
