McAfee Avert have received several samples of a spammed Word DOC file called “McAfee Inc. Reports.doc” (size 205,824 bytes). This trojan file carries a macro that, if allowed to run, will drop on the harddisk and execute a file called “LS060E5.eXE” (size 27,648 bytes).

Detection of both files was added to 4887 DATs (02 Nov 2006) under W97M/Kukudro.t and the PWS-LDPinch names, respectively.

What makes this incident worth mentioning is that the spammers appear to have used a mcafee@{domain}.com template for their spoofed emails (we have seen many domain names used - e.g. “europe”, “playful”). This was picked up by the media http://www.net-security.org/virus_news.php?id=710 which, unfortunately, was ambiguous enough to generate certain levels of confusion.

Some readers who did not follow the link to the description on the Kaspersky site clearly missed the statement “Kaspersky Lab believes that McAfee is in no way involved in the distribution of this Trojan“. As a result we started receiving questions like “Did you really..?”

For those interested to find the answer to this question please follow the link to one of our earlier posts on this subject - http://www.avertlabs.com/research/blog/?p=28 “Can I trust myself?”.