Last Updated: 2010-03-25 13:30:36 UTC
by Kevin Liston (Version: 1)
An email is being sent out warning the recipient of a "Copyright Lawsuit filed against you." We received a copy here, and a number of .EDUs have reported its receipt. It looks similar to:
March 24, 2010
Crosby & Higgins
350 Broadway, Suite 300
New York, NY 10013
To Whom It May Concern:
On the link bellow is a copy of the lawsuit that we filed against you in court on March 11, 2010.
Currently the Pretrail Conference is scheduled for April 11th, 2010 at 10:30 A.M. in courtroom #36.
The case number is 3485934. The reason the lawsuit was filed was due to a completely inadequate response from your company for copyright infrigement that our client Touchstone Advisories Inc is a victim of Copyright infrigement
Touchstone Advisories Inc has proof of multiple Copyright Law violations that they wish to present in court on April 11th, 2010.
Mark R. Crosby
Crosby & Higgins LLP
The law firms named in the email, header, and sending server all appear to be a mish-mash of existing firms.
If a user clicks on the link and opens the document, it will attempt to download an additional payload.
Currently only a few AV solutions detect the initial document: http://www.virustotal.com/analisis/9b762ff9d2103022bf1476f2c55db91475f31526522716e827875801f92a0d87-1269486837
Following Daniel's process (http://isc.sans.org/diary.html?storyid=6703) one could extract the executable and determine what it's up to.
It appears to reach out to 18.104.22.168:80 to make a request similar to: