WARNING Vodafone MMS email threat

This morning I received an innocent looking email from Vodafone Australia informing me I had a picture\video message from an Australian mobile number. Nothing unusual there as I'm located in the UK and friends and family are in OZ. However the mobile number was unknown to me and on checking the attached JPEG Zip file it opens as an exe and invites you to run it.

Having just cleared out some redirection malware I was not going to risk this one so if you receive a message like this and don't recognise the number DO NOT RUN IT.

In an attempt to find who had sent me the picture I called the phone number however according to Voda it is not connected.

Searching the web revealed two items relating to this:

http://www.hotforsecurity.com/blog/malware-infects-uk-vodafone-clients-with-mms-disguise-4335.html

http://www.h-online.com/security/news/item/Malware-disguised-as-an-MMS-message-1743608.html

The first identifies the virus as Trojan Gamarue the second warns that the messages say that a picture message is in the attached "Vodafone_MMS.zip" file. However, once unzipped, it only contains an executable named "Vodafone_MMS.jpg.exe" that will install malware onto a victim's system when launched. According to VirusTotal, the malware is currently only detected by just 8 of 44 anti-virus programs used by the online virus scanner service.
An analysis of the file in a sandbox leaves no doubts about its malicious intentions: among other things, it copies itself to C:\Documents and Settings\All Users\svchost.exe and then hides itself under SunJavaUpdateSched to launch when Windows first boots.

Keep alert and keep safe!

...if you receive a message like this and don't recognise the number DO NOT RUN IT.

I suggest that even if you DO recognize it, don't open it.
People tend to trust services which they associate with people they trust, and they shouldn't.
The malware author wins the first round of the fight to get his malware onto your system by default when a user ascribes an inappropriate level of trust to something that is not actually their friend, but with which they associate their friend.

My Friend's Service Accounts (email, facebook account, phone number, etc) =/= My Friend.


I also suggest changing Windows folder view options to uncheck the box for "hide extensions for known file types."
The reason is that naming a file CuteKitten.jpg.exe doesn't change the fact that it is still an executable, but if you have that option checked what you will see is CuteKitten.jpg.
With this option checked, what you should see for a real JPG would just be CuteKitten because JPG is also a known file type, but in your mind what you might think you see is a JPG file because the .exe extension is hidden.

Hiding information from yourself in this way leaves you open to that split second between your finger automatically clicking the mouse button to see the picture and your brain saying "AArrgh! NO! that's not a picture"
This is in my opinion a HORRIBLE default file view option.