A customer submitted an interesting file to SophosLabs yesterday, and asked us to take a look at it.
Its name was
Super_Tuesday_2012_voting_information.exe
“Super Tuesday”, as American readers are probably all too aware, is the day when the largest number of American states vote to choose which candidate will run for the job of president in 2012. Barack Obama isn’t facing any opponents in the Democrat party, so all the voting is for Republicans this year.
We don’t know whether the customer who forwarded us the suspect file was specifically targeted, or whether they were caught in a more widely spammed-out campaign, but if they had made the mistake of opening the file they would have put their Windows computers at risk.
The Trojan horse communicates with a Russian website and has the ability to download further malware. In addition, it installs a file called spoolsvr.exe on infected computers and creates a PDF file called
Super_Tuesday_2012_voting_information.pdf
Presumably this PDF is designed to act as a decoy, as it does not appear to contain a malicious payload itself.
SophosLabs has imaginatively named the malware Troj/ST2012V-A (No prizes for guessing how they came up with that name).
Of course, this wouldn’t be the first time we have seen malware authors exploit a US presidential race. For instance, four years ago we saw an alleged sex video of Barack Obama doing the rounds, and another malware attack which struck within hours of Obama’s election.
Remember to keep your computers patched, and your anti-virus updated. And never forget to keep your wits about you – if you receive a suspicious-looking file out of the blue, don’t fool yourself into believing you can click before you think.
