antiphishing (Phishing Scam Terminator, Premium, joined 2004-06-09, Wilkes Barre, PA)
Warning regarding fake malware patch 'patch_4723.zip'

The file 'patch_4723.zip' is being sent to Yahoo accounts telling internet users to install the attachment as a patch.

Date: Thu, 12 Apr 2007 20:38:44 +0200
From: "Postmaster"
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: sgtpepper_1967@yahoo.com
Subject: ATTN!

File name: patch_4723.zip
File size: 38kb
File type: application/octet-stream

-- 
Specializing in "takedowns" of phishing and advance fee scams. Send your phishing/advance fee scams to: phish@antihotmail.com

kpatz (MY HEAD A SPLODE, Premium, joined 2003-06-13, Manchester, NH)
Not just Yahoo accounts, I'm seeing them on my personal email too.
It's the latest variant of the Mixor/Nuwar/"Storm Worm" outbreak that's been hitting this week (the name varies widely by AV vendor).
Whatever is sending them (worm or spambot) is pretty adept at punching through my greylister too. Fortunately I have multiple layers of virus scanning on my personal email as well.
Up until now they've all been just straight .exe attachments, but this latest one has taken the Bagle approach of sending itself as a password-protected zip attachment. The upside is that my email anti-virus setup strips encrypted zips, so no definition updates are needed.
-- 
Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK.

kpatz (MY HEAD A SPLODE, Premium, joined 2003-06-13, Manchester, NH)
Just got another one, in my Yahoo account this time.
Attached file is Patch_2119.zip.

boognish (Premium, joined 2001-09-26, Baton Rouge, LA)
reply to antiphishing
Our Exchange server is getting pounded by this one today. I normally see maybe 50 virus warnings from the Exchange server a day. Today it has been well over 2000. I have been blocking certain IPs but haven't had a chance to go put some rules in SpamAssassin to block it, which I need to do.

antiphishing (Phishing Scam Terminator, Premium, joined 2004-06-09, Wilkes Barre, PA)
said by boognish: Our Exchange server is getting pounded by this one today. I normally see maybe 50 virus warnings from the Exchange server a day. Today it has been well over 2000. I have been blocking certain IPs but haven't had a chance to go put some rules in SpamAssassin to block it, which I need to do.

Subject: Support Team Virus Activity Detected! (60k)
Subject: Customer Support Center Virus Detected! (60k)
Subject: Arthur A Is For Attitude (70k)
Subject: welfare Our Love Nest (70k)

antiphishing (Phishing Scam Terminator, Premium, joined 2004-06-09, Wilkes Barre, PA)
reply to kpatz
said by kpatz: Just got another one, in my Yahoo account this time. Attached file is Patch_2119.zip.
"A massive spam outbreak that tries to trick recipients into opening a file attachment that can hijack their computers has already broken records, security companies said today. Researchers at Postini Inc. said the spam run is the largest in the last 12 months...."
»cwflyris.computerworld.com/t/144···59068/2/

rds24a (Teach Your Children, Premium, joined 2000-12-13, Springboro, OH)
reply to antiphishing
Several different builds of KIS 6 seem to have no problems deleting it. I've seen around 10 of them at three different locations, all on rr.com.
-- 
All hail JoePa

rotty97 (joined 2005-06-30, Australia)
LOL, the .exe "patch" has to unpack at some time to run...

garys_2k (joined 2004-05-07, Farmington, MI)
reply to antiphishing
I just submitted the zip file to VirusTotal and pitifully few scanners picked it up. My Avira AntiVir passed it right by; maybe the encryption fooled it.

Link Logger (Premium, MVM, joined 2001-03-29, Calgary, AB)
reply to antiphishing
NOD32 picked it up when you try to unpack it. As the zip file is password protected, no AV is going to detect it in that state; it's when it unpacks that your AV should pick it up.
We are going to see a lot of these, as it is using the typical randomly generated user IDs married up with the domain name, ditto for the reply, so if you bounce it some other unsuspecting Joe might get it as a bounced email. The usual distribution method.
It's actually an interesting attack in that it takes the malware, zips it up with password protection where the password is randomly generated, and an accompanying gif is generated and packaged with the password. Thus far the passwords all have the same pattern: 3 letters followed by 2 digits. This is an attack with a higher level of sophistication than the usual slash and dump, as someone did some coding on this.
Blake
-- 
Vendor: Author of Link Logger, which is a traffic analysis and firewall logging tool

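Two posts above describe the gateway-side countermeasure: kpatz notes that a mail filter which strips encrypted zips needs no signature update, and Link Logger explains why (the archive is password protected, so a scanner cannot see the executable until it is unpacked). The script below is an added example written for this page, not code posted in the thread or from any AV or mail product. It reads only the zip central directory, so it never needs the password, and flags (or replaces with a notice) any attachment that is a password-protected zip, contains an executable, or carries a filename matching the lure names reported in the thread. Assumptions, all constructed for the example: the `example.invalid` addresses, the `patch_NNNN.zip`/`removal-NNNN.zip` regex derived from patch_4723.zip, Patch_2119.zip and removal-8736.zip, the placeholder "MZ" stub used as file content, and the by-hand setting of the zip "encrypted" flag bit (the standard library cannot write encrypted archives). It does not attempt to recover the three-letters-plus-two-digits password.

```python
"""Gateway check for the password-protected zip lure discussed in this thread.

Added example, not code from the thread or from any AV/mail product. The message,
the zip and the lure-name regex are constructed here to mirror the reported names.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

ZIP_ENCRYPTED_FLAG = 0x0001  # bit 0 of the zip general-purpose bit flag
EXECUTABLE_SUFFIXES = ('.exe', '.scr', '.pif', '.com', '.bat', '.cmd')
# Assumed pattern derived from the names reported above:
# patch_4723.zip, Patch_2119.zip, removal-8736.zip
LURE_NAME = re.compile(r'^(?:patch|removal)[-_]\d{4}\.zip$', re.IGNORECASE)


def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment should be held, or [] if none apply."""
    reasons = []
    if LURE_NAME.match(filename):
        reasons.append('filename matches the patch_NNNN.zip lure pattern')
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = zf.infolist()  # parses the central directory only; no password needed
    except zipfile.BadZipFile:
        return reasons  # not a zip at all; leave it to the signature scanner
    if any(e.flag_bits & ZIP_ENCRYPTED_FLAG for e in entries):
        reasons.append('password-protected zip (contents cannot be scanned)')
    executables = [e.filename for e in entries
                   if e.filename.lower().endswith(EXECUTABLE_SUFFIXES)]
    if executables:
        reasons.append('executable inside zip: ' + ', '.join(executables))
    return reasons


def scan_message(raw: bytes) -> list[tuple[str, list[str]]]:
    """List (filename, reasons) for every suspicious attachment in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or '(unnamed)'
        data = part.get_payload(decode=True)  # None for nested multipart parts
        if data is not None:
            reasons = classify_attachment(name, data)
            if reasons:
                findings.append((name, reasons))
    return findings


def strip_flagged_attachments(raw: bytes) -> tuple[bytes, list[str]]:
    """Replace each flagged attachment with a text notice; return (message bytes, removed names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in list(msg.iter_attachments()):
        name = part.get_filename() or '(unnamed)'
        data = part.get_payload(decode=True)
        reasons = classify_attachment(name, data) if data is not None else []
        if reasons:
            part.clear_content()  # drops the payload and all Content-* headers of this part
            part.set_content(f'[attachment {name} removed by mail filter: {"; ".join(reasons)}]')
            removed.append(name)
    return msg.as_bytes(), removed


def make_sample_zip(inner_name: str, encrypted: bool) -> bytes:
    """Constructed sample archive holding a harmless placeholder file (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_STORED) as zf:
        zf.writestr(inner_name, b'MZ' + b'\x00' * 62)
    data = bytearray(buf.getvalue())
    if encrypted:
        # zipfile cannot write encrypted archives, so set the "encrypted" bit by hand in the
        # local file header (flag field at offset 6) and the central directory entry (offset 8)
        data[data.find(b'PK\x03\x04') + 6] |= ZIP_ENCRYPTED_FLAG
        data[data.find(b'PK\x01\x02') + 8] |= ZIP_ENCRYPTED_FLAG
    return bytes(data)


def make_sample_message(filename: str, zip_bytes: bytes) -> bytes:
    """Constructed sample modelled on the lure quoted at the top of the thread."""
    msg = EmailMessage()
    msg['From'] = 'Postmaster <postmaster@example.invalid>'
    msg['To'] = 'user@example.invalid'
    msg['Subject'] = 'ATTN!'
    msg.set_content('We recommend you to install the attached patch.')
    msg.add_attachment(zip_bytes, maintype='application', subtype='octet-stream',
                       filename=filename)
    return msg.as_bytes()


if __name__ == '__main__':
    raw = make_sample_message('patch_4723.zip', make_sample_zip('patch.exe', encrypted=True))
    for name, reasons in scan_message(raw):
        print(name, '->', '; '.join(reasons))
    cleaned, removed = strip_flagged_attachments(raw)
    print('removed:', removed, '| rescan:', scan_message(cleaned))
```

The encrypted-flag check is the one that matters for this outbreak: it is true of every entry in a ZipCrypto or AES-in-zip archive regardless of the password, so it keeps working when the sender rotates the filenames and passwords. The filename regex is only a weak secondary signal and should be scored, not used alone, in a SpamAssassin-style filter.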
Blackbird (Built for Speed, Premium, joined 2005-01-14, Fort Wayne, IN)
said by Link Logger: ... This is an attack with a higher level of sophistication than the usual slash and dump, as someone did some coding on this.
Purely from the code perspective, yes. But these guys still can't seem to get their spelling/grammar right: "adress", "becouse", "We recommend you to install...", "We had archived the patch...".
If the creative coders ever hooked up with good writers, these things probably wouldn't be as easy to spot simply on the basis of the goofy message texts.
-- 
If God wanted us to work with electrons, He'd make them big enough to see...

antiphishing (Phishing Scam Terminator, Premium, joined 2004-06-09, Wilkes Barre, PA)
said by Blackbird: If the creative coders ever hooked up with good writers, these things probably wouldn't be as easy to spot simply on the basis of the goofy message texts.
My thoughts exactly.

kpatz (MY HEAD A SPLODE, Premium, joined 2003-06-13, Manchester, NH)
said by antiphishing: My thoughts exactly.
If that ever happens, it will be the end of the Internet, since no one who receives an email with correct spelling and grammar is going to think it contains a virus.

DrModem (Premium, joined 2006-10-19, USA)
reply to antiphishing
I got that the other day, recognized it as a virus and took care of it. It's too corny to fool me, lol.

psloss (Premium, joined 2002-02-24, Alpharetta, GA)
reply to Blackbird
said by Blackbird: If the creative coders ever hooked up with good writers, these things probably wouldn't be as easy to spot simply on the basis of the goofy message texts.
True, but those folks do hook up for different "campaigns."
These e-mails are more than sufficiently effective on the users they are targeting, idiosyncrasies and all. The Storm Worm group did very well using pure EXE attachments in January; just about anyone that fell for that is likely to fall for this, too.
-- 
Feedback? e-mail: stuff@lupwa.org

Martinus (Premium, joined 2001-08-06, EU)
reply to Blackbird
said by Blackbird: Purely from the code perspective, yes. But these guys still can't seem to get their spelling/grammar right: "adress", "becouse", "We recommend you to install...", "We had archived the patch...".
English is not my native language, but I've seen sentences in these forums (heck, nearly in most forums) by native English speakers with more grammatical or syntactical flaws than the ones you mention.
I don't think grammar can be used as a malware giveaway in this context. For the illustrated, probably. For the rest, I doubt it.
-- 
Si naciste pa' martillo, del cielo te caen los clavos (If you were born to be a hammer, the nails fall on you from the sky)

kpatz (MY HEAD A SPLODE, Premium, joined 2003-06-13, Manchester, NH)
said by Martinus: I don't think grammar can be used as a malware giveaway in this context. For the illustrated, probably. For the rest, I doubt it.
So far, every piece of malware I've received in email has had lousy spelling or grammar in the message, if there is a message at all.
So, if you receive an email that is well written, spelled correctly, with no typos and no grammatical errors, chances are it wasn't created by a spammer or a virus/worm.

Martinus (Premium, joined 2001-08-06, EU)
said by kpatz: So far, every piece of malware I've received in email has had lousy spelling or grammar in the message, if there is a message at all. So, if you receive an email that is well written, spelled correctly, with no typos and no grammatical errors, chances are it wasn't created by a spammer or a virus/worm.
Yes. If it's well written, it probably comes from MS PR monkeys.
But, hey, malware writers will probably get it grammatically right at some point by trial and error.
Probably a good idea not to ditch your AV just because you are an eagle at spotting grammatical flaws right away.

Jameson (10-8, Premium, joined 2004-05-28, Fallbrook, CA)
reply to antiphishing
Got one as well this morning.
The one I got was called removal-8736.zip.

kpatz (MY HEAD A SPLODE, Premium, joined 2003-06-13, Manchester, NH)
That's been one busy robot.
These "Storm Worm" variants are one of the few items that seem to be able to regularly "punch through" my greylister. Good thing that it hits F-Prot when it reaches my mail server and then NOD32 when it gets downloaded to the desktop.