kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

Backdoor.Haxdoor spammed in phish-type email

One of the "webmaster" email addresses I check on was hit with 3 emails as follows:

quote:
Return-path: <info@zipzoomfly.com>
Envelope-to: (target email address)
Delivery-date: Sun, 23 Jul 2006 17:04:11 -0700
Received: from [124.121.159.17] (helo=ppp-124.121.159.17.revip2.asianet.co.th)
by (targeted domain).com with smtp (Exim 4.24)
id 1G4nuE-0006ps-Un
for (target email address); Sun, 23 Jul 2006 17:02:44 -0700
Date: Tue, 25 Jul 2006 01:44:42 +0100
From: billing support <info@zipzoomfly.com>
Reply-To: billing support <info@zipzoomfly.com>
X-Priority: 3 (Normal)
Message-ID: <5055800573.69899794837949@mail15.com>
To: (target email address)
Subject: Order WC2905036 Is Being Processed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------071984D2333E70"

Dear Sir/Madam,

Thank you for shopping with our internet shop. Your order, WC2905036, has been
received. Summary of your order you can see in the attachment file.

This email is to confirm the receipt of your order. Please do not reply as this
email was sent from our automated confirmation system.

Please Note: There is no need to re-send your request or call our customer service
department for status or tracking number, this will only delay our response time to
you. Rest assured, we are making every effort to process and ship your order within
1 to 2 business days. We appreciate your understanding and patience and do value
your business.

Once your order has been processed and shipped a FEDEX Tracking number will be
automatically emailed to the address provided.

Please Note: Tracking information will be available in FedEx's system only after
10pm EST Monday thru Friday. If you receive a tracking number on Sunday, you will be
able to track it Monday evening after 10pm EST.

All orders placed including 1-2 or 2-3 business day options are shipped within 48
hours providing the merchandise is in stock.
All FedEx Ground orders will take 7-10 business days to arrive.

Some packages may require a signature upon delivery. These packages will not be left
without a signature. For your convenience, we will email you a FedEx tracking number
on all successfully processed and shipped orders.

All Plasma TVs, DVD players, Scanners, Fax Machines, Receivers, Home Theater, and
Printers are not returnable after box is opened.

To insure the best handling of your order please allow 24-48 business hours for the
processing and the shipping of your order. Thank you for your cooperation.

We hope you enjoy your order! Thank you for shopping with us!

The file WC2905036.zip was attached, containing WC2905036.exe.

I submitted the sample to Jotti's scan site and Kaspersky's online scan, and most scanners didn't detect it. Kaspersky detected it as Backdoor.Win32.Haxdoor.ga.

I also submitted to the AV vendors to add to definitions. So far I've received the following responses:

Symantec: Backdoor.Haxdoor.I
McAfee: backdoor-bac (truncated in email, new detection added in extra.dat)
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.

alien8

join:2004-03-03
UK

Hi,

Thanks for the heads-up. I've now added a ClamAV detection for the email content:

c:\tmp\test.eml: Email.Malware.Sanesecurity.06072401 FOUND



Cheers.

Steve
SaneSecurity Unofficial ClamAV Phishing Sigs
www.sanesecurity.com/clamav
--
Tired of spam? Grab www.spampal.org


kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

said by alien8:

Hi,

Thanks for the heads-up. I've now added a ClamAV detection for the email content

Uhh... that isn't going to cause a false positive for legitimate ZipZoomFly ship confirmation emails, is it?
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.


ravencajun
Premium
join:2004-08-12
Houston, TX
kudos:2

reply to kpatz
I just got an email from Symantec security advisory with info about this. Here is what that email said.

On July 24, 2006 Symantec Security Response observed an increase in email activity through Symantec's Global Intelligence Network. The emails contain a message and or attachment about an online order supposedly placed by the recipient. These emails appear to come from a legitimate online retailer, but in fact the emails are coming from a malicious attacker. The message indicates that the attached file is the invoice for the order, but instead it contains a backdoor trojan, and if executed will compromise the user's computer.
Symantec Security Response has determined that these emails are variants of the Haxdoor backdoor trojan.

Virus definitions released on July 24, 2006 by Symantec will detect this threat as Backdoor.Haxdoor.O. Some variants of this threat may already be detected as Backdoor.Haxdoor.I. Symantec advises users to be suspicious of unexpected emails that contain attachments claiming to be from online retailers. Symantec will closely monitor this situation and will provide updates and security content as it becomes available.

I was actually wondering if it was a legit email from Symantec because it looks a bit different. That is why I was looking here to see if there was any mention of Haxdoor.
Guess it is a legit security advisory then.



vircotto

join:2002-06-04
searching...

I also received this Symantec security advisory and was dubious. I looked at the code, and there are several links to bluehornet.com; e.g.,

Virus Definitions are available via {A href="http://dr.bluehornet.com/ct/ct.php?t=162998&c=311104179&m=m&type=1"}LiveUpdate{/A}
(I used braces to show the HTML link code.)

Isn't bluehornet.com an "advertiser"? So isn't this bogus?


ravencajun
Premium
join:2004-08-12
Houston, TX
kudos:2

reply to kpatz
That is exactly what got my attention; all the links went to that drbluehornet. This is the header info that was on my email.

X-Message-Status: n:0
X-SID-PRA: Symantec Security Response
X-SID-Result: TempError
X-Message-Info: LsUYwwHHNt3nxDl42wnuAFsxWenHu1cjnuqp8rvnBF4=
Received: from ipmx01-55.bluehornet.com ([216.54.194.55]) by bay0-mc1-f4.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
Tue, 25 Jul 2006 18:18:47 -0700
Received: from returnpath.bluehornet.com (10.64.22.16)
by ipmx01-55.bluehornet.com with ESMTP; 25 Jul 2006 18:18:44 -0700
Message-Id:
Return-Path:
Date: Tue, 25 Jul 2006 17:28:01 -0700
From: "Symantec Security Response"
Reply-To: Symantec@reply.digitalriver.com
To: ""
X-Outgoing: symantec
Subject: Symantec Security Advisory: Infected Fake E-mails from Online Retailers
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="--44c6b711e70a9-MultiPart-Mime-Boundary"
X-OriginalArrivalTime: 26 Jul 2006 01:18:47.0746 (UTC) FILETIME=[71F68A20:01C6B051]

So what is up with that? Is it really from Symantec??? I did not click on any links in the email, just read it.

Does Symantec have an addy to send possible fake emails to them to verify?

