Dennis
Premium,Mod
join:2001-01-26
Algonquin, IL
[Phish] email from CDC "personal vaccination profile"

Anybody else see this junk? Just got two of them within a minute....wonder how many people it will fool.
quote:

You have received this e-mail because of the launching of State Vaccination H1N1 Program.
You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for the vaccinated people and the not-vaccinated ones. This profile is used for the registering system of vaccinated and not-vaccinated people.

Create your Personal H1N1 Vaccination Profile using the link:
http://online.cdc.gov.nyugewn.be/h1n1flu/profile.php?&session_id=99590321188358936408690441704006503511632965498306089994694&email=redacted@aol.com 
 
Create Personal Profile



Centers for Disease Control and Prevention (CDC) · 1600 Clifton Rd · Atlanta GA 30333 · 800-CDC-INFO (800-232-4636)


headers if anyone cares

quote:
Return-Path:
X-Original-To: homes@dennisjudd.com
Delivered-To: djudd@blackraven.com
Received: from h081217115121.dyn.cm.kabsi.at (h081217115121.dyn.cm.kabsi.at [81.217.115.121])
by blackraven.com (Postfix) with ESMTP id 2C5F696B56
for ; Tue, 1 Dec 2009 10:10:29 -0600 (CST)
Message-ID:
From: "Centers for Disease Control and Prevention"
To:
Subject: Instructions on creation of your personal Vaccination Profile
Date: Tue, 1 Dec 2009 17:10:14 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01CA72A0.C43C2410"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180


Gonna have to go fire up the unix box to see what that site tries to do.....
--
My Blog. Because I desperately need the acknowledgement of others.

Visit the Judd Family website to see my kids!
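As an added example (this is not part of Dennis's post, nor anything the thread's participants ran), the Python script below pulls apart the headers and lure URL quoted above. It reads the injecting host out of the Received line, notes that it is a dynamic-pool address with nothing under cdc.gov in the path, shows that `online.cdc.gov.nyugewn.be` is controlled by `nyugewn.be` rather than `cdc.gov`, and points out the recipient address carried in the query string. The header text is reproduced as posted (the poster stripped the Return-Path, From and To addresses); the two-label public-suffix table, the "dynamic pool" reverse-DNS pattern and the US time-zone check are assumptions made for the demo, not facts from the thread.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qs, urlparse

# The headers and lure URL quoted in the post above. The poster stripped the
# addresses from Return-Path, From and To; those lines are kept as posted.
RAW_MESSAGE = """\
Return-Path:
X-Original-To: homes@dennisjudd.com
Delivered-To: djudd@blackraven.com
Received: from h081217115121.dyn.cm.kabsi.at (h081217115121.dyn.cm.kabsi.at [81.217.115.121])
\tby blackraven.com (Postfix) with ESMTP id 2C5F696B56
\tfor ; Tue, 1 Dec 2009 10:10:29 -0600 (CST)
From: "Centers for Disease Control and Prevention"
Subject: Instructions on creation of your personal Vaccination Profile
Date: Tue, 1 Dec 2009 17:10:14 +0100
X-Mailer: Microsoft Outlook Express 6.00.2900.2180

Create your Personal H1N1 Vaccination Profile using the link:
http://online.cdc.gov.nyugewn.be/h1n1flu/profile.php?&session_id=99590321188358936408690441704006503511632965498306089994694&email=redacted@aol.com
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)",
    re.S,
)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Reverse-DNS labels typical of consumer/dynamic address pools (heuristic, an assumption).
DYNAMIC_RE = re.compile(r"\.(dyn|dsl|pool|dhcp|cable|dial)\.", re.I)
# Assumption: this short table of two-label public suffixes is enough for the
# hosts in this thread; a real tool should consult the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.im", "co.uk"}


def registrable_domain(host):
    """Return the registrant-controlled part of a hostname (naive PSL cut)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def received_hops(msg):
    """Parse each Received header, top (nearest recipient) to bottom (origin)."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append(m.groupdict())
    return hops


def analyze(raw, claimed_domain="cdc.gov"):
    msg = message_from_string(raw)
    hops = received_hops(msg)
    origin = hops[-1] if hops else {}   # bottom-most Received = injection point
    findings = []
    link_domains = set()

    for url in URL_RE.findall(msg.get_payload()):
        parts = urlparse(url)
        host = parts.hostname or ""
        reg = registrable_domain(host)
        link_domains.add(reg)
        # "online.cdc.gov.nyugewn.be" puts the brand in subdomain labels;
        # only the registrable domain says who controls the host.
        if claimed_domain in host and reg != claimed_domain:
            findings.append(f"link host {host} shows {claimed_domain} but is controlled by {reg}")
        if "email" in parse_qs(parts.query):
            findings.append("link carries the recipient address in the query string (click tracking)")

    if origin:
        if not origin["rdns"].lower().endswith("." + claimed_domain):
            findings.append(f"From claims {claimed_domain} but mail was injected from "
                            f"{origin['rdns']} [{origin['ip']}]")
        if DYNAMIC_RE.search(origin["rdns"]):
            findings.append("origin reverse DNS looks like a dynamic/consumer address pool (bot-like)")

    offset = parsedate_to_datetime(msg["Date"]).utcoffset()
    # Heuristic (assumption): a US agency's mailer would stamp a US offset.
    if offset is not None and not timedelta(hours=-10) <= offset <= timedelta(hours=-4):
        findings.append(f"Date header offset {offset} is outside US time zones")

    return {
        "origin_ip": origin.get("ip"),
        "origin_rdns": origin.get("rdns"),
        "link_domains": link_domains,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in analyze(RAW_MESSAGE)["findings"]:
        print("-", finding)
```

Run as a script it lists five findings for this message; the only one that needs no heuristic is the registrable-domain check, which is the test worth teaching users: read the domain from the right, not the left.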


SYNACK
Just Firewall It
Premium,Mod
join:2001-03-05
Venice, CA

Well, it wants you to download a vaccination report, which is an executable.

Probably no phish, but malware.



psafux
Premium,VIP
join:2005-11-10

reply to Dennis
Firefox has the site flagged.

If you go to the site, you will see:

Your Personal H1N1 Vaccinating Profile is an electronic document, which contains your name, your contact details and your medical data (what kind of illnesses you have sustained in your childhood or what kind of allergy you have to some certain drug). All instructions you need are included in the archive below:

The file is:

"http://DO NOT DOWNLOAD THIS FILE/h1n1flu/vacc_profile.exe"
--
Yes. the cat in my avatar is indeed mine.



Dennis
Premium,Mod
join:2001-01-26
Algonquin, IL
reply to Dennis

yeah just finished checking it out....got delayed with somebody stopping by my desk.


srcd

@sbcglobal.net

reply to Dennis
Yes, I received this email as well. I fell for it and got a virus. DO NOT CLICK ON THIS LINK!!



Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX

reply to Dennis
Has anyone downloaded the executable on this and submitted it to VirusTotal or Jotti? I would be curious to see what malware it is and how well it is detected by the 40 major AV apps.

Although if I were to guess, my first one would be the Zeus/zBot trojan.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL

reply to Dennis
Less than a 10% current detection rate on the Virus Total submit:»www.virustotal.com/analisis/be45···59688624

Appears to be a fresh version of a banking infostealer / backdoor/ keylogger.

MGD



Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX


said by MGD:

Less than a 10% current detection rate on the Virus Total submit:»www.virustotal.com/analisis/be45···59688624

Appears to be a fresh version of a banking infostealer / backdoor/ keylogger.

MGD
Interesting: AntiVir (Avira - not the fake AV that uses the same name) is one of those less than 10% that detects this one. I knew there was a good reason for switching to it.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL

reply to Dennis
There are currently two of those "phish" on phishtracker. They come from the rock phishers. They try to run a Windows executable "vacc_profile.exe" and at present AV detection of this is weak. See also »phish #42363 - malware alert
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 11.0; firefox 3.0.15


MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL

I see Phish submit 42363:»/phishtrack?pi···3&urls=1 is for the same NYUGEWN.BE fraud domain, while Phish submit 42364:»/phishtrack?pi···4&urls=1 is for a fraud domain YHNBAM.CO.IM

The fraudulently registered NYUGEWN.BE per ICANN regulations is eligible for immediate revocation:

===================================
Domain Name NYUGEWN.BE
Status REGISTERED
Registered December 1, 2009
Last update December 1, 2009 1:57 PM

Licensee
Name: Tom McCarthy
Organisation: Tom McCarthy

Language English

Address: 13895 Keiber Rd.,
48838 Antwerp
Belgium

Phone +32.7812713

Email rickys36246@hotmail.com

Agent technical contacts:

Name Active 24 ASA - Registry Department
Organisation Active 24 ASA

Language English:

Address Pilestredet 75C
P.O. box 5198 Majorstua
N-0302 Oslo
Norway
Phone +47.21933000
Fax +47.21933001
Email registry[@]registry.active24.com

Agent
Organisation Active 24 ASA

Website www.active24.be/
Nameservers

ns1.davies-estates.com
ns1.pandachine.com
===================================
File: registry[@]registry.active24.com & »www.dns.be/public/whois/FileComp···=nyugewn

The fraudulent registration, listed as being in Antwerp, Belgium, belongs to this individual / business:

Outdoor Optic Shop

Tom McCarthy
13895 Keiber Rd.
Greenville, Mi 48838
616-754-5530

»www.armedforcesjournal.com/black···irectory

Not sure if the owner's card data was used for payment.

The DNS server domains are the best targets, since these phish virus spams are bot-mailed and bot-hosted. Also likely to be fast-flux DNS.

MGD


MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL

reply to Dennis

said by Dennis:

Anybody else see this junk? Just got two of them within a minute....wonder how many people it will fool.
Probably a lot, massive mailings, and the variable Subject lines:

VIRUS ALERT = Subject: Creation of personal Vaccination Profile = VIRUS ALERT

VIRUS ALERT = Subject: State Vaccination Program = VIRUS ALERT

VIRUS ALERT = Subject: Instructions on creation of your personal Vaccination Profile = VIRUS ALERT

VIRUS ALERT = Subject: Creation of your personal Vaccination Profile = VIRUS ALERT

will catch a lot of victims. Look for a huge increase in the RBN's US based botnet, and financial fraud.

=========================
whois.nic.im

Domain Name: YHNBAM.CO.IM

Expiry Date: 02/12/2010 00:59:59

Domain Managers
Name: Tom McCarthy
Address
13895 Keiber Rd
48838
United States
Domain Owners / Registrant
Name: Tom McCarthy
Address
13895 Keiber Rd
48838
United States

Name Server: ns1.a-personalhire.com.
Name Server: ns1.shuzmen.com.

Registrant Search:"Tom McCarthy" owns about 78 other domains
=========================

MGD


cowboyro

join:2000-10-11
Shelton, CT

reply to Dennis
Infostealer.Banker.C according to SAV 10 defs 12/1/2009 rev24



nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL

That sounds right. It is apparently a new variant that few AVs are catching.


MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL

said by nwrickert:

That sounds right. It is apparently a new variant that few AVs are catching.
I submitted it to the Norman Sandbox for analysis:

vacc_profile.exe : Not detected by Sandbox (Signature: NO_VIRUS)

[ DetectionInfo ]
* Filename: C:\analyzer\scan\vacc_profile.exe.
* Sandbox name: NO_MALWARE
* Signature name: NO_VIRUS.
* Compressed: NO.
* TLS hooks: NO.
* Executable type: Application.
* Executable file structure: OK.
* Filetype: PE_I386.

[ General information ]
* File length: 130560 bytes.
* MD5 hash: e711a0227e4f9de1550fb6c194c77e30.

Also sent it to Sunbelt's sandbox for analysis, waiting on reply.

MGD


hortnut
Huh?

join:2005-09-25
Somewhere

reply to Dennis
No I have not, if I see anything like this - use the delete button.

OTOH - it is good for someone as yourself to see how this thing works - malware load? or social engineering?
--
Darn, its gettin that time to go to Wallymart to gits me picture taken agin.



Dennis
Premium,Mod
join:2001-01-26
Algonquin, IL

reply to Dennis
Dear god they just don't stop...I'm just constantly getting them (and submitting them to phish tracker). If this keeps up I'm gonna setup a rule in outlook.


MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL

Good post Dennis
I sent it over to Threat Expert's sandbox, this is vicious, lethal, and will do some serious damage, excellent analysis:

Registry modifications, changes, deletions & additions. Appears that safe boot and restore may not be partial recovery options.
ThreatExpert···Mods.txt 22318 bytes



===============================
There were registered attempts to establish connection with the remote hosts.

The connection details are:

Remote Host Port Number
193.104.41.75 80
97.74.144.118 80

The data identified by the following URLs was then requested from the remote web server(s):

>http://193.104.41.75/cbd/75.bro
>http://193.104.41.75/kissme/rec.php
>http://promed-net.com/css/absderce2.exe
>http://193.104.41.75/ip.php
===============================

Ref:»www.threatexpert.com/report.aspx···94c77e30

MGD


TSI Gabe
Premium,VIP
join:2007-01-03
Chatham, ON

My desktop doesn't even know what the heck an "EXE" is, so no big deal there


MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL

reply to nwrickert

said by nwrickert:

There are currently two of those "phish" on phishtracker. They come from the rock phishers. They try to run a Windows executable "vacc_profile.exe" and at present AV detection of this is weak. See also »phish #42363 - malware alert
Indeed, classic RBN rockphish traits. Four of the name servers in use for the above two domains:

ns1.davies-estates.com
ns1.pandachine.com
ns1.a-personalhire.com
ns1.shuzmen.com

Since this is US targeted it is common for them to have at least one IP per dns domain hosted in the US.

a-personalhire.com is also used in conjunction with ns1.poolandmonster.com in another Zbot campaign which involves another 13 Belgian Domains in addition to the known nyugewn.be. Classic Rockphish style:

hssaze.be = VIRUS & FRAUD DOMAIN
hssazg.be = VIRUS & FRAUD DOMAIN
hssazh.be = VIRUS & FRAUD DOMAIN
hssazi.be = VIRUS & FRAUD DOMAIN
hssazj.be = VIRUS & FRAUD DOMAIN
hssazl.be = VIRUS & FRAUD DOMAIN
hssazo.be = VIRUS & FRAUD DOMAIN
hssazp.be = VIRUS & FRAUD DOMAIN
hssazq.be = VIRUS & FRAUD DOMAIN
hssazr.be = VIRUS & FRAUD DOMAIN
hssazt.be = VIRUS & FRAUD DOMAIN
hssazw.be = VIRUS & FRAUD DOMAIN
hssazy.be = VIRUS & FRAUD DOMAIN

»www.malwareurl.com/ns_listing.ph···hire.com

Obviously a major planned operation, someone's bot net and bank card / login database was close to "E".

MGD
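Added example, not from the thread and not something its participants ran: the Python script below takes the indicators quoted across this thread (the injection IP from Dennis's headers, the callback IPs and hosts from MGD's ThreatExpert report, the .be and .co.im fraud domains, and the nameserver domains the rockphish infrastructure shares) and sweeps proxy and DNS query logs for any line that touches one of them, then lists the client addresses that need isolating. The log lines are constructed for the demo, not real captures; the `vacc_profile.exe` URL is placed under nyugewn.be on the assumption (MGD's phish 42363 note) that the fraud domain hosted it, since the poster redacted the actual URL. Matching a query name against the nameserver domains (e.g. `ns1.a-personalhire.com`) is what catches hosts from related campaigns the domain list does not yet name.

```python
import re

# Indicators quoted earlier in this thread: the mail injection host, the
# sandbox callbacks, the fraud domains and the nameserver domains they share.
IOC_IPS = {"81.217.115.121", "193.104.41.75", "97.74.144.118"}
IOC_DOMAINS = {
    "nyugewn.be", "yhnbam.co.im", "promed-net.com",
    "hssaze.be", "hssazg.be", "hssazh.be", "hssazi.be", "hssazj.be", "hssazl.be",
    "hssazo.be", "hssazp.be", "hssazq.be", "hssazr.be", "hssazt.be", "hssazw.be",
    "hssazy.be",
    "davies-estates.com", "pandachine.com", "a-personalhire.com", "shuzmen.com",
    "poolandmonster.com",
}

# Constructed sample logs (not from the thread): a proxy access log in
# "timestamp client method url status" form and a BIND-style query log.
# The vacc_profile.exe URL host is assumed; the poster redacted the real one.
PROXY_LOG = """\
1259684000.123 10.0.0.15 GET http://online.cdc.gov.nyugewn.be/h1n1flu/vacc_profile.exe 200
1259684030.456 10.0.0.15 GET http://193.104.41.75/cbd/75.bro 200
1259684031.789 10.0.0.15 POST http://193.104.41.75/kissme/rec.php 200
1259684032.000 10.0.0.15 GET http://promed-net.com/css/absderce2.exe 200
1259684033.000 10.0.0.22 GET http://www.cdc.gov/h1n1flu/ 200
1259684040.000 10.0.0.22 GET http://example.com/ 200
"""
DNS_LOG = """\
01-Dec-2009 16:12:01.000 client 10.0.0.15#53412: query: online.cdc.gov.nyugewn.be IN A +
01-Dec-2009 16:12:05.000 client 10.0.0.31#49201: query: hssazq.be IN A +
01-Dec-2009 16:12:09.000 client 10.0.0.31#49202: query: ns1.a-personalhire.com IN A +
01-Dec-2009 16:13:00.000 client 10.0.0.22#51111: query: www.cdc.gov IN A +
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_HOST_RE = re.compile(r"https?://([^/\s:]+)")
DNS_QNAME_RE = re.compile(r"query: (\S+) IN ")
CLIENT_RE = re.compile(r"client ((?:\d{1,3}\.){3}\d{1,3})#")


def matched_domain(host):
    """Return the IOC domain that host equals or sits under, else None."""
    host = host.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def client_of(line):
    """Client address: BIND 'client a.b.c.d#port' or the proxy log's 2nd field."""
    m = CLIENT_RE.search(line)
    if m:
        return m.group(1)
    fields = line.split()
    return fields[1] if len(fields) > 1 and IPV4_RE.fullmatch(fields[1]) else None


def scan(log_text):
    """Return one hit per line that touches an IOC host/domain or IP."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        hosts = URL_HOST_RE.findall(line) + DNS_QNAME_RE.findall(line)
        indicator = None
        for h in hosts:
            indicator = matched_domain(h)
            if indicator:
                break
        if indicator is None:
            # Fall back to raw IPs (callback servers are often contacted by IP only).
            indicator = next((ip for ip in IPV4_RE.findall(line) if ip in IOC_IPS), None)
        if indicator:
            hits.append({"line": lineno, "indicator": indicator,
                         "client": client_of(line), "text": line})
    return hits


def suspect_clients(hits):
    """Internal addresses that contacted or resolved any indicator."""
    return {h["client"] for h in hits if h["client"]}


if __name__ == "__main__":
    all_hits = scan(PROXY_LOG) + scan(DNS_LOG)
    for h in all_hits:
        print(f"{h['client']} -> {h['indicator']}: {h['text']}")
    print("clients to isolate:", sorted(suspect_clients(all_hits)))
```

On the sample input the sweep flags 10.0.0.15 (fetched the executable and then called back to 193.104.41.75 and promed-net.com, the sequence ThreatExpert recorded) and 10.0.0.31 (only resolved an hssaz*.be domain and a rockphish nameserver, which is enough to pull the box for a look); the www.cdc.gov traffic from 10.0.0.22 is left alone because matching is on the registrable IOC domain, not on the string "cdc".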

AnnaZed

join:2009-12-01
Pasadena, CA

reply to Dennis
We got 10 of these within 20 minutes in 3 different email boxes. Our boss (Luddite) almost clicked on his.


© 1999-2012 dslreports.com.