Anand Yadav

IRS Notification Letter Email scam

July 26, 2011
Estimated reading time: 2 minutes

The Chepvil malware which comes via email as an attachment is using another trick to spread itself. You may receive an email stating to be from and with the subject line – “IRS Notification Letter”. The email is as shown below:

The attachment comes with the name ‘IRS document.rar’. Upon extraction, the user gets an executable file with a PDF file icon.

If a user opens this executable file, it then downloads one of these files – ‘pusk.exe’/’pusk2.exe’/’pusk3.exe’. As we can see from the http traffic:

The file pusk*.exe works as a rogueware application Windows XP Repair as shown below:

As usual, it displays fake threat messages on the screen and thus forces the user to register the product in order to remove these fake threats.

If you come across such emails do not open the attachments with them. Instead, delete them and keep your antivirus updated. Quick Heal detects the malicious attached file as Trojan.Chepvil.K and also blocks the domain. So our users are already protected.
We recommend that users do not open such attachments from unknown and suspicious looking emails.

Thanks Mahesh.

Have something to add to this story? Share it in the comments.

No Comments, Be The First!

Your email address will not be published.