In a similar vein to the death-threat spam, I just received this:
From: "PaulAllison@cia.com" <paulallison @cia.com>
Date: Fri, 4 Jul 2008 22:49:21 +0200
To: dan@dansdata.com
Subject: CIA - Case ID: 528-84223 - WARNING
Hello,
Your IP address has been logged on more than 20 illegal Websites.
This does not necessary means that You browsed all of this illegal content.
Theres possibility someone else has access to your PC, physically or someone else gained remote access to your PC machine.
As a matter of that, we kindly ask You to answer all our questions regarding this case in reasonable amount of time.
List of all our questions is available for download at http://www.cia-intl.com.ba/ID528-84223.zip
If you do not answer these questions until 10.07.2008 we will start investigation and make final decision on our own. In that case, You'll get the charge in writing soon after.
Please note that browsing illegal content online is serious violation of laws in many countries.
We expect your co-operation and prompt response.
Sincerely,
Paul Allison
Central Intelligence Agency -CIA-
935 Pennsylvania Avenue, NW , Room 3220
Washington , DC 20535
Phone: (202) 324-30000
Case ID: 528-84223
Apparently this is some kind of July 4th special offer.
They even went to the trouble of making http://www.cia-intl.com.ba/ by itself redirect to cia.gov. I like to see that kind of attention to detail in a threat-scammer.
(CIA-dot-com, used for the probably-not-connected reply address, is actually just an ISP.)
Interestingly, this spam actually did come from a .ba (Bosnia and Herzegovina) source, bhtelecom.ba. And http://www.cia-intl.com.ba/ID528-84223.zip is still live, as I write this - it's 476 kilobytes, and actually is a zip file, containing the 562-kilobyte ID528-84223.exe.
The jotti.org online malware scanner I've mentioned before, which submits uploaded files to umpteen anti-virus programs, got only one hit, from BitDefender. It reckoned the file behaved like the uninventively-named Win32.Malware. The Sunbelt Sandbox scanner generated reams of conclusions - basically, every bit of information you can get by running the program in a virtual machine and tracking everything it does for a little while - but as far as actual identification went, just dropped it in the VIPRE.Suspicious "miscellaneous" bin.
I then deleted the file and sprinkled quicklime over the part of the hard drive where it had been. I've learned my lesson.
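The safe way to look at an attachment like ID528-84223.zip is to never run it: read the container's own magic bytes, list what is inside, check whether any member begins with a PE (`MZ`) header, and hash the file for a scanner lookup. The script below is an added example, not code from this post; it builds a harmless stand-in for the zip (a member that merely starts with `MZ` followed by padding) because the real sample is not on the page, and it flags anything that is or contains an executable as "do-not-run".

```python
"""Static triage of a suspicious e-mail attachment without executing it.
Added example; the sample zip is constructed here and is not the real file."""
from __future__ import annotations
import hashlib
import io
import zipfile

PE_MAGIC = b"MZ"            # DOS/PE executable header
ZIP_MAGIC = b"PK\x03\x04"   # local file header of a zip archive
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll")
MAX_INFLATION_RATIO = 1000  # guard against decompression bombs when listing members


def file_kind(data: bytes) -> str:
    """Identify the container by its leading bytes, not by its file name."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def triage_attachment(data: bytes) -> dict:
    """Return a static report: hash, container type, members and a verdict."""
    report = {
        "sha256": hashlib.sha256(data).hexdigest(),  # for jotti-style scanner lookups
        "size": len(data),
        "kind": file_kind(data),
        "members": [],
        "executables": [],
        "verdict": "inspect",
    }
    if report["kind"] == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                ratio = info.file_size / max(info.compress_size, 1)
                if ratio > MAX_INFLATION_RATIO:
                    # Do not read a member that expands absurdly; just record it.
                    report["members"].append({"name": info.filename, "bomb": True})
                    report["verdict"] = "do-not-run"
                    continue
                # Look at the member's own first bytes, not only its name.
                with zf.open(info) as member_fh:
                    head = member_fh.read(2)
                member = {
                    "name": info.filename,
                    "size": info.file_size,
                    "compressed": info.compress_size,
                    "pe_header": head == PE_MAGIC,
                }
                report["members"].append(member)
                if member["pe_header"] or info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                    report["executables"].append(info.filename)
    if report["kind"] == "pe" or report["executables"]:
        report["verdict"] = "do-not-run"
    return report


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the zip described above: one member named like
    the real one whose content is just an 'MZ' header plus padding. Harmless."""
    fake_pe = PE_MAGIC + b"\x90" * 1022  # 1 KiB in total
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ID528-84223.exe", fake_pe)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_attachment()
    for key, value in triage_attachment(sample).items():
        print(f"{key}: {value}")
```

Running it on a real download is `triage_attachment(open("suspect.zip", "rb").read())`; the SHA-256 in the report is what you paste into an online scanner, and nothing in the routine ever writes a member to disk or opens it with anything but `read()`.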
6 July 2008 at 3:31 am
"If you do not answer these questions until 10.07.2008..."
Don't worry, if this were really from the U.S. CIA, it'd mean you had until the seventh of October to reply.
6 July 2008 at 4:41 am
This is a fine, fine reason to keep a linux box around, even if you were a giant Windows partisan.
6 July 2008 at 5:40 am
Is it? Why would you want to open something like this?
6 July 2008 at 6:17 am
Seeing this crap almost makes me wish there was a project like folding at home that instead used the combined bandwidth of all the computers connected to it to do DDOS attacks on known malware sites.
Oh, and looking through the Sunbelt software info, it appears that this file registers a new winsock provider, probably to do packet inspection to collect all sorts of info like passwords and email addresses for spam. I wouldn't be surprised if the inf files it registers are part of a keylogger too.
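A newly registered Winsock provider is something a defender can look for directly: on Windows, `netsh winsock show catalog` lists every catalog entry with its provider ID and DLL path, so a listing saved from a known-clean machine can be diffed against the current one. The script below is an added example, not code from the post or from any commenter. Its two catalog listings are constructed to approximate netsh's block-per-entry layout, the provider IDs are placeholder GUIDs, and the flagged DLL path is hypothetical; the check it applies is the one that matters here, namely any entry whose ID is not in the baseline or whose DLL lives outside `%SystemRoot%\system32`.

```python
"""Diff two 'netsh winsock show catalog' listings and flag unfamiliar providers.
Added example; both listings are constructed approximations of netsh output."""
from __future__ import annotations
import re

# "Key:   value" lines inside each provider block.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s+(?P<value>.+?)\s*$")
BLOCK_HEADER = "Winsock Catalog Provider Entry"
TRUSTED_DIR = "%systemroot%\\system32\\"

# Constructed baseline: two base providers with placeholder IDs.
BASELINE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-0000000000A1}
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Protocol:                           6

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [UDP/IP]
Provider ID:                        {00000000-0000-0000-0000-0000000000A2}
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1002
Protocol:                           17
"""

# Constructed "after infection" listing: the baseline plus one layered
# provider with a hypothetical path outside system32.
CURRENT_CATALOG = BASELINE_CATALOG + """
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example Layered Provider (hypothetical)
Provider ID:                        {00000000-0000-0000-0000-0000000000FF}
Provider Path:                      C:\\Users\\Public\\hypothetical-lsp.dll
Catalog Entry ID:                   1003
Protocol:                           6
"""


def parse_catalog(text: str) -> list[dict]:
    """Turn the block-per-provider text into a list of {field: value} dicts."""
    entries: list[dict] = []
    current: dict = {}
    for line in text.splitlines():
        if line.startswith(BLOCK_HEADER):
            if current:
                entries.append(current)
            current = {}
            continue
        match = FIELD_RE.match(line.strip())
        if match:
            current[match.group("key")] = match.group("value")
    if current:
        entries.append(current)
    return entries


def unexpected_providers(baseline_text: str, current_text: str) -> list[dict]:
    """Entries absent from the baseline, or whose DLL is outside system32."""
    known_ids = {e.get("Provider ID") for e in parse_catalog(baseline_text)}
    flagged = []
    for entry in parse_catalog(current_text):
        path = entry.get("Provider Path", "").lower()
        outside_trusted_dir = not path.startswith(TRUSTED_DIR)
        if entry.get("Provider ID") not in known_ids or outside_trusted_dir:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for entry in unexpected_providers(BASELINE_CATALOG, CURRENT_CATALOG):
        print(f"UNEXPECTED: {entry.get('Description')} -> {entry.get('Provider Path')}")
```

On a real host the inputs come from `netsh winsock show catalog > baseline.txt` taken when the machine is known clean and the same command run later; a hit is a reason to examine the DLL, and `netsh winsock reset` restores the default catalog once the cause is removed.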