Re: Warning regarding fake malware patch 'patch

Re: Warning regarding fake malware patch 'patch_4723.zip ' in Security http://www.dslreports.com/forum/r18160282 en Tue, 09 Feb 2010 22:39:06 EDT Tue, 09 Feb 2010 22:39:06 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18178143 Link Logger : Has anyone tried this bad boy in with a virtual system as we might have a no goer in a virtual environment.

Blake]]> http://www.dslreports.com/forum/remark,18178143 Mon, 16 Apr 2007 00:14:19 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18172871 antiphishing :

said by 59126125

:

Sure the idea is on the paranoid side, but if someone wanted to harvest as much personal info as possible in the shortest amount of time, wouldn't tax time be the prime opportunity? What if someone created a root kit or whatever that targeted tax prep programs like TurboTax, etc.?

That was exactly the point that I was trying to get at. Who's to say that you couldn't use a software program like TurboTax and have a key logger installed on the same computer.
--

Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
]]> http://www.dslreports.com/forum/remark,18172871 Sat, 14 Apr 2007 22:53:55 EDT Re: Forecast - Massive Storms clouded by Rootkits http://www.dslreports.com/forum/remark,18172660 SpannerITWks : That link goes to - hxxp://64.28.178.4/index.php - and is associated with -

hxxp://free-orgy-movies.com

( This domain name parked on Estparking.com. To buy this domain click here. )

I was on an exact replica of that www - hxxp://moviefresher.com - in the last 1/2 hour, as i found it linked to a Zlob www i was DL'ing from.

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks]]> http://www.dslreports.com/forum/remark,18172660 Sat, 14 Apr 2007 22:16:58 EDT Forecast - Massive Storms clouded by Rootkits http://www.dslreports.com/forum/remark,18172593 mysec : The above subject title from

»www.antirootkit.com/blog/
"The Rootkit component is wincom32.sys"

I permitted the patch file to extract, then re-enabled security to watch it run:

________________________________________________________________

The loading of the rootkit component, driver wincom32.sys (an executable) is blocked. Then I permitted wincom32.sys to install, and it immediately attempted an outbound connection:

_________________________________________________________

A search doesn't reveal the wincom32.sys file.

_________________________________________________________

Also, none of the Registry entries mentioned in the analysis show up.

A final quote from the analysis:

quote:
The latest Storm run was seen on the radar about 6 PM GMT on Thursday and within 24 hours over 55 million emails were sent out by the Worm according to Postini, an email security company. This is over 60 times the normal rate for a “normal” 24 hour period.

The fact that this Storm run is so massive just goes to show that PC users all over the world are opening up encrypted zipped attachments from strangers and running the code.

regards,

-rich

______________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier

]]> http://www.dslreports.com/forum/remark,18172593 Sat, 14 Apr 2007 22:05:15 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18172338 59126125 : Sure the idea is on the paranoid side, but if someone wanted to harvest as much personal info as possible in the shortest amount of time, wouldn't tax time be the prime opportunity? What if someone created a root kit or whatever that targeted tax prep programs like TurboTax, etc.?
--
There is a reason the wires are twisted together, it's called a pair. It defeats the whole purpose of twisted pair cabling by using the solid orange and solid green to wire the jack.]]> http://www.dslreports.com/forum/remark,18172338 Sat, 14 Apr 2007 21:11:24 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18171702 antiphishing :

said by 59126125

:

Isn't it a little strange that this is occurring close to the deadline for filing taxes? Or is it just coincidence? »news.yahoo.com/s/ap/20070414/ap_···JAJvzwcF

Are you referring that internet users will use infected computers, not knowing that their tax information will end up in the hands of cybercriminals through the use of a root kit or key logger

Interesting theory. :D
--

Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
]]> http://www.dslreports.com/forum/remark,18171702 Sat, 14 Apr 2007 19:03:41 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18171023 59126125 : Isn't it a little strange that this is occurring close to the deadline for filing taxes? Or is it just coincidence? »news.yahoo.com/s/ap/20070414/ap_···JAJvzwcF
--
There is a reason the wires are twisted together, it's called a pair. It defeats the whole purpose of twisted pair cabling by using the solid orange and solid green to wire the jack.]]> http://www.dslreports.com/forum/remark,18171023 Sat, 14 Apr 2007 16:42:14 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18170405 Martinus :

said by quatrix

said by Martinus

:

Probably a good idea not to ditch your AV just because you are an eagle to spot grammatical flaws right away.

