Fake Better Business Bureau Complaint Email
May 19th, 2012 by Kevin Zoll
!!! MALWARE ALERT !!!Emails with the subject of BBB assistance Re: Case # 54758388, contain an attachment that is malicious in nature. Recipients are advised to DELETE the email immediately upon receipt. Do NOT click on any links contained in the email. Do NOTdownload the attachment, open it or run the executable file contained in the attachment.If you are a victim of such a scam contact the Internet Crime Complaint Center.
This is a scam – the Better Business Bureau does not send complaints as attachments via email.
The email appears to come from a fake Better Business Bureau employee claiming that the recipient needs to review this matter and advise the Better Business Bureau of their position. This email is fraudulent and does not originate from the Better Business Bureau. The email attachment is malicious and you are strongly advising to not open the attachment.
Should you receive such an email, please disregard its message, and report any information received to Better Business Bureau’s Scam Portal, and then delete it. If you have downloaded the attachment and ran the executable file, immediately do a virus scan.
Technical Details:
Email Header Information
Return-Path: <ameliaajr16@eurobiobiz.com>
Delivery-Date: Fri, 18 May 2012 22:05:51 -0400
Received-SPF: pass (mxus3: domain of eurobiobiz.com designates 113.220.129.145 as permitted sender) client-ip=113.220.129.145; envelope-from=ameliaajr16@eurobiobiz.com; helo=[113.220.129.145];
Received: from [113.220.129.145] ([113.220.129.145])
by mx.perfora.net (node=mxus3) with ESMTP (Nemesis)
id 0MSN0N-1SgAog1iJf-00TgL5 for spd@malwareteks.com; Fri, 18 May 2012 22:05:51 -0400
Received: from [209.135.16.52] (account beautify04@anbid.com.br HELO cjgpntrcmacxmq.pccnyhpa.ru)
by (CommuniGate Pro SMTP 5.2.3)
with ESMTPA id 683923474 for spd@malwareteks.com; Sat, 19 May 2012 09:51:28 +0800
Date: Sat, 19 May 2012 09:51:28 +0800
From: “Better Business Bureau” <info@bbb.org>
X-Mailer: The Bat! (v2.00.18) Business
X-Priority: 3 (Normal)
Message-ID: <6342072830.A7MMH2LF793378@yioawrtrkn.efqjsmuivrbkw.ua>
To: <REDACTED>
Subject: BBB assistance Re: Case # 54758388
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary=”———-2355B0B33809B4″
X-UI-Loop: V01:2WIZ9csPR2c=:KbEFb2Gd6Zv+sEwd0RzNpclwJwlj1+BXYtFGXHAyBz8=
X-UI-Junk: AutoMaybeJunk +0 ();
V01:gGs4UThv:oKC1iUFVx7qqkU7vaWNd3GCC51ue2RLhb8FslSggE/7EjzCZU83
gUyMyltaeFv2Gu6NSKrpqronaIkdl+ncWhqVFANKZ76ssylHCYWTXuyPPd7n+1zu
s94IoBMIFzTRsw6sde//EfNCoV0aPSerjWtG7iUleojnj268AbOmsh9tO3Gr5WGB
jG5Rbd9zzFYOl
Envelope-To: <REDACTED>
Delivery-Date: Fri, 18 May 2012 22:05:51 -0400
Received-SPF: pass (mxus3: domain of eurobiobiz.com designates 113.220.129.145 as permitted sender) client-ip=113.220.129.145; envelope-from=ameliaajr16@eurobiobiz.com; helo=[113.220.129.145];
Received: from [113.220.129.145] ([113.220.129.145])
by mx.perfora.net (node=mxus3) with ESMTP (Nemesis)
id 0MSN0N-1SgAog1iJf-00TgL5 for spd@malwareteks.com; Fri, 18 May 2012 22:05:51 -0400
Received: from [209.135.16.52] (account beautify04@anbid.com.br HELO cjgpntrcmacxmq.pccnyhpa.ru)
by (CommuniGate Pro SMTP 5.2.3)
with ESMTPA id 683923474 for spd@malwareteks.com; Sat, 19 May 2012 09:51:28 +0800
Date: Sat, 19 May 2012 09:51:28 +0800
From: “Better Business Bureau” <info@bbb.org>
X-Mailer: The Bat! (v2.00.18) Business
X-Priority: 3 (Normal)
Message-ID: <6342072830.A7MMH2LF793378@yioawrtrkn.efqjsmuivrbkw.ua>
To: <REDACTED>
Subject: BBB assistance Re: Case # 54758388
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary=”———-2355B0B33809B4″
X-UI-Loop: V01:2WIZ9csPR2c=:KbEFb2Gd6Zv+sEwd0RzNpclwJwlj1+BXYtFGXHAyBz8=
X-UI-Junk: AutoMaybeJunk +0 ();
V01:gGs4UThv:oKC1iUFVx7qqkU7vaWNd3GCC51ue2RLhb8FslSggE/7EjzCZU83
gUyMyltaeFv2Gu6NSKrpqronaIkdl+ncWhqVFANKZ76ssylHCYWTXuyPPd7n+1zu
s94IoBMIFzTRsw6sde//EfNCoV0aPSerjWtG7iUleojnj268AbOmsh9tO3Gr5WGB
jG5Rbd9zzFYOl
Envelope-To: <REDACTED>
Email Body
Dear Sirs,The Better Business Bureau has received the above mentioned complaint from one of your associates in respect of their dealings with you.
