Guess you all have seen this bad joke. The language in the email is bad enough to be funny.

"Hey We have hijacked your baby but you must pay once to us $50 000. The details we will send later...

We has attached photo of your fume"

Norton tells me that a Downloader is in the zipped attachment.

did you figure out what a fume was in that context?

perhaps it was funny, but I am so tired of these idiots, their stupidity doesn't make me laugh anymore.

It's clever... I guess. I laughed when I saw that message, but it made me cringe, because there are probably some people that will fall for it.

It's the MultiDropper-ZIP... so says McAfee, but what's scarey is that 1/3 of the scanners tested in this link did NOT catch it: http://www.dozleng.com/updates/index.php?showtopic=16448

That is scary!

Oh yeah, it is - and that example was taken from relatively late in a spam run I would say, after VirusTotal had promulgated the example to the AV providers who were not catching it at inception. Different cases (the fake invoice/contract/eTicket ... etc. ones) but, maybe due to timezone, I quite often see things which only score 5-6/36 detections through VirusTotal. In one case I was the first to submit the virus file (it still scored 5/36). They morph the things continually to keep on top of the detection engines, just part of their 'toolkit'. Rescanning the file later will result in more detections as more and more AV providers accept the 'new' signature.

Still, it's a tad concerning that even late in the spam run, some of the AVs don't catch it.

Yes, yes, I agree ... underlines the point that even those who know the risks need to stay on their toes and those who don't will not stand a chance in the long term. That's why there's so many 'bots.

Heh - the type of attempted trojan drop I'm currently seeing is a zipped attachment in an email sent to one addressee in the business, with a number of others in the same workgroup bcc'd. Addressees and bccs rotate. One of the senior guys forwarded me his bcc'd copy (minus detailed external headers) without comment because (on challenge) it was 'addressed to you'. Some of the viral attachments have pretty convincing names. Receiving it from a trusted colleague is really eroding the safety margin. Fortunately, since it *was* addressed to me (as well) I already knew about it. Even staying on your toes can be barely enough at times.

Two out of three different ones received today not recognized by the corporate AV. The one which was recognized required the latest definition file which wouldn't normally be loaded yet. All three types (and multiple instances) could have infected any or all of the computers in the workgroup. Seems it is just a matter of time ...

These things have slowed to a trickle now, the 'style' seems to have changed lately, maybe a different operator, yet the constant throughout is the large number of different file attachments used, all at the leading edge of malware detection when they first arrive, seldom repeating (it seems).

This one http://www.spamcop.net/sc?id=z2309076577zf...;action=display
certainly takes the prize for message terseness and probably has the smallest attached file size for a current nasty that I've seen this time around - http://www.virustotal.com/analisis/e6797a4...7153854526cd34b - good to see someone cares about bandwidth . That one scores just 6/36 detections currently - encryption would make it easy to stay in front yet, amazingly, these current attacks haven't been using it much at all. They mostly have been using new variants of a whole range of trojan droppers. Encryption has been quite common other times, maybe this is just the start of a different operation.

Net result is unchanged, AV/Malware defenses on most installations aren't likely to detect these things on arrival. They would usually do a pretty fair job several days later though - which I suppose helps ensure continuing employment on both sides.

It is amazing that some one would open an attachment to one of half a dozen emails all the same. Oh well, how else would the spammers stay in business.

But as you said the load keeps changing and the detected malware detected keeps changing. The dance goes on.