Recently I identified some fraudulent emails with the words “IRS Notification” in the subject line. The headers and body of one of them:
Subject: IRS Notification of Your Fiscal Activity xxxxxx
X-PHP-Script: intalcare.com/css/lib/a.php for 220.127.116.11
Date: Tue, 15 Feb 2011 10:14:18 -0600
From: Internal Revenue Service
Message-ID: <firstname.lastname@example.org>
X-Priority: 3
X-Mailer: PHPMailer (phpmailer.codeworxtech.com) [version 2.3]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1_2ee92a61f276f425fe1890f5844ceaa8"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - mail.intaluk.com
X-AntiAbuse: Original Domain - your domain....
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - mail.intaluk.com
......... ......

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of of $618.19. Please submit the tax refund request and allow us 6-9 days in order to process it. A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline. To access the form for your tax refund, please click here ....
The message also carries an .exe attachment; I extracted the one named IRS-TAX-Notifi.exe. Its file properties look like this:
File description: Internet Explorer
Type: Application
..
Product name: Windows Internet Explorer
....
Language: Russian
Obviously this is not IE; it only pretends to be Internet Explorer. When I ran the program on a Windows XP machine in my lab, it injected itself into the Windows Explorer.EXE process and deleted its original executable. Network monitoring also showed it trying to reach a server on baciq.net.
You may want to filter out this kind of email, or block the sending server.
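As an added example (not something from the original post), here is a small Python filter that scores a raw message on the traits shown above: an "IRS" refund lure in the subject, a display name claiming to be the Internal Revenue Service while the sender domain is not irs.gov, the X-PHP-Script / PHPMailer headers that indicate mail sent through a script on a web host, and an attachment that is executable by extension or by its MZ header. The sample message is constructed from the quoted headers; the sender address, recipient, IP address and attachment bytes are placeholders, and the threshold of three matching traits is an assumption you would tune for your own mail flow.

```python
"""Score incoming mail for the "IRS refund" lure with an executable attachment.

Illustrative detection logic written for this post; the sample messages below
are constructed, not real captures.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# File extensions that Windows will execute directly when double-clicked.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
SUBJECT_RE = re.compile(r"\bIRS\b.*\b(notification|refund)\b", re.I)

# Constructed sample modelled on the headers quoted in the post.
# Sender address, recipient and IP are placeholders; the attachment is a
# stub that only carries the "MZ" PE signature.
SAMPLE_RAW = """Subject: IRS Notification of Your Fiscal Activity
X-PHP-Script: intalcare.com/css/lib/a.php for 203.0.113.5
From: Internal Revenue Service <noreply@mail.example.net>
To: victim@example.com
X-Mailer: PHPMailer (phpmailer.codeworxtech.com) [version 2.3]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

After the last annual calculations of your fiscal activity we have determined
that you are eligible to receive a tax refund. To access the form for your tax
refund, please click here.

--b1
Content-Type: application/octet-stream; name="IRS-TAX-Notifi.exe"
Content-Disposition: attachment; filename="IRS-TAX-Notifi.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAA

--b1--
"""

# Constructed benign message for contrast.
BENIGN_RAW = """Subject: Team lunch on Friday
From: Alice <alice@example.com>
To: bob@example.com
Content-Type: text/plain; charset=us-ascii

Shall we do 12:30 at the usual place?
"""


def _sender(msg):
    """Return (display name, lower-cased domain) from the From header."""
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def check_message(raw):
    """Return the list of lure traits found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        reasons.append("subject matches IRS notification/refund lure")

    name, domain = _sender(msg)
    if "internal revenue service" in name.lower() and not domain.endswith("irs.gov"):
        reasons.append(f"display name claims IRS but sender domain is {domain or 'missing'}")

    # Mail relayed by a PHP script on a web host points at an abused site,
    # not an agency mail gateway.
    if msg.get("X-PHP-Script"):
        reasons.append("sent via web script: " + str(msg["X-PHP-Script"]))
    if "phpmailer" in str(msg.get("X-Mailer", "")).lower():
        reasons.append("X-Mailer is PHPMailer")

    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Check both the name and the PE magic, since the name can be disguised.
        if fname.endswith(EXEC_EXT) or payload[:2] == b"MZ":
            reasons.append(f"executable attachment {fname or '<unnamed>'}")
    return reasons


def is_suspicious(raw, threshold=3):
    """Quarantine when at least `threshold` traits (an assumed cut-off) match."""
    return len(check_message(raw)) >= threshold


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RAW), ("benign", BENIGN_RAW)):
        print(label, is_suspicious(raw), check_message(raw))
```

Matching on a single trait would be noisy (plenty of legitimate mail is sent with PHPMailer), so the score only trips when several traits line up; the executable-attachment rule is the one worth enforcing on its own at the gateway.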