  Dennis Premium,Mod join:2001-01-26 Algonquin, IL
·AT&T Yahoo
edit: August 20th, @10:43PM
| [Phish] Login Information
wow.....new form of phish eh?
quote: Welcome,
Welcome To Cat Lovers.
Membership Number: 498166731 Temorary Login: user8761 Temp Password ID: xe852
Your temporary Login Info will expire in 24 hours. Please login and change it.
Follow this Link: »74.10 2.159.18 8/
Welcome, Confirmation Dept. Cat Lovers
if you go there you get this crap:
quote: If you do not see the secure login window please install our secure login applet
-- My Blog. Because I desperately need the acknowledgement of others.
Mainegirl and my Beer Review's |
|
 BangBang
join:2000-07-05 West New York, NJ | Just had same in my box but it was called Web Connects instead of cat lovers. Came thru an open proxy from an sbc account |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T Midwest
| reply to Dennis That appears to be the same as phish #16057 on our phishtracker (or a variation).
I couldn't check the phish url for #16057, since it times out. From your description, I would say that it isn't a phish at all, but an attempt to trick you into installing malware. -- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.5 |
|
  pleekmo Triptoe Through The Tulips Premium join:2001-09-14 Manchester, CT
·AT&T DSL Service
| reply to Dennis I sent a similar one to Phishtracker. I'll still be sending them to phishtracker until I learn whether this is an attempt at malware installation or truly a phish. -- HCN: Because you deserve a rest!
Proud member of the Free Omelas Liberation Front. |
|
  Kalford Seems To Be An Rtfm Problem. Premium,MVM join:2001-03-20 Ontario | reply to Dennis Norton anti-virus detects the applet.exe file generically as Trojan.Packed.13. A different variant of the storm virus perhaps? -- Through My Eyes |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T Midwest
| reply to Dennis I downloaded "applet.exe" based on the link in Dennis's email. Then I submitted for malware checking:
-- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.5 |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL | reply to Dennis I checked my mailboxes, and found a bunch of variants of this. |
|
  citizensin The Deacon of the Bipartisan Party Premium join:2001-06-19 Fayette City, PA
edit: August 21st, @07:30AM
| reply to Dennis ditto here....
Dear Member,
Here is your membership info for Online Hook-Up.
Account Number: 121638814123 Temorary Login: user3444 Your Password ID: cd798
For security purposes please login and change the temporary Login ID and Password.
Use this link to change your Login info: »76.205. 73.48/
Thank You, Confirmation Dept. Online Hook-Up |
|
  Zaber When all are gone, there shall be none
join:2000-06-08 Cleveland, OH
·Expedient
·XO COMMUNICATIONS
·AT&T Midwest
| reply to Dennis I just received this one from "web joker." The URL given is hxxp://76.84.52.37/ and when I try to go there it also attempts to run something in media player.
Message:
Welcome Member,
Thank You for Joining Web Joker.
Membership Number: 378812391 Temorary Login: user3138 Temorary Password: on858
For security purposes please login and change the temporary Login ID and Password.
Click here to enter our secure server: hxxp://76.84.52.37/
Enjoy, Membership Services Web Joker
and the headers are:
X-YahooFilteredBulk: 67.59.37.117
X-Originating-IP: [67.59.37.117]
Authentication-Results: mta133.sbc.mail.mud.yahoo.com from=uabafn; domainkeys=neutral (no sig)
Received: from 207.115.36.75 (EHLO nlpi046.prodigy.net) (207.115.36.75) by mta133.sbc.mail.mud.yahoo.com with SMTP; Mon, 20 Aug 2007 22:38:50 -0700
X-Header-NoReverseIP: Cannot.resolve.PTR.record.67.59.37.117
X-Originating-IP: [67.59.37.117]
Received: from uabafn ([67.59.37.117]) by nlpi046.prodigy.net (8.13.8 inb/8.13.8) with SMTP id l7L5cTud008522 for ; Tue, 21 Aug 2007 00:38:30 -0500
Received: from iqjejnznr by uabafn with local (Exim 4.62 (FreeBSD)) id 1INMS-00054W-V3 for XXXX@ameritech.net; Tue, 21 Aug 2007 01:38:44 -0400
To:
Subject: Login Information
From: "Web Joker"
Content-Type: text/plain;charset=windows-1252
Content-Transfer-Encoding: 7BIT
Message-Id:
Sender: User iqjejnznr
Date: Tue, 21 Aug 2007 01:38:44 -0400
-- Give a man a fish and he eats for a day, teach a man to fish and he will feed himself for a lifetime |
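The Received chain in Zaber's headers is the part worth reading. Each relay prepends its own line, so the bottom Received line is the earliest hop and the top one (added by Yahoo's MTA) is the only one the recipient's own mail system vouches for; anything below it could have been written by the sender. The script below is an added example, not code from this thread or from any poster. It parses a constructed message modelled on those headers (same relay names and IPs as in the post; the recipient address is a placeholder), lists the hops in transport order, pulls out the originating IP and the "cannot resolve PTR" marker, and names the trusted edge relay.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted in this thread.
# Relay names and IPs are the ones from the post; the recipient is a placeholder.
SAMPLE_MESSAGE = """\
X-Originating-IP: [67.59.37.117]
Received: from 207.115.36.75 (EHLO nlpi046.prodigy.net) (207.115.36.75)
  by mta133.sbc.mail.mud.yahoo.com with SMTP; Mon, 20 Aug 2007 22:38:50 -0700
X-Header-NoReverseIP: Cannot.resolve.PTR.record.67.59.37.117
Received: from uabafn ([67.59.37.117]) by nlpi046.prodigy.net (8.13.8 inb/8.13.8)
  with SMTP id l7L5cTud008522 for <victim@example.net>; Tue, 21 Aug 2007 00:38:30 -0500
Received: from iqjejnznr by uabafn with local (Exim 4.62 (FreeBSD))
  id 1INMS-00054W-V3 for <victim@example.net>; Tue, 21 Aug 2007 01:38:44 -0400
From: "Web Joker" <member-services@example.invalid>
Subject: Login Information

Welcome Member,
Click here to enter our secure server: http://76.84.52.37/
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "from <name> [anything] by <host>" is the common shape of a Received clause
HOP = re.compile(r"from\s+(\S+)(.*?)\s+by\s+(\S+)", re.S)


def parse_hop(value):
    """Pull (from-name, from-ip, by-host) out of one Received header value."""
    value = " ".join(value.split())  # unfold continuation lines
    m = HOP.match(value)
    if not m:
        return None
    from_name, extra, by_host = m.groups()
    ip = IPV4.search(from_name + " " + extra)
    return {"from": from_name, "ip": ip.group(1) if ip else None, "by": by_host}


def hops(msg):
    """Received headers in transport order, earliest hop first.

    Each relay prepends its own line, so header order is newest-first;
    reversing it gives the path the message actually took."""
    parsed = [parse_hop(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(parsed) if h]


def origin_ip(msg):
    """First IP seen when walking outward from the sender."""
    for hop in hops(msg):
        if hop["ip"]:
            return hop["ip"]
    return None


def ptr_failure_ip(msg):
    """IP named in the receiving MTA's 'cannot resolve PTR' marker, if any."""
    m = IPV4.search(msg.get("X-Header-NoReverseIP", ""))
    return m.group(1) if m else None


def triage_headers(raw=SAMPLE_MESSAGE):
    """Summarise the relay chain of a raw RFC 822 message."""
    msg = message_from_string(raw)
    chain = hops(msg)
    return {
        "hops": [(h["from"], h["ip"], h["by"]) for h in chain],
        "origin_ip": origin_ip(msg),
        "no_ptr_ip": ptr_failure_ip(msg),
        # the last relay in transport order is the recipient's own edge MTA,
        # and its Received line is the only one that was not under sender control
        "trusted_edge": chain[-1]["by"] if chain else None,
    }


if __name__ == "__main__":
    for key, value in triage_headers().items():
        print(key, value)
```

In this sample the 67.59.37.117 hop was recorded by the prodigy.net relay one step in from the edge, which is why the no-PTR marker and the origin agree. On a forged chain the two can disagree, so a filter should weight the edge relay's line, not the bottom one.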
|
  Kalford Seems To Be An Rtfm Problem. Premium,MVM join:2001-03-20 Ontario
·Rogers Hi-Speed
edit: August 21st, @11:32AM
| reply to Dennis kpatz has suggested a rather clean and effective way to get rid of this crap.
»Re: Fake e-card viruses getting harder to stop
-- Through My Eyes |
|
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH | reply to Zaber This isn't a phish at all, just another pathetic Storm Worm attempt to spread malware.
I filter any email with IP address hyperlinks in them, which stops these dead in their tracks. |
|
  Dennis Premium,Mod join:2001-01-26 Algonquin, IL | That was a good suggestion, worked like a charm here. |
|
  Dennis Premium,Mod join:2001-01-26 Algonquin, IL
·AT&T Yahoo
edit: August 21st, @04:29PM
| reply to kpatz said by kpatz: I filter any email with IP address hyperlinks in them, which stops these dead in their tracks. I liked your idea so much, I made a quick walkthrough for Outlook and Outlook Express...my hope is that anybody who does a search for this dreck will find my post and hopefully use it.
If it stops one person from getting hit...totally worth it...
»www.dennisjudd.com/2007/08/how_t···ard.html -- My Blog. Because I desperately need the acknowledgement of others.
Mainegirl and my Beer Review's |
|
 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
edit: August 22nd, @12:12AM
| reply to Dennis Yes indeed another mass Stormworm. Apparently someone's botnet inventory needs replenishing.
I got the bartender version:
quote: From: "Bartenders Guide" stir_of_echoes@cossdev.com
Subject: Login Verification
Welcome,
Welcome To Bartenders Guide.
Membership Number: 193995126447 Temp Login ID: user9222 Password ID: ia226
Please Change your login and change your Login Information.
Follow this Link: >http://194.67.142.183/
Enjoy, New Member Technical Support Bartenders Guide
Even though Kaspersky apparently did not detect it in nwrickert's submission above, from looking through the page source code these criminals appear to have an issue with that AV.
source code from 194.67.142.183
EDIT= Removed buffer overflow data
MGD |
|
  pleekmo Triptoe Through The Tulips Premium join:2001-09-14 Manchester, CT
·AT&T DSL Service
| reply to Dennis At least this particular variant is unique enough for me to explicitly identify which virus/trojan it originates from. I'm receiving about five per half-day now per spammed e-mail address. In some cases this amounts to about one-fifth of all spam. -- HCN: Because you deserve a rest!
Proud member of the Free Omelas Liberation Front. |
|
  Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX
·AT&T U-Verse
·RoadRunner Cable
·AT&T Yahoo
| reply to MGD said by MGD: Yes indeed another mass Stormworm. Apparently someone's botnet inventory needs replenishing. Most likely Leo Kuvayev's (I'm guessing here, but I might be very close to the mark when I say it's him. Malware and botnets seem to be among his favorite tactics.) -- "The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
|
|
 Gamer
join:2006-12-09 Phoenix, AZ
·Cox HSI
| reply to pleekmo said by pleekmo: At least this particular variant is unique enough for me to explicitly identify which virus/trojan it originates from. I'm receiving about five per half-day now per spammed e-mail address. In some cases this amounts to about one-fifth of all spam. I'm seeing upwards of 50/day now myself, it's getting ridiculous |
|
  SatManWorkin You Want Fries With That? Premium join:2002-04-15 Tallahassee, FL | I've had 72 since 9pm last night, this must be a record! |
|
 Gamer
join:2006-12-09 Phoenix, AZ
·Cox HSI
| It gets worse: It's now picking random domains for the 'from' address.
I've just started receiving more than 1000 bounce messages/minute at my domain, poor spamd just flat out puked.
Fortunately, it seems to have picked four random prefixes for the addresses making them easy to filter. |
|
  Devanchya Smile Premium join:2003-12-09 Pickering, ON
·Bell Sympatico
| reply to Dennis I have 2050 in my inbox right now. It's 3 days worth.
I can't ban all URLs due to work but I am finding it easy at this point to ban URLs with just IPs in the name. -- »www.codecipher.com - Marking the way to tomorrow's solutions |
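kpatz's rule (drop mail whose hyperlinks point at a bare IP address), Dennis's Outlook walkthrough of it, and Devanchya's "ban URLs with just IPs" all come down to the same check. The script below is an added example written for this thread, not code from any poster or from the linked walkthrough. It finds URLs whose host is an address literal, including the hxxp:// defanging used in the thread, a bracketed IPv6 literal, and the plain-integer form of an IPv4 address that a dotted-quad regex would miss, and, to cover Devanchya's point about work mail, it leaves private-range links alone by default. The sample bodies are constructed; the first mirrors the Web Joker lure quoted above, and 1280586789 is simply 76.84.52.37 written as one integer.

```python
import re
from ipaddress import ip_address

# http/https (and the "hxxp" defanging seen in this thread) followed by a host
# that is a dotted-quad, a bracketed IPv6 literal, or a bare integer.
IP_URL_RE = re.compile(
    r"(?i)\bh[tx]{2}ps?://"
    r"(\[[0-9a-f:.]+\]|\d{1,3}(?:\.\d{1,3}){3}|\d{1,10})"
    r"(?::\d{1,5})?(?!\w)"
)


def ip_literal_hosts(text):
    """Return an ip_address object for every URL whose host is an address literal."""
    hosts = []
    for m in IP_URL_RE.finditer(text):
        raw = m.group(1).strip("[]")
        try:
            # a bare integer such as 1280586789 is the same address as 76.84.52.37
            addr = ip_address(int(raw)) if raw.isdigit() else ip_address(raw)
        except ValueError:
            continue  # e.g. 999.1.2.3, or an integer above 2**32 - 1
        hosts.append(addr)
    return hosts


def flagged_hosts(text, allow_private=True):
    """Addresses that should trip the filter.

    With allow_private=True (the default) links to RFC 1918, loopback and
    other non-global ranges are tolerated so intranet mail keeps working."""
    return [
        str(a) for a in ip_literal_hosts(text)
        if a.is_global or not allow_private
    ]


# Constructed sample bodies; the first mirrors the Web Joker lure quoted above.
SAMPLE_BODIES = {
    "storm_lure": "Click here to enter our secure server: hxxp://76.84.52.37/",
    "integer_form": "Confirm now: http://1280586789/ (same address, integer form)",
    "intranet": "Timesheet is at http://192.168.10.5/time/ as usual.",
    "clean": "Read the policy at https://www.example.com/policy.",
}


def triage_bodies(bodies=SAMPLE_BODIES, allow_private=True):
    """Map each sample label to the list of flagged address literals."""
    return {label: flagged_hosts(body, allow_private) for label, body in bodies.items()}


if __name__ == "__main__":
    for label, hits in triage_bodies().items():
        print(f"{label:13s} -> {'QUARANTINE ' + ', '.join(hits) if hits else 'pass'}")
```

The regex deliberately matches the scheme, so a sender who writes the address without http:// is not caught; that is consistent with the thread, where every lure carries a full link. Setting allow_private=False turns it into the blanket rule kpatz describes.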
|