fraud email alert – IRS Notification

Recently, I have identified some fraud email which have the words “IRS Notification” in subject.

 Subject: IRS Notification of Your Fiscal Activity  xxxxxx
 X-PHP-Script: for
 Date: Tue, 15 Feb 2011 10:14:18 -0600
 From: Internal Revenue Service 
 Message-ID: <>
 X-Priority: 3
 X-Mailer: PHPMailer ( [version 2.3]
 MIME-Version: 1.0
 Content-Type: multipart/mixed;
 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
 X-AntiAbuse: Primary Hostname -
 X-AntiAbuse: Original Domain - your domain....
 X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
 X-AntiAbuse: Sender Address Domain -

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of of $618.19.

Please submit the tax refund request and allow us 6-9 days in order to process it.

A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.

To access the form for your tax refund, please click here

And there’s a exe attachment, I extracted one attachment named IRS-TAX-Notifi.exe. the file property looks like this:

File description: Internet Explorer
Type: Application
Product name: Windows Internet Explorer
Language: Russian

This is obvious, it’s not IE, but it pretends to be Internet Explorer. When I run this program on a Windows XP in my Lab, It injects itself to the windows Explorer.EXE, and deletes its original program. Also, some network monitoring shows that it tries to access some server on

You may try to filter out this kind of email, or block the sending server.

This entry was posted in Security, System Administration and tagged , . Bookmark the permalink.

Leave a Reply