Outbreak Name: "Department of Justice" Virus
Outbreak Date: 12-03-07
Fake Department of Justice Email Infects User PCs
Outbreak Filters Protects Users Hours Before AV Signatures
Background
IronPort's Virus Outbreak Filters protects customers within the critical period between the first exploit of a virus outbreak and the release of an AV signature. During the recent "Department of Justice" virus outbreak, Outbreak Filters protected customers 8 hours and 33 minutes* before the first major anti-virus vendor provided protection.
Outbreak Details
On December 3rd, 2007, a spam email was sent out claiming to be from the Department of Justice (DOJ). The email informed recipients that the DOJ had received a complaint against the recipient's company. The email used DOJ letterhead, case ID numbers, complaint dates and legal text to fool users into thinking the email was legitimate. The email asked recipients to open an attached file to view the complaint.
Once opened, the file installed a Trojan that allows remote hackers to take over the infected PC. Once the PC is taken over, hackers can use it to send spam and host spyware. Remote hackers can also install keyloggers and screen scrapers on the infected PC to steal personal, confidential and financial information without the user's knowledge.
Timeline

*Vendor signature times per AV-Test. Signature times from the following vendors: Sophos, Trend Micro, Symantec and McAfee. Generic signatures not included. Real virus name: TROJ_DELF.NWZ (as named by Trend Micro).