The detailed information about the consumer’s concern is explained in enclosed document.
Please examine this matter and advise us of your standpoint.
We kindly ask you to open the ATTACHED REPORT to reply this complaint.We look forward to your urgent reply.Faithfully yours,
The detailed information about the consumer’s concern is explained in enclosed document.
Please examine this matter and advise us of your standpoint.
We kindly ask you to open the ATTACHED REPORT to reply this complaint.We look forward to your urgent reply.Faithfully yours,
Paula Tap
Dispute Counselor
Better Business Bureau
Email Attachment: BBB abuse.zip
SIZE: 40.0 KB (40985 bytes)
MD5: BCBACFD214EA6B951419C488548646EA
SIZE: 40.0 KB (40985 bytes)
MD5: BCBACFD214EA6B951419C488548646EA
VirusTotal Results
| Antivirus | Result | Updated |
|---|---|---|
| AhnLab-V3 | Win-Trojan/Kuluoz.55296 | 20120519 |
| AntiVir | – | 20120518 |
| Antiy-AVL | – | 20120519 |
| Avast | Win32:Dropper-gen [Drp] | 20120519 |
| AVG | – | 20120519 |
| BitDefender | Trojan.Generic.KDV.627249 | 20120519 |
| ByteHero | – | 20120518 |
| CAT-QuickHeal | – | 20120518 |
| ClamAV | – | 20120519 |
| Commtouch | W32/Trojan2.NRGZ | 20120519 |
| Comodo | Heur.Suspicious | 20120519 |
| DrWeb | BackDoor.Andromeda.22 | 20120519 |
| Emsisoft | Trojan.Win32.Jorik!IK | 20120519 |
| eSafe | – | 20120516 |
| eTrust-Vet | – | 20120517 |
| F-Prot | W32/Trojan2.NRGZ | 20120519 |
| F-Secure | Trojan.Generic.KDV.627249 | 20120519 |
| Fortinet | W32/Jorik_Androm.JO!tr | 20120519 |
| GData | Trojan.Generic.KDV.627249 | 20120519 |
| Ikarus | Trojan.Win32.Jorik | 20120519 |
| Jiangmin | – | 20120519 |
| K7AntiVirus | – | 20120518 |
| Kaspersky | Trojan.Win32.Jorik.Androm.jo | 20120519 |
| McAfee | – | 20120519 |
| McAfee-GW-Edition | – | 20120519 |
| Microsoft | Worm:Win32/Gamarue.I | 20120519 |
| NOD32 | Win32/TrojanDownloader.Wauchos.A | 20120519 |
| Norman | – | 20120519 |
| nProtect | – | 20120519 |
| Panda | – | 20120519 |
| PCTools | – | 20120519 |
| Rising | – | 20120518 |
| Sophos | Mal/EncPk-ZC | 20120519 |
| SUPERAntiSpyware | – | 20120519 |
| Symantec | – | 20120519 |
| TheHacker | – | 20120519 |
| TrendMicro | – | 20120519 |
| TrendMicro-HouseCall | – | 20120519 |
| VBA32 | – | 20120518 |
| VIPRE | Trojan.Win32.Generic!BT | 20120519 |
| ViRobot | – | 20120519 |
| VirusBuster | – | 20120519 |
| MIMEType……………..: application/zip |
| ZipRequiredVersion…….: 20 |
| ZipCRC……………….: 0xbdd9215c |
| FileType……………..: ZIP |
| ZipCompression………..: Deflated |
| ZipUncompressedSize……: 55296 bytes |
| ZipCompressedSize……..: 40825 bytes |
| ZipFileName…………..: BBB abuse.exe |
| ZipBitFlag……………: 0 |
| ZipModifyDate…………: 2012:05:18 23:11:23 |
Facebook Comments