Email Trojans threaten to block email accounts
A new wave of trojans is rolling through the net. This time, the emails bearing the Trojan warn that the recipient's email account will be blocked within a few hours:
Subject: The email address email@example.com is being blocked
Ladies and Gentlemen,
Due to misuse, your email address "firstname.lastname@example.org" will be blocked within the next 24 hours. We have received 98 complaints of spam being sent from it.
Details and possible ways to unblock your account can be found in the attachment.
The subject and text contain the recipient's address, though the wording and the number of alleged complaints vary. The attached zip file contains the executable file blocking.exe along with the malicious program. These emails should be deleted unread, because most virus scanners are powerless to deal with them. Only a few such programs can currently recognize the culprit: Sophos calls it Mal/EncPk-GH, Microsoft knows it as Win32/Emold.C or Win32/Obfuscator.CT, depending on the mutation, while F-Prot says it's W32/Trojan3.MX.
An analysis by heise Security has shown that the malware installs itself as the default debugger for the Explorer.exe process, so that it is activated after a reboot. This unusual self-starting mechanism has already been used by the "account-rendered" Trojan, which appeared in users' inboxes exactly a week ago, claiming to be an invoice, a collection order or a warning of non-payment.
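To check a machine for the self-starting mechanism described above, the following added example (not part of the heise Security analysis) scans a `.reg` export for debugger registrations. It assumes the "default debugger" is set through the Windows Image File Execution Options `Debugger` value, which the article does not name; the sample export, its paths and the `CORE` list are constructed for illustration.

```python
import re

# Assumption: the "default debugger" mechanism is the Windows Image File
# Execution Options (IFEO) "Debugger" value; the article does not name the key.
IFEO = r"\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" + "\\"
# Illustrative list: a debugger on these images runs at every logon.
CORE = {"explorer.exe", "winlogon.exe", "userinit.exe"}
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')


def find_ifeo_debuggers(reg_text):
    """Return (image, debugger_command, severity) for each IFEO Debugger value."""
    findings, image = [], None
    for line in reg_text.splitlines():
        key = KEY_RE.match(line)
        if key:
            path = key.group("key")
            pos = path.lower().find(IFEO.lower())
            tail = path[pos + len(IFEO):] if pos != -1 else ""
            # Only direct children of the IFEO key name a target image.
            image = tail if tail and "\\" not in tail else None
            continue
        val = VAL_RE.match(line)
        if image and val and val.group("name").lower() == "debugger":
            # .reg files escape backslashes and quotes inside string data.
            cmd = re.sub(r"\\(.)", r"\1", val.group("data"))
            sev = "high" if image.lower() in CORE else "review"
            findings.append((image, cmd, sev))
    return findings


# Constructed sample export (not taken from an infected system).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\ProgramData\\example\\placeholder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devtool.exe]
"Debugger"="\"C:\\Tools\\dbg.exe\" -p"
'''

if __name__ == "__main__":
    for image, cmd, sev in find_ifeo_debuggers(SAMPLE):
        print(f"[{sev}] {image} -> {cmd}")
```

Files written by `reg export` are normally UTF-16, so decode them accordingly before passing the text to `find_ifeo_debuggers`.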