antiphishing
Phishing Scam Terminator
Premium
join:2004-06-09
Wilkes Barre, PA
|  Warning regarding fake malware patch 'patch_4723.zip '
Date: Thu, 12 Apr 2007 20:38:44 +0200
From: "Postmaster"
Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: sgtpepper_1967@yahoo.com
Subject: ATTN!
File name: patch_4723.zip
File size: 38kb
File type: application/octet-stream
--
Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
| |
|
 kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH
2 edits | Re: Warning regarding fake malware patch 'patch_4723.zip ' Not just Yahoo accounts, I'm seeing them on my personal email too.
It's the latest variant of the Mixor/Nuwar/"Storm Worm" outbreak that's been hitting this week (name varies widely by AV vendor).
Whatever is sending them (worm or spambot) is pretty adept at punching through my greylister too. Fortunately I have multiple layers of virus scanning on my personal email as well. 
Up until now they've all been just straight .exe attachments, but this latest one has taken the Bagle approach of sending itself as a password-protected zip attachment. The upside is my email anti-virus setup strips encrypted zips, so no definition updates are needed.
--
Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK. | |
|
 | kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH
| Re: Warning regarding fake malware patch 'patch_4723.zip ' Just got another one, in my Yahoo account this time.
Attached file is Patch_2119.zip. | |
|
| |
antiphishing
Phishing Scam Terminator
Premium
join:2004-06-09
Wilkes Barre, PA
1 edit | Re: Warning regarding fake malware patch 'patch_4723.zip ' said by kpatz  :Just got another one, in my Yahoo account this time. Attached file is Patch_2119.zip. A massive spam outbreak that tries to trick recipients into opening a file attachment that can hijack their computers has already broken records, security companies said today. Researchers at Postini Inc. said the spam run is the largest in the last 12 months....
»cwflyris.computerworld.com/t/144···59068/2/
--
Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
| |
|
boognish
Premium
join:2001-09-26
Baton Rouge, LA
clubs:
1 edit | Our exchange server is getting pounded by this one today. I normally see maybe 50 virus warnings from the exchange server a day. Today it has been well over 2000. I have been blocking certain IPs but haven't had a chance to go put some rules in spamassassin to block which I need to do. | |
|
|
antiphishing
Phishing Scam Terminator
Premium
join:2004-06-09
Wilkes Barre, PA
| Re: Warning regarding fake malware patch 'patch_4723.zip ' said by boognish :Our exchange server is getting pounded by this one today. I normally see maybe 50 virus warnings from the exchange server a day. Today it has been well over 2000. I have been blocking certain IPs but haven't had a chance to go put some rules in spamassassin to block which I need to do. Subject Support Team Virus Activity Detected! 60k
Subject Customer Support Center Virus Detected! 60k
Subject Arthur A Is For Attitude 70k
Subject welfare Our Love Nest 70k
--
Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
| |
|
rds24a
Teach Your Children
Premium
join:2000-12-13
Springboro, OH
clubs:
1 edit | Several different builds of KIS 6 seem to have no problems deleting it. I've seen around 10 of them at three different locations....all on rr.com
--
All hail JoePa | |
|
| rotty97
join:2005-06-30
Australia | Re: Warning regarding fake malware patch 'patch_4723.zip ' LOL, the .exe "patch" has to unpack at sometime to run.............. | |
|
garys_2k
join:2004-05-07
Farmington, MI | I just submitted the zip file to virustotal and pitifully few scanners picked it up. My Avira Antivir passed it right by - maybe the encryption fooled it. | |
|
Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
 ·Shaw
| NOD32 picked it up when you try to unpack it as the zip file is password protected so no AV is going to detect it in that state, its when it unpacks that is when your AV should pick it up.
We are going to see a lot of these as it using the typical randomly generated user ids married up with the domain name, ditto for the reply so if you bounce it, some other unsuspecting Joe might get it as a bounced email. The usual distribution method.
It actually an interesting attack in that it takes the malware zips it up with password protection where the password is randomly generated and an accompanying gif is generated and packaged with the password. Thus far the passwords all have the same pattern 3 letters followed by 2 digits. This is an attack with a higher level of sophistication then the usual slash and dump as someone did some coding on this.
Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool | |
|
| 
Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
 ·Verizon Online DSL
| Re: Warning regarding fake malware patch 'patch_4723.zip ' said by Link Logger :... This is an attack with a higher level of sophistication then the usual slash and dump as someone did some coding on this. Purely from the code perspective, yes. But these guys still can't get seem to get their spelling/grammar right: "adress", "becouse", "We recommend you to install...", "We had archived the patch...".
