Skip to content

Recent “Our Photo” Spam Run


Inoculation is effective against this threat.

There was a new spam run overnight; tempting unsuspecting users with a “photo”:

Subject: Our Photo
Message: Sent from my iPhone
Attachment: IMG_00242_12_12_2014 jpeg .zip

Inside the attached zip file lurks “IMG_03541_12_12_2014 jpeg .exe”, a malicious downloader trojan, but this is just one of different names.  Also seen is the name Sales Receipt_Merchant Report_8740039111_pdf.exe.

When run the threat may crash in some environments, but in others it will install itself in the C:\ProgramData directory as ms???.exe where ? equals a random letter.

A registry run key is created to run the malware on reboot:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ########## = C:\PROGRA~2\ms???.exe

This process spawns msiexec.exe, which in turn uses Google’s DNS servers ( to query and subsequently contact the following domains:


Various system policies are set to help conceal the malware:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
    Advanced “ShowSuperHidden” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
    Explorer “HideSCAHealth” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
    Explorer “TaskbarNoNotification” = 0

The following services are disabled:

  • MpsSvc
  • SharedAccess
  • WinDefend
  • wscsvc
  • wuauserv

The code contains the following hash, which you can Google to reveal its meaning:

About half of the major anti-virus vendors detect at this point (and growing):

Exit mobile version