Dell Customer Care sent me an infected file... not

Got spam today that looks like an infected message. It's a phishing email that targets Dell customers.

The content of the message is obviously a phishing message (BTW, the message header says it is from customercare@dell.com):

Dear Customer,

Thank you for ordering from our internet shop. If you paid with a credit card, the charge on your statement will be from name of our shop.

This email is to confirm the receipt of your order. Please do not reply as this email was sent from our automated confirmation system.

Date : 08 Oct 2006 - 12:40
Order ID : 37679041

Payment by Credit card

Product : Quantity : Price
WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99

Subtotal : 2,449.99
Shipping : 32.88
TOTAL : 2,482.87

Your Order Summary located in the attachment file ( self-extracting archive with "37679041.pdf" file ).

PDF (Portable Document Format) files are created by Adobe Acrobat software and can be viewed with Adobe Acrobat Reader.
If you do not already have this viewer configured on a local drive, you may download it for free from Adobe's Web site.  

We will ship your order from the warehouse nearest to you that has your items in stock (NY, TN, UT & CA). We strive to ship all orders the same day, but please allow 24hrs for processing.

You will receive another email with tracking information soon.

We hope you enjoy your order!  Thank you for shopping with us!

The compressed file doesn't contain a PDF file but an exe file named "37679041.exe". I sent the file for an online scan and only a few antivirus engines detected an infection in the said file.
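As an added example (not code from the post), a small Python check for the mismatch described above: it builds a constructed lure (an assumed body text and a fake MZ stub, not the real sample) and flags an attachment whose archive members are executables or are not the PDF the body promises.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Content signatures: Windows MZ/PE executables vs. real PDFs.
EXE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF"
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

def build_sample_eml() -> bytes:
    """Constructed sample lure: the body promises 37679041.pdf, the zip
    attachment holds a fake 37679041.exe (an MZ stub, not the real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("37679041.exe", EXE_MAGIC + b"\x90\x00" * 16)
    msg = EmailMessage()
    msg["From"] = "customercare@dell.com"  # spoofed sender, as in the post
    msg["Subject"] = "Order confirmation"
    msg.set_content("Your Order Summary located in the attachment file (37679041.pdf).")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="37679041.zip")
    return bytes(msg)

def inspect_attachments(raw: bytes) -> list:
    """Return findings for attachments whose real content (or archive
    members) contradicts the filename or the PDF the body promises."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    body_promises_pdf = ".pdf" in (body.get_content().lower() if body else "")
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        members = [(name, data)]
        if zipfile.is_zipfile(io.BytesIO(data)):  # look inside archives
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [(m.filename, zf.read(m)) for m in zf.infolist()]
        for mname, mdata in members:
            lower = mname.lower()
            if lower.endswith(EXEC_EXTS) or mdata.startswith(EXE_MAGIC):
                findings.append(f"{name}: executable content '{mname}'")
            if lower.endswith(".pdf") and not mdata.startswith(PDF_MAGIC):
                findings.append(f"{name}: '{mname}' lacks the %PDF header")
            if body_promises_pdf and not lower.endswith(".pdf"):
                findings.append(f"{name}: body promises a PDF, got '{mname}'")
    return findings
```

Run `inspect_attachments(build_sample_eml())` to see both findings for the constructed lure; a mail with no attachments yields an empty list.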

Virustotal:

AntiVir 7.2.0.25 10.09.2006 HEUR/Crypted
Authentium 4.93.8 10.09.2006 no virus found
Avast 4.7.892.0 10.10.2006 no virus found
AVG 386 10.10.2006 no virus found
BitDefender 7.2 10.10.2006 no virus found
CAT-QuickHeal 8.00 10.07.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 10.10.2006 no virus found
eTrust-InoculateIT 23.73.18 10.10.2006 no virus found
eTrust-Vet 30.3.3125 10.10.2006 no virus found
DrWeb 4.33 10.10.2006 no virus found
Ewido 4.0 10.10.2006 no virus found
Fortinet 2.82.0.0 10.10.2006 suspicious
F-Prot 3.16f 10.09.2006 no virus found
F-Prot4 4.2.1.29 10.09.2006 no virus found
Ikarus 0.2.65.0 10.10.2006 no virus found
Kaspersky 4.0.2.24 10.10.2006 no virus found
McAfee 4869 10.09.2006 no virus found
Microsoft 1.1603 10.10.2006 no virus found
NOD32v2 1.1796 10.10.2006 a variant of Win32/Haxdoor
Norman 5.80.02 10.10.2006 Suspicious_F.gen
Panda 9.0.0.4 10.09.2006 Suspicious file
Sophos 4.10.0 10.05.2006 no virus found
TheHacker 6.0.1.094 10.08.2006 no virus found
UNA 1.83 10.09.2006 no virus found
VBA32 3.11.1 10.09.2006 no virus found
VirusBuster 4.3.7:9 10.09.2006 no virus found

Jotti's Malware scan:

Scanner  Malware name
AntiVir  X
ArcaVir  X
Avast  X
AVG Antivirus  X
BitDefender  X
ClamAV  X
Dr.Web  X
F-Prot Antivirus  X
Fortinet  X
Kaspersky Anti-Virus  X
NOD32  X
Norman Virus Control  Text/BotFTP.gen
UNA  X
VirusBuster  X
VBA32  X

So guys - especially Dell customers - don't execute or download such attachments. I usually preview the emails on the server using Mailwasher Pro or ePrompter, then I delete the bad emails from the server and simply download the good emails. I didn't do that this time because I'm in a testing mood. If you aren't a tester, don't do it.

Update: I submitted the said .exe file to Symantec. Symantec's analysis is: INFECTED, and they named it Backdoor.Haxdoor.R - http://www.symantec.com/security_response/writeup.jsp?docid=2006-101011-0842-99

Discovered: October 10, 2006
Updated: October 10, 2006 03:04:03 PM GDT
Type: Trojan Horse
Infection Length: 55,436 bytes.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
If you are a NAV user, you can download the rapid release at Symantec's FTP page (ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/symrapidreleasedefsi32.exe). The said definitions contain all detections by Symantec, including detection for the sample I sent to them today. Detection will also be available via LiveUpdate Daily (today) and weekly LiveUpdate (tomorrow, Oct. 11).
Published Tuesday, October 10, 2006 12:46 PM by donna

Comments

Thursday, October 12, 2006 8:48 PM by dianne hayter

# re: Dell Customer Care sent me an infected file... not

Good program, except why doesn't Windows Defender, downloaded at the same time, update? It always looks as though my last Defender scan was several days ago.
Wednesday, November 08, 2006 7:56 AM by Lina

# re: Dell Customer Care sent me an infected file... not

I just received the same fraud email... was looking up a search of the item and came to your link... it helped me to see someone else got it too and it is DEFINITELY FRAUD. Thanks,
Wednesday, November 15, 2006 11:42 PM by Chris V Packe

# re: Dell Customer Care sent me an infected file... not

I received the file, purporting to come from Walmart. I am a bit paranoid about security, and my CA antivirus removed the PDF attachment and replaced it with an announcement of their own. Still, it does show how extremely important it is to keep security up to date. Thanks for the info on your site. It makes good reading. Cheers

Monday, November 27, 2006 5:05 PM by Donna's SecurityFlash

# Dell gave late security warning but ... that's better than never

I blogged last October 10th about the Dell fake email that contained an infected file. Dell finally warned

Thursday, November 30, 2006 12:30 PM by Max

# re: Dell Customer Care sent me an infected file... not

Like Linda said, I got the email too and thought it was a virus, so I googled it and, well, it looks like it was a fake email