November 28, 2012Dancho Danchev By Dancho Danchev

Cybercriminals impersonate Vodafone U.K, spread malicious MMS notifications

Over the past couple of days, cybercriminals have launched yet another massive spam campaign, once again targeting U.K users. This time, they are impersonating Vodafone U.K, in an attempt to trick its customers into executing a bogus MMS attachment found in the malicious emails. Upon execution, the sample opens a backdoor on the affected hosts, allowing the cybercriminals behind the campaign complete access to the affected PC.

More details:

Sample screenshot from the spamvertised email:

Sample detection rate for the malicious attachment: MD5: 3ce2b9522a476515737d07b877dae06e – detected by 36 out of 44 antivirus scanners as Trojan-Downloader.Win32.Andromeda.coh.

Upon execution, the sample creates %AllUsersProfile%svchost.exe on the host. It also creates a Registry Value – [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun] -> SunJavaUpdateSched = “%AllUsersProfile%svchost.exe” so that svchost.exe starts evert time Windows starts.

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Share Button


  1. […] We intercepted a similar campaign last year, indicating that, depending on the campaign in question, cybercriminals are not always interested in popping up on everyone’s radar with persistent and systematic spamvertising of campaigns using identical templates. Instead, some of their campaigns tend to have a rather short-lived life cycle. We believe this practice is entirely based on the click-through rates for malicious URLs and actual statistics on the number of people that executed the malicious samples. […]

  2. […] tricking them into executing an attachment. According to Dancho Danchev over at security firm Webroot’s Threat Blog, once clicked the attachment will allow an attacker full access to the infected […]