According to Microsoft, the malware is being spread through spam emails carrying the following subject lines:

ACH Transaction Report
DOC-file for report is ready
Invoice as requested
Invoice – P97291
Order – Y24383
Payment Details
Remittance Advice from Engineering Solutions Ltd
Your Automated Clearing House Transaction Has Been Put On
The attachments used in the Adnel and Tarbir campaigns usually carry one of the following names:

20140918_122519.doc
813536MY.xls
ACH Transfer 0084.doc
Automated Clearing House transfer 4995.doc
BAC474047MZ.xls
BILLING DETAILS 4905.doc
CAR014 151239.doc
ID_2542Z.xls
Fuel bill.doc
ORDER DETAILS 9650.doc
Payment Advice 593016.doc
SHIPPING DETAILS 1181.doc
SHIP INVOICE 1677.doc
SHIPPING NO.doc
The Microsoft Technet blog says that the two Trojan downloaders, TrojanDownloader:W97M/Adnel and TrojanDownloader:O97M/Tarbir, are being spread at a rapid pace through spam emails and phishing campaigns (the W97M and O97M prefixes are Microsoft's designations for Word and Office macro malware respectively). Worryingly, they are targeting both home PC users and enterprise customers, and most of the victims are based in the United States and the United Kingdom.
Because Office disables macros by default, the trojan authors add a notice to the document claiming that its contents can only be viewed with macros enabled. Upon opening the malware-laden Word document or Excel sheet, the victim sees Office's standard security warning that macros have been disabled, but some users simply disregard this message and enable macros, which lets the downloader run and infect the PC. "The combination of the instructional document, spam email with supposed monetary content, and a seemingly relevant file name, can be enough to convince an unsuspecting user to click the Enable Content button", according to Alden Pornasdoro of the Microsoft Malware Protection Center. Once the Trojan downloader is running, it fetches and installs further, more damaging malware on the infected system. Microsoft notes that the majority of legitimate invoices and orders do not require macros, so a user who receives an order or invoice that asks for macros to be enabled should treat the document with suspicion.
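An attachment name from the list above says nothing about whether the file actually carries a macro; the legacy .doc and .xls binary formats give no extension hint the way .docm does, so triage has to look inside the file. The following Python script is an added example for this article, not code from Microsoft or from the campaign write-up. It walks the directory of an OLE2 compound file (the container behind .doc and .xls) and reports whether a VBA project storage is present, and does the same for OOXML containers by looking for a vbaProject.bin part. The documents it checks are constructed in the script itself; the "Payment Advice 593016.doc" label is only borrowed from the filename list, and no real campaign sample is embedded.

```python
import io
import struct
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file signature (.doc, .xls)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML containers (.docm, .xlsm)
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF
FATSECT = 0xFFFFFFFD
NOSTREAM = 0xFFFFFFFF
# Storage names that hold a VBA project: "Macros" (Word), "_VBA_PROJECT_CUR" (Excel),
# and the "VBA" / "_VBA_PROJECT" entries nested beneath them.
VBA_STORAGE_NAMES = {"Macros", "_VBA_PROJECT_CUR", "VBA", "_VBA_PROJECT"}


def ole_entry_names(data):
    """Walk the OLE2 directory chain and return every storage/stream name.

    Only the 109 FAT sector locations stored in the header are followed, which
    covers files up to roughly 6.8 MB; the DIFAT chain of larger files is not read."""
    if not data.startswith(OLE_MAGIC):
        raise ValueError("not an OLE2 compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat_sectors, first_dir_sector = struct.unpack_from("<II", data, 44)
    difat = struct.unpack_from("<109I", data, 76)
    fat = []
    for loc in difat[:num_fat_sectors]:
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, (loc + 1) * sector_size))
    names, sector, seen = [], first_dir_sector, set()
    # ENDOFCHAIN and the other special markers are far larger than any FAT index.
    while sector < len(fat) and sector not in seen:
        seen.add(sector)
        base = (sector + 1) * sector_size
        if base + sector_size > len(data):       # truncated or corrupt file
            break
        for off in range(base, base + sector_size, 128):
            name_len, obj_type = struct.unpack_from("<HB", data, off + 64)
            if obj_type == 0 or name_len < 2:    # unallocated directory entry
                continue
            names.append(data[off:off + name_len - 2].decode("utf-16-le", "replace"))
        sector = fat[sector]
    return names


def has_vba(data):
    """True if the document carries a VBA project (legacy OLE2 or OOXML zip)."""
    if data.startswith(OLE_MAGIC):
        return any(name in VBA_STORAGE_NAMES for name in ole_entry_names(data))
    if data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith("vbaProject.bin") for name in zf.namelist())
    return False


# Constructed directory layouts (name, object type: 1 = storage, 2 = stream, 5 = root).
MACRO_DOC_ENTRIES = [("Root Entry", 5), ("WordDocument", 2), ("Macros", 1), ("VBA", 1)]
CLEAN_DOC_ENTRIES = [("Root Entry", 5), ("WordDocument", 2), ("1Table", 2), ("Data", 2)]


def build_sample_ole(entries):
    """Constructed test data: a 3-sector OLE2 file (header, FAT, directory) whose
    single directory sector holds the given entries, all with empty streams."""
    assert len(entries) <= 4, "one 512-byte directory sector holds four entries"
    header = bytearray(512)
    header[0:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)   # versions, byte order, shifts
    # dir sector count, FAT sector count, first dir sector, txn sig, mini cutoff,
    # first mini FAT, mini FAT count, first DIFAT sector
    struct.pack_into("<8I", header, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN)
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))   # the FAT lives in sector 0
    fat = [FATSECT, ENDOFCHAIN] + [FREESECT] * 126                   # sector 1 = directory
    directory = bytearray(512)
    for i, (name, obj_type) in enumerate(entries):
        off = i * 128
        encoded = name.encode("utf-16-le") + b"\x00\x00"
        directory[off:off + len(encoded)] = encoded
        # name length, type, colour, left/right/child sibling pointers
        struct.pack_into("<HBB3I", directory, off + 64, len(encoded), obj_type, 0,
                         NOSTREAM, NOSTREAM, NOSTREAM)
        struct.pack_into("<I", directory, off + 116, ENDOFCHAIN)      # empty stream
    return bytes(header) + struct.pack("<128I", *fat) + bytes(directory)


def build_sample_ooxml(with_macro):
    """Constructed test data: a minimal Word OOXML container, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "Payment Advice 593016.doc (macro)": build_sample_ole(MACRO_DOC_ENTRIES),
        "clean .doc": build_sample_ole(CLEAN_DOC_ENTRIES),
        "clean .docx": build_sample_ooxml(False),
        "macro .docm": build_sample_ooxml(True),
    }
    for label, blob in samples.items():
        print("%-34s VBA project %s" % (label, "PRESENT" if has_vba(blob) else "absent"))
```

A check like this belongs at the mail gateway, where a .doc or .xls "invoice" that carries a VBA project can be quarantined before any user gets the chance to click Enable Content. The presence of a VBA project is not proof of malice, and the script does not extract or deobfuscate the macro code itself; for that, a full parser such as oletools' olevba is the usual next step.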