If the creative coders ever hooked up with good writers, these things probably wouldn't be as easy to spot simply on the basis of the goofy message texts.
--
If God wanted us to work with electrons, He'd make them big enough to see... | |
|
| |
antiphishing
Phishing Scam Terminator
Premium
join:2004-06-09
Wilkes Barre, PA
| Re: Warning regarding fake malware patch 'patch_4723.zip ' said by Blackbird :said by Link Logger :If the creative coders ever hooked up with good writers, these things probably wouldn't be as easy to spot simply on the basis of the goofy message texts. My thoughts exactly. 
--
Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
| |
|
| | | kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH
2 edits | Re: Warning regarding fake malware patch 'patch_4723.zip ' said by antiphishing :My thoughts exactly. If that ever happens, it will be the end of the Internet, since no one who receives an email with correct spelling and grammar is going to think it contains a virus.
--
Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK. | |
|
| | psloss
Premium
join:2002-02-24
Alpharetta, GA
| said by Blackbird :If the creative coders ever hooked up with good writers, these things probably wouldn't be as easy to spot simply on the basis of the goofy message texts. True, but those folks do hook up for different "campaigns."
These e-mails are more than sufficiently effective on the users they are targeting, idiosyncrasies and all. The Storm Worm group did very well using pure EXE attachments in January; just about anyone that fell for that is likely to fall for this, too.
--
Feedback? e-mail: stuff@lupwa.org | |
|
| | 
Martinus
Premium
join:2001-08-06
EU
| said by Blackbird : Purely from the code perspective, yes. But these guys still can't get seem to get their spelling/grammar right: "adress", "becouse", "We recommend you to install...", "We had archived the patch...". English is not my native language but I've seen sentences in these forums - heck. nearly in most forums - by native English speakers with more grammatical or syntactical flaws than the ones you mention.
I don't think grammar can be used as a malware giveaway in this context. For the illustrated, probably. For the rest, I doubt it.
--
Si naciste pa' martillo del cielo te caen los clavos | |
|
| | | kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH
| Re: Warning regarding fake malware patch 'patch_4723.zip ' said by Martinus :I don't think grammar can be used as a malware giveaway in this context. For the illustrated, probably. For the rest, I doubt it. So far, every piece of malware I've received in email has had lousy spelling or grammar in the message, if there is a message at all.
So, if you receive an email that is well written, spelled correctly, no typos, and no grammatical errors, chances are it wasn't created by a spammer or a virus/worm.
--
Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK. | |
|
| | | |
Martinus
Premium
join:2001-08-06
EU
| Re: Warning regarding fake malware patch 'patch_4723.zip ' said by kpatz :said by Martinus :I don't think grammar can be used as a malware giveaway in this context. For the illustrated, probably. For the rest, I doubt it. So far, every piece of malware I've received in email has had lousy spelling or grammar in the message, if there is a message at all. So, if you receive an email that is well written, spelled correctly, no typos, and no grammatical errors, chances are it wasn't created by a spammer or a virus/worm. Yes. If it's well written, it probably comes from MS PR monkeys
But, hey, malware writers will probably get it grammatically right at some point by trial and error.
Probably a good idea not to ditch your AV just because you are an eagle to spot grammatical flaws right away.
--
Si naciste pa' martillo del cielo te caen los clavos | |
|
| | | | | quatrix
Premium
join:2005-02-11
Davie, FL
| Re: Warning regarding fake malware patch 'patch_4723.zip ' said by Martinus :Probably a good idea not to ditch your AV just because you are an eagle to spot grammatical flaws right away. Eagle? If you read the message, even the first sentence sounds obviously wrong. | |
|
| | | | | |
Martinus
Premium
join:2001-08-06
EU
| Re: Warning regarding fake malware patch 'patch_4723.zip ' said by quatrix :said by Martinus :Probably a good idea not to ditch your AV just because you are an eagle to spot grammatical flaws right away. Eagle? If you read the message, even the first sentence sounds obviously wrong. Yeah, to you. But probably not to everybody.
I've seen more atrocities committed against the English language in this forum than I though was possible.
People writing "their" when they mean "there", "here, here Microsoft" when they, obviously meant "hear, hear Microsoft", and so on. So yes, a grammar check will quickly give a clue to some but don't expect that'll help everybody.
--
Si naciste pa' martillo del cielo te caen los clavos | |
|
| | | 
luddite
join:2001-09-09
Allen, TX
| said by Martinus :said by Blackbird : Purely from the code perspective, yes. But these guys still can't get seem to get their spelling/grammar right: "adress", "becouse", "We recommend you to install...", "We had archived the patch...". English is not my native language but I've seen sentences in these forums - heck. nearly in most forums - by native English speakers with more grammatical or syntactical flaws than the ones you mention. I don't think grammar can be used as a malware giveaway in this context. For the illustrated, probably. For the rest, I doubt it. On the flip side I think that bad spelling/grammar is only a tip-off to those who are pretty fluent and proficient with the English language to begin with (which is probably a very small percent of the total users on the internet).