Eagle? If you read the message, even the first sentence sounds obviously wrong.

Yeah, to you. But probably not to everybody.

I've seen more atrocities committed against the English language in this forum than I though was possible.

People writing "their" when they mean "there", "here, here Microsoft" when they, obviously meant "hear, hear Microsoft", and so on. So yes, a grammar check will quickly give a clue to some but don't expect that'll help everybody.
--
Si naciste pa' martillo del cielo te caen los clavos]]> http://www.dslreports.com/forum/remark,18170405 Sat, 14 Apr 2007 14:09:15 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18169753 quatrix :

said by Martinus

:

Probably a good idea not to ditch your AV just because you are an eagle to spot grammatical flaws right away.

Eagle? If you read the message, even the first sentence sounds obviously wrong.]]> http://www.dslreports.com/forum/remark,18169753 Sat, 14 Apr 2007 11:49:46 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18169518 BosstonesOwn : Yeah for us. What about the normal people.

My email box is full of these because we support windows servers now too. And most of the windows shops are getting hammered with this.
--
"It's always funny until someone gets hurt......and then it's absolutely friggin' hysterical!"]]> http://www.dslreports.com/forum/remark,18169518 Sat, 14 Apr 2007 10:40:53 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18169212 Rickez : Times like this I thank god for common sense.]]> http://www.dslreports.com/forum/remark,18169212 Sat, 14 Apr 2007 09:00:18 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18168634 Blackbird :

said by Martinus

:

English is not my native language but I've seen sentences in these forums - heck. nearly in most forums - by native English speakers with more grammatical or syntactical flaws than the ones you mention.

I don't think grammar can be used as a malware giveaway in this context. For the illustrated, probably. For the rest, I doubt it.

Perhaps I didn't express myself well. I was referring to the fact that phishes, fake patches, and the like all purport to be from established, reputable organizations. But my experience has been that "official" notification messages sent out by legitimate groups have almost always been vetted for basic spelling or grammar... either by spell/grammar checkers or by an educated author. That doesn't mean an error might not pop up in a legitimate message, but it does mean that a collection of obvious errors in a message almost certainly guarantees it's not any kind of official notice being broadcast by a legitimate organization. As a result, whenever I encounter an error-filled, purportedly "official" message, I generally look no further and simply hit the delete button.

Obviously, those with less English-language experience will not be able to do that... but that's why nobody should be opening executables or naively trusting URL links contained in any unsolicited eMail, regardless of language or where they live. And in any case, if the language looks OK, I still practice safe-hex in not opening attachments or assuming links are valid without first cross-checking 100% with the real purported sender by direct, person-to-person or other secure, independent means.

Verify, verify, verify.
--
If God wanted us to work with electrons, He'd make them big enough to see...]]> http://www.dslreports.com/forum/remark,18168634 Sat, 14 Apr 2007 01:54:40 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18167634 antiphishing :

said by pcdebb

:

::sigh:: i already got two people that already installed the "update" and wondered what it was AFTERWARDS :mad:

Once again :(,the combination of naive internet plus social engineering, does equal the slow destruction of the internet.

We all pay for it , in the end. You have to look at the big picture of the whole thing. It's such a sad state when you can allow someone to use the internet, and they don't have
a clue on what is involved with internet security. :( :(
--

Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
]]> http://www.dslreports.com/forum/remark,18167634 Fri, 13 Apr 2007 21:38:17 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18167595 pcdebb : ::sigh:: i already got two people that already installed the "update" and wondered what it was AFTERWARDS :mad:]]> http://www.dslreports.com/forum/remark,18167595 Fri, 13 Apr 2007 21:28:52 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18167094 antiphishing :

said by BosstonesOwn

:

Times like these I thank god for Solaris 10 :)

If I had a choice to move to another operating system, it would be Linux Fedora Red Hat 7. :D :D :D :D :D :D

I mean it's not that I don't like Microsoft Vista :), but the new security exploits are are starting to get a little old now.
--

Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
]]> http://www.dslreports.com/forum/remark,18167094 Fri, 13 Apr 2007 19:50:17 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18165655 BosstonesOwn : Times like these I thank god for Solaris 10 :)]]> http://www.dslreports.com/forum/remark,18165655 Fri, 13 Apr 2007 15:37:23 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18165352 antiphishing :

said by Jameson

:

