Scan From Xerox WorkCentre Pro Malware Emails
Published on 18th July 2010 by Brett M. Christensen
Some of my email accounts have been receiving emails that claim to have an attached document that "was scanned and sent to you using a Xerox WorkCentre Pro". The message includes other data that supposedly provides more information about the attachment and the device that created it.
However, the .zip file attachment actually contains malware that has been identified by email security firm MX Lab as a variant of the Oficla trojan. Once installed, this malware can secretly connect to a remote server, download further malware components and add the compromised machine to a botnet.
The technical-sounding information included in the malware emails is apparently intended to fool recipients into believing that the attachment is a legitimate document. Of course, the bogus messages have no connection to Xerox or its products. The spammers responsible for the attack have apparently copied the typical email template used by Xerox WorkCentre Pro scanners for use in their malware emails.
An example of one of the malware emails:
Subject: Scan from a Xerox WorkCentre Pro N 2989630

Please open the attached document. It was scanned and sent to you using a Xerox
Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]
WorkCentre Pro Location: machine location not set
Device Name: XRX9810AA7ACDB43392000
For more information on Xerox products and solutions, please visit

References:
Oficla trojan in emails with subject “Scan from a Xerox WorkCentre Pro”
Fake Xerox WorkCentre Pro Scans Hide Trojan
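
A mail-filter check for the lure shown above, as an added example that is not part of the original article: it flags messages whose subject follows the scanner-notification wording and that carry a ZIP attachment, then lists archive members with executable extensions. The function names, the `RISKY_EXT` list, the quarantine rule and the sample file names are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

LURE_SUBJECT = re.compile(r"scan from a xerox workcentre", re.I)
# Assumption: extensions treated as executable content; adjust to local policy.
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".js", ".vbs")

def inspect_message(raw: bytes) -> dict:
    """Return findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {"lure_subject": bool(LURE_SUBJECT.search(msg["Subject"] or "")),
                "zip_attachments": [], "risky_members": []}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or ""
        # Trust the content (ZIP magic bytes), not only the claimed file name.
        if not (name.lower().endswith(".zip") or data.startswith(b"PK\x03\x04")):
            continue
        findings["zip_attachments"].append(name)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            members = []  # unreadable archive: still counted as a ZIP attachment
        findings["risky_members"] += [m for m in members if m.lower().endswith(RISKY_EXT)]
    # Assumed policy: scanner-style subject plus any archive attachment is held.
    findings["quarantine"] = findings["lure_subject"] and bool(findings["zip_attachments"])
    return findings

def sample_zip() -> bytes:
    """Constructed archive holding harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe", b"placeholder, not a program")
    return buf.getvalue()

def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed message using the subject line quoted in the article."""
    msg = EmailMessage()
    msg["Subject"] = "Scan from a Xerox WorkCentre Pro N 2989630"
    msg.set_content("Please open the attached document.\nAttachment File Type: ZIP [DOC]\n")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    print(inspect_message(build_sample("scan.zip", sample_zip())))
    print(inspect_message(build_sample("scan.pdf", b"%PDF-1.4 placeholder")))
```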