Trojan-Dropper/W97M.Bouen -> All the way from Mongolia!


This spam came in at around 7:55 am EST today.   I submitted the  
attachment to VT about 1/2 hour later:

Received: from []
Subject: Payment Advice For Vendor (nnnnnnn)
X-Mailer: SAP Web Application Server 7.01

The London Borough of Richmond upon Thames Accounts Payable team are  
pleased to announce we can now e-mail your remittance advice.  Please  
find attached a remittance advice for a payment you will receive in the  
next 2 working days.

If this is not the preferred email address you wish to receive  
remittance advices, please could you email quoting your vendor number (found on  
remittance attached) and details of your preferred email address so we  
can update our records.

Please Note

Remittances sent from LB Richmond Remittance will include payments made  
on behalf of:

Achieving for Children
LBRuT Local Authority
LBRuT Pension Fund
SW Middlesex Crematorium Board

Hmmm.  Now which of those am I expecting a payment from?

Apparently the sending IP ( is assigned to "Univision" -  
in Mongolia!

The attachment (Payment Advice For Vendor nnnnnn.DOC) as usual fails to  
execute whatever Word exploit it has on my Win98 system.  When handed  
to wordpad.exe it causes an "illegal operation" (invalid page fault in  
MSWRD832.CNV) and that's all.

These attached MS-Word exploit documents are the only malware reaching  
my mail server lately (most of this year I think).  And they have to  
work hard, because my server is blocking SMTP connections from about 80%  
of IPv4 address space.

Because of this latest example, I'm going to examine my mail server's  
history of contact with and if no legit mail was ever  
received from that /8 (going back 10+ years) then that entire /8 will be  
added to the server's blocking list (already blocking 82 other /8 IP A  

The VT scan for this .doc file is here:

Detection ratio: 7/56 (yay! another victory for the AV industry!  Not!)

Here's who got it right:

Arcabit       HEUR.VBA.Trojan.B
F-Secure      Trojan:W97M/MaliciousMacro.GEN
McAfee        W97M/Downloader!8A05D9C65FEE
McAfee-GW     W97M/Downloader!8A05D9C65FEE
Panda         O97M/Downloader
nProtect      Trojan-Dropper/W97M.Bouen

Which means everyone else is in the AntiVirus Hall of Shame.

Other than giving a generic name, I see "Bouen" in that list.  A quick  
web-search doesn't turn up anything "insightful" or informative about  
Bouen (origins, what vulnerability it tries to exploit, what version of  
Windoze or Word it targets, etc).
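The /8-blocking decision described in the post above (look back through the server's history with a block and cut it off if it never produced a single accepted message) is easy to get wrong by eyeballing logs. The following is an added example, not the original poster's code or tooling: it aggregates a mail log by /8, counts accepted versus rejected deliveries per block, and lists the blocks that meet the poster's "no legitimate mail ever" criterion. The log format is a deliberately simplified, constructed one (timestamp, event, client IP); the sample lines and the RFC 5737 / 203.0.113.0 addresses in them are constructed, and the regex is the part to adapt to a real Postfix or Exim log.

```python
"""Summarise a mail server's history with each /8 block (added example, constructed data)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines, NOT from the original poster's server.
# Simplified format on purpose: "<timestamp> <accept|reject> <client-ip>".
# Addresses are from documentation ranges (RFC 5737).  One malformed line
# and one impossible address are included to show the parser skipping them.
SAMPLE_LOG = """\
2015-12-07T07:55:12 accept 192.0.2.10
2015-12-07T08:01:02 reject 192.0.2.77
2015-12-07T08:02:41 accept 198.51.100.5
2015-12-07T08:03:00 accept 198.51.100.9
2015-12-07T08:10:15 reject 203.0.113.4
2015-12-07T08:11:20 reject 203.0.113.4
2015-12-07T08:11:58 reject 203.0.113.200
2015-12-07T09:30:00 bogus not-an-ip
2015-12-07T09:31:00 accept 300.1.2.3
"""

# Adapt this pattern to the real log format; everything else is format-agnostic.
LINE_RE = re.compile(r"^\S+\s+(accept|reject)\s+(\S+)$")


def parse_events(log_text):
    """Yield (event, IPv4Address) pairs, silently skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event, raw_ip = m.groups()
        try:
            ip = ipaddress.IPv4Address(raw_ip)
        except ValueError:      # e.g. "300.1.2.3": not a valid IPv4 address
            continue
        yield event, ip


def slash8_stats(log_text):
    """Return {"N.0.0.0/8": {"accept": n, "reject": m}} over the whole log."""
    stats = defaultdict(lambda: {"accept": 0, "reject": 0})
    for event, ip in parse_events(log_text):
        # First octet identifies the /8; ip.packed[0] is that octet as an int.
        block = ipaddress.ip_network(f"{ip.packed[0]}.0.0.0/8")
        stats[str(block)][event] += 1
    return dict(stats)


def block_candidates(stats, min_rejects=1):
    """The poster's criterion: /8s that only ever produced rejected connections."""
    return sorted(block for block, c in stats.items()
                  if c["accept"] == 0 and c["reject"] >= min_rejects)


if __name__ == "__main__":
    stats = slash8_stats(SAMPLE_LOG)
    for block, counts in sorted(stats.items()):
        print(f"{block:16} accepted={counts['accept']:4} rejected={counts['reject']:4}")
    print("block candidates:", block_candidates(stats))
```

One caveat a practitioner would add: a /8 routinely spans dozens of countries and allocations, so "never received legitimate mail from it" mostly measures who has written to you before, not who might legitimately write next; raising min_rejects and reviewing the accepted-but-later-classified-as-spam cases before committing a whole /8 keeps the false-positive cost visible.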

Re: Trojan-Dropper/W97M.Bouen -> All the way from Mongolia!


If you are going to post about them, you may as well upload them to  
UploadMalware.Com each time as well.


Multi-AV Scanning Tool -

Re: Trojan-Dropper/W97M.Bouen -> All the way from Mongolia!

On Monday, December 7, 2015 at 11:51:31 PM UTC+8, Virus Guy wrote:


Do you block any IP addresses from the Philippines?  Sometimes my emails don't show up since my IP provider is on some spam blacklists I think.


Re: Trojan-Dropper/W97M.Bouen -> All the way from Mongolia!


[ posted and mailed ]

On Thursday, 17 December 2015 20:16 -0800,  
 (< ),  


I think your mail might be rejected, because something running at, the IPv4 address in the headers of the message to which  
I'm replying, was sending a boatload of spam.  Chances are, it's  
participating in a botnet. : : BLOCKED (
    Blocked - see

Please see to it that you follow the recommendations you find at this  
site.  This CBL listing is _highly_ likely to be heeded by inbox  
providers around the world.

Also, this IP should not be sending mail direct to MX (Mail eXchange).  
I suspect it has been, even if you, personally, were not doing so. : : BLOCKED (

You may want to check things out with Bayan Telecommunications DSL  
Network, your network provider.

-- 
 "I don't care what anybody says about me as long as it isn't true."
                                             - Truman Capote (1924-84)



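The reply above is interpreting two DNS-based blocklist results: a CBL listing (an exploited host) and a separate "should not send direct to MX" listing. Both are served the same way: reverse the IPv4 octets, append the zone, do an A lookup, and read the 127.0.0.x answer as a code. The following is an added example, not the replier's tooling or the CBL's own software. It assumes the Spamhaus ZEN zone (zen.spamhaus.org, which carries CBL data in its XBL range and the policy list in its PBL range) and the return codes Spamhaus documents for it; the FAKE_DNS table is constructed so the code runs offline, and the addresses in it are documentation-range addresses, not the IP in the thread.

```python
"""DNSBL (CBL / Spamhaus ZEN) lookup: name construction and code decoding (added example)."""
import ipaddress
import socket

# Return codes as documented by Spamhaus for zen.spamhaus.org (assumption:
# current at time of writing).  127.0.0.4-7 (XBL) is where CBL data lands;
# 127.0.0.10/11 (PBL) means "this space should not deliver direct-to-MX".
ZEN_CODES = {
    "127.0.0.2": "SBL (spam source)",
    "127.0.0.3": "SBL CSS (snowshoe / compromised sender)",
    "127.0.0.4": "XBL/CBL (exploited host)",
    "127.0.0.5": "XBL/CBL (exploited host)",
    "127.0.0.6": "XBL/CBL (exploited host)",
    "127.0.0.7": "XBL/CBL (exploited host)",
    "127.0.0.10": "PBL (ISP policy: no direct-to-MX)",
    "127.0.0.11": "PBL (Spamhaus-maintained policy block)",
}


def dnsbl_name(ip, zone):
    """Build the query name: octets reversed, then the zone (e.g. 10.2.0.192.zen...)."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on junk input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def resolve_all(name):
    """Live resolver: every A record for the name, or None if it does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:                   # NXDOMAIN -> not listed
        return None


def check_zen(ip, resolve=resolve_all, zone="zen.spamhaus.org"):
    """Return the listings for ip (empty list = not listed).

    Raises LookupError on a 127.255.255.x answer, which Spamhaus uses to
    signal an error (e.g. query sent through a blocked public resolver or over
    the free-use limit) rather than a listing; treating it as "listed" would
    block every sender you look up.
    """
    codes = resolve(dnsbl_name(ip, zone)) or []
    errors = [c for c in codes if c.startswith("127.255.255.")]
    if errors:
        raise LookupError(f"DNSBL error response {errors}; use a local resolver or check limits")
    return [ZEN_CODES.get(c, f"unknown code {c}") for c in codes]


# Constructed answers so the example runs offline; not real listing data.
FAKE_DNS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],   # CBL + PBL, like the thread
    "2.113.0.203.zen.spamhaus.org": ["127.255.255.254"],         # resolver-blocked error
}


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.5", "203.0.113.2"):
        try:
            print(ip, check_zen(ip, resolve=FAKE_DNS.get) or "not listed")
        except LookupError as exc:
            print(ip, "ERROR:", exc)
```

To run it against the live zone, drop the resolve=FAKE_DNS.get argument; do so from a resolver you operate, since Spamhaus refuses queries from large public resolvers and answers them with the 127.255.255.x error codes that check_zen deliberately distinguishes from a real listing.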