Yup:
User-Agent:
Thunderbird 1.5.0.9 (Windows/20061207)

EDIT:
However it was From:
Customer Support

One of the patterns that I have been noticing is that Yahoo email accounts are one of the targets. Every email contains the header line "Thunderbird 1.5.0.9 (Windows/20061207)" being sent through zombie machines in Europe and the United States.
--

Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
]]> http://www.dslreports.com/forum/remark,18165352 Fri, 13 Apr 2007 14:40:47 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18165349 kpatz : The "Thunderbird" user-agent header seems to be consistent across this entire spam run. It's probably hard-coded.]]> http://www.dslreports.com/forum/remark,18165349 Fri, 13 Apr 2007 14:40:39 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18165307 Jameson : Yup:
User-Agent:
Thunderbird 1.5.0.9 (Windows/20061207)

EDIT:
However it was From:
ohhsj @ icqmail.com

X-Originating-IP:
[216.141.228.112]
Authentication-Results:
mta121.sbc.mail.mud.yahoo.com from=icqmail.com; domainkeys=neutral (no sig)
Received:
from 207.115.36.76 (EHLO nlpi047.sbcis.sbc.com) (207.115.36.76) by mta121.sbc.mail.mud.yahoo.com with SMTP; Thu, 12 Apr 2007 23:07:56 -0700
X-Header-NoReverseIP:
IP.name.lookup.failed[216.141.228.112]
X-Originating-IP:
[216.141.228.112]]]> http://www.dslreports.com/forum/remark,18165307 Fri, 13 Apr 2007 14:32:17 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18165276 antiphishing :

said by Jameson

:

Got one as well this morning.

The one i got was called removal-8736.zip

Did the email header contain the information "User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)" and was it from a Yahoo email account?

X-Apparently-To: html_edit@yahoo.com via 68.142.198.159; Thu, 12 Apr 2007 11:27:33 -0700
X-YahooFilteredBulk: 162.39.116.180
X-Originating-IP: [162.39.116.180]
Return-Path:
Authentication-Results: mta434.mail.mud.yahoo.com from=med.va.gov; domainkeys=neutral (no sig)
Received: from 162.39.116.180 (HELO h180.116.39.162.ip.alltel.net) (162.39.116.180) by mta434.mail.mud.yahoo.com with SMTP; Thu, 12 Apr 2007 11:27:32 -0700
Received: from vqyhx ([26.84.210.33]) by h180.116.39.162.ip.alltel.net (8.13.4/8.13.4) with SMTP id l3CIm64j074509; Thu, 12 Apr 2007 14:48:06 -0400
Message-ID:
Date: Thu, 12 Apr 2007 14:44:50 -0400
From: "Customer Support Center"
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: html_edit@yahoo.com
Subject: Virus Detected!
Content-Type: multipart/mixed; boundary="------------040808030703010202050005"
Content-Length: 60246

--

Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
]]> http://www.dslreports.com/forum/remark,18165276 Fri, 13 Apr 2007 14:25:31 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18165186 luddite :

said by Martinus

said by Blackbird

:

Purely from the code perspective, yes. But these guys still can't get seem to get their spelling/grammar right: "adress", "becouse", "We recommend you to install...", "We had archived the patch...".

On the flip side I think that bad spelling/grammar is only a tip-off to those who are pretty fluent and proficient with the English language to begin with (which is probably a very small percent of the total users on the internet).

My in-laws don't speak English as their primary language and I would be willing to bet that they would be easily fooled by the supposed 'officialness' of such an email as this. I've had to reformat one PC in their household on two separate occasions so far... No idea how it got infected exactly (I suspect pr0n sites) but I wouldn't be surprised to find out they fell for some such email attack such as this.

I guess what I'm trying to say is that there are many, many, many people out there on the internet for which English is not their primary language and this email will not be viewed as an obvious 'scam' simply due to poor grammar. ]]> http://www.dslreports.com/forum/remark,18165186 Fri, 13 Apr 2007 14:08:25 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18165147 kpatz : That's been one busy robot. :D

These "Storm Worm" variants are one of the few items that seem to be able to regularly "punch-through" my greylister. Good thing that it hits F-prot when it reaches my mail server and then NOD32 when it gets downloaded to the desktop.
--
Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK.]]> http://www.dslreports.com/forum/remark,18165147 Fri, 13 Apr 2007 13:58:35 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18165115 Jameson : Got one as well this morning.

