echo: alt-comp-anti-virus
to: ALL
from: VIRUS GUY
date: 2015-12-06 23:52:00
subject: Trojan-Dropper/W97M.Bouen

This spam came in at around 7:55 am EST today.   I submitted the 
attachment to VT about 1/2 hour later:

==============
Return-Path: 
Received: from [150.129.142.254]
Subject: Payment Advice For Vendor (nnnnnnn)
X-Mailer: SAP Web Application Server 7.01

The London Borough of Richmond upon Thames Accounts Payable team, are 
pleased to announce we can now e-mail your remittance advice.  Please 
find attached a remittance advice for a payment you will receive in the 
next 2 working days.

If this is not the preferred email address you wish to receive 
remittance advises, please could you email 
accounts.payable@richmond.gov.uk quoting your vendor number (found on 
remittance attached) and details of your preferred email address so we 
can update our records.

Please Note

Remittances sent from LB Richmond Remittance will include payments made 
on behalf of:

Achieving for Children
LBRuT Local Authority
LBRuT Pension Fund
SW Middlesex Crematorium Board
===============

Hmmm.  Now which of those am I expecting a payment from?

Apparently the sending IP (150.129.142.254) is assigned to "Univision" - 
in Mongolia!

The attachment (Payment Advice For Vendor nnnnnn.DOC) as usual fails to 
execute whatever word exploit it has on my win-98 system.  When handed 
to wordpad.exe it causes an "illegal operation" (invalid page fault in 
MSWRD832.CNV) and that's all.

These attached MS-Word exploit documents are the only malware reaching 
my mail server lately (most of this year I think).  And they have to 
work hard, because my server is blocking SMTP connections from about 80% 
of IPv4 address space.

Because of this latest example, I'm going to examine my mail server's 
history of contact with 150.0.0.0/8 and if no legit mail was ever 
received from that /8 (going back 10+ years) then that entire /8 will be 
added to the server's blocking list (already blocking 82 other /8 IP A 
classes).

The VT scan for this .doc file is here:

https://www.virustotal.com/en/file/c986e9050167cb065a3aca5db5ffad81a582236e5fc5f2b28cbacd13c8e25c18/analysis/1449494568/

Detection ratio: 7/56 (yay! another victory for the AV industry!  Not!)

Here's who got it right:

Arcabit       HEUR.VBA.Trojan.B
F-Secure      Trojan:W97M/MaliciousMacro.GEN
McAfee        W97M/Downloader!8A05D9C65FEE
McAfee-GW     W97M/Downloader!8A05D9C65FEE
Panda         O97M/Downloader
Qihoo-360     heur.macro.download.cc
nProtect      Trojan-Dropper/W97M.Bouen

Which means everyone else is in the AntiVirus Hall of Shame.

Other than giving a generic name, I see "Bouen" in that list.  A quick 
web-search doesn't turn up anything "insightful" or informative about 
Bouen (origins, what vulnerability it tries to exploit, what version of 
Windoze or Word it targets, etc).
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
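The /8 review the post describes (check whether any legitimate mail was ever accepted from 150.0.0.0/8 before adding the whole block to the server's reject list) can be scripted against the mail log. The following is an added example, not code from the original post or from the BBS; the Postfix-style log lines are constructed for illustration, and the function names `summarize_block` and `safe_to_block` are this example's own. It works for any CIDR, not only a /8, and separates messages the server actually accepted from connections it already rejected, since only accepted mail says anything about legitimate correspondents.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample mail-server log lines (Postfix-style; not real traffic).
# They stand in for the multi-year history the post proposes to review.
# 150.129.142.254 is the sending IP quoted in the post; the other addresses
# are made-up examples (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = """\
Dec  6 07:55:12 mx postfix/smtpd[1234]: connect from unknown[150.129.142.254]
Dec  6 07:55:13 mx postfix/smtpd[1234]: 4A1B2C: client=unknown[150.129.142.254]
Dec  6 07:55:14 mx postfix/qmgr[1100]: 4A1B2C: from=<ap@example.invalid>, size=41237, nrcpt=1 (queue active)
Dec  6 08:02:41 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[150.7.8.9]: 554 5.7.1 Client host blocked
Dec  6 09:15:02 mx postfix/smtpd[1251]: connect from mail.example.org[203.0.113.10]
Dec  6 09:15:03 mx postfix/smtpd[1251]: 5B2C3D: client=mail.example.org[203.0.113.10]
Dec  6 09:15:04 mx postfix/qmgr[1100]: 5B2C3D: from=<alice@example.org>, size=2210, nrcpt=1 (queue active)
Dec  6 11:40:55 mx postfix/smtpd[1262]: NOQUEUE: reject: RCPT from unknown[150.200.1.2]: 554 5.7.1 Client host blocked
"""

# A "client=" line is logged once the SMTP session has reached the point where
# a message is being accepted; a "reject: RCPT from" line is a refused delivery.
CLIENT_RE = re.compile(r"client=(?P<host>\S+?)\[(?P<ip>[0-9.]+)\]")
REJECT_RE = re.compile(r"reject: RCPT from (?P<host>\S+?)\[(?P<ip>[0-9.]+)\]")


def summarize_block(log_text, cidr):
    """Return (accepted, rejected) Counters of client IPs that fall inside cidr.

    accepted: messages the server took from a client in the block.
    rejected: connections from the block that were already turned away.
    """
    net = ipaddress.ip_network(cidr)
    accepted, rejected = Counter(), Counter()
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m and ipaddress.ip_address(m.group("ip")) in net:
            accepted[m.group("ip")] += 1
            continue
        m = REJECT_RE.search(line)
        if m and ipaddress.ip_address(m.group("ip")) in net:
            rejected[m.group("ip")] += 1
    return accepted, rejected


def safe_to_block(log_text, cidr, known_bad=()):
    """True when every accepted message from cidr came from a known-bad IP.

    known_bad holds addresses already tied to malware (here, the sender of the
    Bouen .doc).  If any other host in the block ever got a message through,
    blocking the whole range would also cost legitimate mail.
    """
    accepted, _ = summarize_block(log_text, cidr)
    return all(ip in known_bad for ip in accepted)


if __name__ == "__main__":
    acc, rej = summarize_block(SAMPLE_LOG, "150.0.0.0/8")
    print("accepted from 150/8:", dict(acc))
    print("rejected from 150/8:", dict(rej))
    print("safe to block 150/8:",
          safe_to_block(SAMPLE_LOG, "150.0.0.0/8", {"150.129.142.254"}))
```

On the constructed log the only accepted message from 150/8 is the Bouen sender itself, so the block passes the test; run against 203.0.113.0/24 it fails, because a real correspondent delivered mail from there. The same check can be pointed at the `Received: from [...]` header of archived messages when the raw log has been rotated away.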

SOURCE: echomail via QWK@docsplace.org
