Bank spammers try to catch U.K. napping

More than 2.4 million emails containing the trojan-downloader Win32.small.cfg were sent to U.K. businesses late Sunday night before the anti-virus community could react, an IT security firm warned today.

According to managed security provider BlackSpider Technologies, the trojan was spammed at 9 p.m. London time on Thursday and was specifically designed to exploit the longest possible window of exposure between its release and the first anti-virus vendors issuing a patch. The virus stopped shortly after Symantec issued a patch at 10:45 a.m. on the morning of Jan. 27.

The subject line of the virus is: YOUR BILL PAYMENT NOT APPROVED!

The body of the text reads:

Dear client!

We are unable to obtain the bill payment from your bank account. Your bank returned the following error to us:


BILL #5563880


Billed To:

PBS (Payroll and Business Service) Ltd

3 Castle Quay

Castle Boulevard



United Kingdom

Order Number: 1104102

Receipt Date: 24/01/06

Total Amount: GBP 755.00

We recently received a report of e-banking use associated with this account. As a precaution, we have limited access to your account in order to protect against future unauthorized transactions.You can check your transaction details in attachment.

Case ID Number: BILL#5563880


Please understand that this is a security measure intended to help protect you and your account.

We apologize for any inconvenience this may cause.

Thank You,


The attachment is a packed FSG executable called BILL#5563880.

James Kay, chief technology officer, BlackSpider Technologies, warned: "This trojan was successful in achieving what appears to be its main purpose – to reach as many inboxes as possible before the anti-virus industry could react."

"Last year we saw many attempts to infect PCs during the window of exposure and that trend looks set to continue in 2006," he said. "Businesses that are not using proactive intelligent threat-prevention technology to tackle new viruses are leaving themselves at serious risk from infection, as today's outbreak shows."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.