The one i got was called removal-8736.zip

]]> http://www.dslreports.com/forum/remark,18165115 Fri, 13 Apr 2007 13:50:49 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18165071 Martinus :

said by kpatz

said by Martinus

:

I don't think grammar can be used as a malware giveaway in this context. For the illustrated, probably. For the rest, I doubt it.

Yes. If it's well written, it probably comes from MS PR monkeys :)

But, hey, malware writers will probably get it grammatically right at some point by trial and error.

Probably a good idea not to ditch your AV just because you are an eagle to spot grammatical flaws right away.
--
Si naciste pa' martillo del cielo te caen los clavos]]> http://www.dslreports.com/forum/remark,18165071 Fri, 13 Apr 2007 13:41:26 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18165030 kpatz :

said by Martinus

:

I don't think grammar can be used as a malware giveaway in this context. For the illustrated, probably. For the rest, I doubt it.

So far, every piece of malware I've received in email has had lousy spelling or grammar in the message, if there is a message at all.

So, if you receive an email that is well written, spelled correctly, no typos, and no grammatical errors, chances are it wasn't created by a spammer or a virus/worm. :)
--
Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK.]]> http://www.dslreports.com/forum/remark,18165030 Fri, 13 Apr 2007 13:32:31 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18165015 Martinus :

said by Blackbird

English is not my native language but I've seen sentences in these forums - heck. nearly in most forums - by native English speakers with more grammatical or syntactical flaws than the ones you mention.

I don't think grammar can be used as a malware giveaway in this context. For the illustrated, probably. For the rest, I doubt it.
--
Si naciste pa' martillo del cielo te caen los clavos]]> http://www.dslreports.com/forum/remark,18165015 Fri, 13 Apr 2007 13:29:42 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18164892 psloss :

said by Blackbird

:

If the creative coders ever hooked up with good writers, these things probably wouldn't be as easy to spot simply on the basis of the goofy message texts.

True, but those folks do hook up for different "campaigns."

These e-mails are more than sufficiently effective on the users they are targeting, idiosyncrasies and all. The Storm Worm group did very well using pure EXE attachments in January; just about anyone that fell for that is likely to fall for this, too.
--
Feedback? e-mail: stuff@lupwa.org ]]> http://www.dslreports.com/forum/remark,18164892 Fri, 13 Apr 2007 13:07:22 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18164449 DrModem : I got that the other day, recognized it as a virus and took care of it. It's too corny to fool me lol.]]> http://www.dslreports.com/forum/remark,18164449 Fri, 13 Apr 2007 11:30:40 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18164266 kpatz :

said by antiphishing

:

My thoughts exactly.

If that ever happens, it will be the end of the Internet, since no one who receives an email with correct spelling and grammar is going to think it contains a virus. :D
--
Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK.]]> http://www.dslreports.com/forum/remark,18164266 Fri, 13 Apr 2007 10:50:26 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18164257 antiphishing :

said by Blackbird

:

said by Link Logger

:

If the creative coders ever hooked up with good writers, these things probably wouldn't be as easy to spot simply on the basis of the goofy message texts.

My thoughts exactly. :D
--

Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
]]> http://www.dslreports.com/forum/remark,18164257 Fri, 13 Apr 2007 10:48:04 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18163053 Blackbird :

said by Link Logger

:

... This is an attack with a higher level of sophistication then the usual slash and dump as someone did some coding on this.

Purely from the code perspective, yes. But these guys still can't get seem to get their spelling/grammar right: "adress", "becouse", "We recommend you to install...", "We had archived the patch...".

If the creative coders ever hooked up with good writers, these things probably wouldn't be as easy to spot simply on the basis of the goofy message texts.
--
If God wanted us to work with electrons, He'd make them big enough to see...]]> http://www.dslreports.com/forum/remark,18163053 Fri, 13 Apr 2007 01:36:37 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18162540 Link Logger : NOD32 picked it up when you try to unpack it as the zip file is password protected so no AV is going to detect it in that state, its when it unpacks that is when your AV should pick it up.

