Previous    Next
Warning: JavaScript is turned off! Some features on this website will not work without it.

Fake "Request Approved" Comprafacil Email Contains Link to Malware

Fake "Request Approved" Comprafacil Email Contains Link to Malware

The email message below with the subject: "Request Approved" or "Pedido Aprovado" is a fake and contains a link to a malware located on Google Docs. The email message was not sent by Comprafacil, although it appeared to have been sent from their email address. Please do not open the email, click on the link, or download the malicious file.

Please continue reading below. or .br is one of the top three e-commerce websites in Brazil.

The Fake Comprafacil Email

Subject: Pedido Aprovado
Date: Mon, 24 Jun 2013 01:38:19 -0300
From: Comprafacil

Prezado(a) Cliente,

Gostariamos de informar que o debito em seu cartao de credito foi efetuado e o pagamento ja foi confirmado. Sua mercadoria ja esta em transporte.

Lembramos que para facilitar o recebimento, e necessario que haja alguem autorizado no local da entrega.

Previsao de entrega:


Para acompanhar seu pedido, por favor acesse o link

Atenciosamente, SAC -

Translated into English:

Subject: request Approved
Date: Mon, 24 Jun 2013 01:38:19 -0300
From: Comprafacil

Dear (a) Customer

We would like to inform you that the debit on your credit card and the payment was made has already been confirmed. Their merchandise is already in transit.

Remember that to facilitate the receipt, it is necessary that there be someone authorized on-site delivery.

Prediction of delivery:

To track your order, please visit the link below:

Sincerely, SAC -

Although the link in the email message appears to go to the website at the following location, it does not:

  • pedido 4782=sp?confirmada

The link actually goes to the web page Cliente.html on the website .br, located at the following web address:

  • .br/clientes/cliente02 /Cliente.html

The Cliente.html web page then downloads the malicious file from the Google Docs website at the following location, where the malicious file is stored:

  • uc?id=0BzlAOijoJXwTMj VYNy1a WXRHTU0&export=download

The name of the malicious file is "".

Do not open this malicious file because you have an antivirus software installed. This is because only seven antivirus software were able to detect this malicious program.

Also, please remember that the name of this malicious file may change.

The following shows the list of antivirus software and the threat they detected when they scanned the file: "".

File name:
Analysis date: 2013-06-24 10:21:05 UTC


  • AntiVir TR/Symmi.20860.10
  • BitDefender Gen:Variant.Symmi.18194
  • Emsisoft Gen:Variant.Symmi.18194 (B) 20130624
  • F-Secure Gen:Variant.Symmi.18194 20130624
  • GData Gen:Variant.Symmi.18194
  • McAfee-GW-Edition Heuristic.BehavesLike. Win32.Suspicious-BAY.K
  • TrendMicro-HouseCall TROJ_GEN.F47V0624

If you receive the malicious email message, please delete it and warn your friends and family about it.

If you have already downloaded and open this file, please download and install one of the the free version of the antivirus software below:

BitDefender - click here to download

Avira - click here to download

Use the antivirus software to do a full scan of your computer.

Please share with us what you know or ask a question about this article, by leaving a comment below. And, forward malicious email messages to us using the following email address: .

Tell us if you LIKE this article by clicking the following thumbs-up, or click the thumbs-down if you dislike it:

       Rating - Thumb up          Rating - Thumb down 0   
Alert and help your family and friends by sharing this article with them:
Submit Your Comment or Question

Submit your comment or question in the box below to share what you know or to get answers about this article.

CommentComments or Questions (0)