New Email Attack - Copyright Lawsuit filed against you
This new attack should be avoided, as there is an embedded EXE inside the RTF-based document. Most genuine lawsuits are served by certified mail, not by an emailed link.
http://isc.sans.org/diary.html?storyid=8497
http://isc.sans.org/diary.html?storyid=8500
QUOTE: An email is being sent out warning the recipient of a "Copyright Lawsuit filed against you." We received a copy here and a number of .EDUs have reported its receipt. It looks something similar to:
March 24, 2010
Crosby & Higgins
350 Broadway, Suite 300
New York, NY 10013
To Whom It May Concern:
On the link bellow is a copy of the lawsuit that we filed against you in court on March 11, 2010. Currently the Pretrail Conference is scheduled for April 11th, 2010 at 10:30 A.M. in courtroom #36. The case number is 3485934. The reason the lawsuit was filed was due to a completely inadequate response from your company for copyright infrigement that our client Touchstone Advisories Inc is a victim of Copyright infrigement. Touchstone Advisories Inc has proof of multiple Copyright Law violations that they wish to present in court on April 11th, 2010.
Sincerely,
Mark R. Crosby
Crosby & Higgins LLP
The law firms named in the email, header, and sending server all appear to be a mish-mash of existing firms. If a user clicks on the link and opens the document it will attempt to download additional payload. Currently only a few AV solutions detect the initial document.
Getting the EXE out of the RTF again
http://isc.sans.org/diary.html?storyid=8506
QUOTE: Since we got some mails from readers who had trouble getting the malware extraction technique to work on yesterday's malicious "copyright lawsuit" sample, here's a quick walk-through again on how to carve an EXE out of a DOC or RTF file.
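The ISC walk-through linked above is not reproduced here, so the following is an added analyst-side example (not from the ISC diary, the forum post, or any AV vendor) of how such carving is typically done: an RTF embeds OLE objects as a hex string under the `\objdata` control word, so decoding that hex and locating a valid `MZ`/`PE\0\0` header pair yields the dropped executable for hashing and submission. The sample RTF, the OLE header prefix, and the stub PE image are all constructed inline for the demonstration and are not the real malicious document.

```python
import hashlib
import re
import struct
from typing import List, Tuple

# Hex payload following \objdata in an RTF object group. The hex may be
# wrapped across many lines, so whitespace is allowed inside the match.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def extract_objdata_blobs(rtf: bytes) -> List[bytes]:
    """Return the decoded binary blobs hex-encoded under every \\objdata group."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:  # stray trailing nibble: drop it rather than fail
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def looks_like_pe(data: bytes, offset: int) -> bool:
    """True if a DOS header at offset points (via e_lfanew) to a PE signature."""
    if data[offset:offset + 2] != b"MZ" or len(data) < offset + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, offset + 0x3C)[0]
    pe_off = offset + e_lfanew
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


def carve_executables(rtf: bytes) -> List[bytes]:
    """Carve every PE image found inside the RTF's embedded OLE objects."""
    carved = []
    for blob in extract_objdata_blobs(rtf):
        pos = blob.find(b"MZ")
        while pos != -1:
            if looks_like_pe(blob, pos):
                carved.append(blob[pos:])  # from the MZ header to end of object
                break
            pos = blob.find(b"MZ", pos + 1)  # bare "MZ" bytes are common; keep looking
    return carved


def triage(rtf: bytes) -> List[Tuple[str, int]]:
    """SHA-256 and size of each carved image, ready for AV/sandbox submission."""
    return [(hashlib.sha256(pe).hexdigest(), len(pe)) for pe in carve_executables(rtf)]


# --- constructed sample, standing in for the real "copyright lawsuit" RTF ---

def build_stub_pe() -> bytes:
    """A minimal, non-functional PE skeleton: MZ header, e_lfanew=0x40, PE sig."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
    return dos + b"PE\x00\x00" + b"\x00" * 16


def build_sample_rtf() -> bytes:
    """Wrap the stub PE in a constructed OLE1-style prefix and an RTF object group."""
    ole_prefix = b"\x01\x05\x00\x00\x02\x00\x00\x00"  # constructed, not a real OLE stream
    hexdata = (ole_prefix + build_stub_pe()).hex().encode("ascii")
    wrapped = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata\n" + wrapped + b"}}}"


if __name__ == "__main__":
    for digest, size in triage(build_sample_rtf()):
        print(f"carved PE: {size} bytes sha256={digest}")
```

To use it on a real sample, pass the file's bytes to `triage()` or `carve_executables()` and write each carved image to disk under a non-executable name; the `e_lfanew` check is what stops the carver from treating an incidental "MZ" byte pair in the OLE header as an executable.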