We are going to see a lot of these as it using the typical randomly generated user ids married up with the domain name, ditto for the reply so if you bounce it, some other unsuspecting Joe might get it as a bounced email. The usual distribution method.

It actually an interesting attack in that it takes the malware zips it up with password protection where the password is randomly generated and an accompanying gif is generated and packaged with the password. Thus far the passwords all have the same pattern 3 letters followed by 2 digits. This is an attack with a higher level of sophistication then the usual slash and dump as someone did some coding on this.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool]]> http://www.dslreports.com/forum/remark,18162540 Thu, 12 Apr 2007 23:20:05 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18162370 garys_2k : I just submitted the zip file to virustotal and pitifully few scanners picked it up. My Avira Antivir passed it right by - maybe the encryption fooled it.]]> http://www.dslreports.com/forum/remark,18162370 Thu, 12 Apr 2007 22:46:26 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18162097 rotty97 : LOL, the .exe "patch" has to unpack at sometime to run..............]]> http://www.dslreports.com/forum/remark,18162097 Thu, 12 Apr 2007 21:56:32 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18161351 rds24a : Several different builds of KIS 6 seem to have no problems deleting it. I've seen around 10 of them at three different locations....all on rr.com
--
All hail JoePa]]> http://www.dslreports.com/forum/remark,18161351 Thu, 12 Apr 2007 19:44:01 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18161332 antiphishing :

said by kpatz

:

Just got another one, in my Yahoo account this time.

Attached file is Patch_2119.zip.

A massive spam outbreak that tries to trick recipients into opening a file attachment that can hijack their computers has already broken records, security companies said today. Researchers at Postini Inc. said the spam run is the largest in the last 12 months....
»cwflyris.computerworld.com/t/144···59068/2/
--

Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645

]]> http://www.dslreports.com/forum/remark,18161332 Thu, 12 Apr 2007 19:40:24 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18161183 antiphishing :

said by boognish

:

Our exchange server is getting pounded by this one today. I normally see maybe 50 virus warnings from the exchange server a day. Today it has been well over 2000. I have been blocking certain IPs but haven't had a chance to go put some rules in spamassassin to block which I need to do.

Subject Support Team Virus Activity Detected! 60k
Subject Customer Support Center Virus Detected! 60k
Subject Arthur A Is For Attitude 70k
Subject welfare Our Love Nest 70k
--

Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
]]> http://www.dslreports.com/forum/remark,18161183 Thu, 12 Apr 2007 19:09:57 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18160411 boognish : Our exchange server is getting pounded by this one today. I normally see maybe 50 virus warnings from the exchange server a day. Today it has been well over 2000. I have been blocking certain IPs but haven't had a chance to go put some rules in spamassassin to block which I need to do.]]> http://www.dslreports.com/forum/remark,18160411 Thu, 12 Apr 2007 16:37:53 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18160282 kpatz : Just got another one, in my Yahoo account this time.

Attached file is Patch_2119.zip.

]]> http://www.dslreports.com/forum/remark,18160282 Thu, 12 Apr 2007 16:16:06 EDT Re: Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18160260 kpatz : Not just Yahoo accounts, I'm seeing them on my personal email too.

It's the latest variant of the Mixor/Nuwar/"Storm Worm" outbreak that's been hitting this week (name varies widely by AV vendor).

Whatever is sending them (worm or spambot) is pretty adept at punching through my greylister too. Fortunately I have multiple layers of virus scanning on my personal email as well. :)

Up until now they've all been just straight .exe attachments, but this latest one has taken the Bagle approach of sending itself as a password-protected zip attachment. The upside is my email anti-virus setup strips encrypted zips, so no definition updates are needed.
--
Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK.]]> http://www.dslreports.com/forum/remark,18160260 Thu, 12 Apr 2007 16:11:53 EDT Warning regarding fake malware patch 'patch_4723.zip ' http://www.dslreports.com/forum/remark,18160227 antiphishing : The file 'patch_4723.zip' is being sent to yahoo accounts telling internet users to install the attactment as a patch.

Date: Thu, 12 Apr 2007 20:38:44 +0200
From: "Postmaster"
Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: sgtpepper_1967@yahoo.com
Subject: ATTN!

File name: patch_4723.zip
File size: 38kb
File type: application/octet-stream
--

Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645

]]> http://www.dslreports.com/forum/remark,18160227 Thu, 12 Apr 2007 16:06:44 EDT