Spammers are now leveraging news around the #Kenya #Westgate terror attack by targeting users through an email message that claims to contain news on the attack but in fact contains malware. The spam email includes a malicious URL in the body of the message that redirects users to a compromised Web page that downloads W32.Extrat.
When the malware is executed, it may create the following file:
- %Windir%\installdir\server.exe
Screenshot of spam email asking user to download .exe file
The email displays a message to “Click HERE to view & watch” videos and images of the terror attack at the Westgate mall. Clicking the link opens up a compromised Web page. After loading the Web page, the user is presented with a popup asking them to download the file “Kenya Westgate terror Video.exe”. This executable binary file is a generic form of malware named W32.Extrat that, if downloaded, could exploit vulnerabilities on the user’s computer. Spammers use the promise of video and pictures as a trap to lure large numbers of users seeking information about the terror attack.
The spam email message may have the following subject line and URL:
- Official: Kenya mall attackers Video
- http://[REMOVED].[REMOVED].com/u/210772057/Kenya terror Video.rar
The malware used in this attack is detected by ESET as W32.Extrat.
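A mail-filter heuristic for the lure described above, as an added example that is not code from the original post: it flags links in an HTML message whose wording or file name promises video or images while the target is an executable or archive. The extension and keyword lists, the function name `media_lure_links` and the `example.test` hosts are assumptions.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote
import re

# Extensions that deliver a program or an archive, not playable media (assumed list).
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".rar", ".zip")
# Wording that promises media, as in the lure quoted above (assumed list).
MEDIA_WORDS = re.compile(r"\b(videos?|watch|images?|pictures?|photos?)\b", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def media_lure_links(raw_message):
    """Return (url, extension) for links that promise media but fetch a program/archive."""
    msg = message_from_string(raw_message, policy=default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    subject = str(msg.get("Subject", ""))
    hits = []
    for href, text in collector.links:
        filename = unquote(urlsplit(href).path).rsplit("/", 1)[-1]
        ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        # Flag only the mismatch: media wording around a non-media download.
        if ext in RISKY_EXT and MEDIA_WORDS.search(" ".join((subject, text, filename))):
            hits.append((href, ext))
    return hits

# Constructed sample (placeholder hosts; subject and file name modelled on the page).
SAMPLE = ("Subject: Official: Kenya mall attackers Video\nMIME-Version: 1.0\n"
          'Content-Type: text/html; charset="utf-8"\n\n<html><body>Click '
          '<a href="http://files.example.test/u/0/Kenya%20terror%20Video.rar">'
          'HERE to view &amp; watch</a> or <a href="http://news.example.test/'
          'story.html">read the report</a></body></html>\n')
```

The check is deliberately narrow: a link to an executable with no media wording in the subject, link text or file name is left to other controls.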
Users are advised to adhere to the following best practices in order to avoid malicious attacks:
- Do not open attachments or click on links in suspicious email messages.
- Avoid providing any personal information when answering an email.
- Never enter personal information in a pop-up page or screen.
- Keep security software up-to-date.