My in-laws don't speak English as their primary language and I would be willing to bet that they would be easily fooled by the supposed 'officialness' of such an email as this. I've had to reformat one PC in their household on two separate occasions so far... No idea how it got infected exactly (I suspect pr0n sites) but I wouldn't be surprised to find out they fell for some such email attack such as this.
I guess what I'm trying to say is that there are many, many, many people out there on the internet for which English is not their primary language and this email will not be viewed as an obvious 'scam' simply due to poor grammar. | |
|
| | |
Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
·Verizon Online DSL
| said by Martinus :English is not my native language but I've seen sentences in these forums - heck. nearly in most forums - by native English speakers with more grammatical or syntactical flaws than the ones you mention. I don't think grammar can be used as a malware giveaway in this context. For the illustrated, probably. For the rest, I doubt it. Perhaps I didn't express myself well. I was referring to the fact that phishes, fake patches, and the like all purport to be from established, reputable organizations. But my experience has been that "official" notification messages sent out by legitimate groups have almost always been vetted for basic spelling or grammar... either by spell/grammar checkers or by an educated author. That doesn't mean an error might not pop up in a legitimate message, but it does mean that a collection of obvious errors in a message almost certainly guarantees it's not any kind of official notice being broadcast by a legitimate organization. As a result, whenever I encounter an error-filled, purportedly "official" message, I generally look no further and simply hit the delete button.
Obviously, those with less English-language experience will not be able to do that... but that's why nobody should be opening executables or naively trusting URL links contained in any unsolicited eMail, regardless of language or where they live. And in any case, if the language looks OK, I still practice safe-hex in not opening attachments or assuming links are valid without first cross-checking 100% with the real purported sender by direct, person-to-person or other secure, independent means.
Verify, verify, verify.
--
If God wanted us to work with electrons, He'd make them big enough to see... | |
|
DrModem
Premium
join:2006-10-19
USA | I got that the other day, recognized it as a virus and took care of it. It's too corny to fool me lol. | |
|
|
| kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH
| Re: Warning regarding fake malware patch 'patch_4723.zip ' That's been one busy robot.
These "Storm Worm" variants are one of the few items that seem to be able to regularly "punch-through" my greylister. Good thing that it hits F-prot when it reaches my mail server and then NOD32 when it gets downloaded to the desktop.
--
Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK. | |
|
|
antiphishing
Phishing Scam Terminator
Premium
join:2004-06-09
Wilkes Barre, PA
1 edit | said by Jameson :Got one as well this morning. The one i got was called removal-8736.zip Did the email header contain the information "User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)" and was it from a Yahoo email account?
X-Apparently-To: html_edit@yahoo.com via 68.142.198.159; Thu, 12 Apr 2007 11:27:33 -0700
X-YahooFilteredBulk: 162.39.116.180
X-Originating-IP: [162.39.116.180]
Return-Path:
Authentication-Results: mta434.mail.mud.yahoo.com from=med.va.gov; domainkeys=neutral (no sig)
Received: from 162.39.116.180 (HELO h180.116.39.162.ip.alltel.net) (162.39.116.180) by mta434.mail.mud.yahoo.com with SMTP; Thu, 12 Apr 2007 11:27:32 -0700
Received: from vqyhx ([26.84.210.33]) by h180.116.39.162.ip.alltel.net (8.13.4/8.13.4) with SMTP id l3CIm64j074509; Thu, 12 Apr 2007 14:48:06 -0400
Message-ID:
Date: Thu, 12 Apr 2007 14:44:50 -0400
From: "Customer Support Center"
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: html_edit@yahoo.com
Subject: Virus Detected!
Content-Type: multipart/mixed; boundary="------------040808030703010202050005"
Content-Length: 60246
--
Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
| |
|
|
| kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH | Re: Warning regarding fake malware patch 'patch_4723.zip ' The "Thunderbird" user-agent header seems to be consistent across this entire spam run. It's probably hard-coded. | |
|
|
antiphishing
Phishing Scam Terminator
Premium
join:2004-06-09
Wilkes Barre, PA
| said by Jameson :Yup: User-Agent: Thunderbird 1.5.0.9 (Windows/20061207) EDIT: However it was From: Customer Support One of the patterns that I have been noticing is that Yahoo email accounts are one of the targets. Every email contains the header line "Thunderbird 1.5.0.9 (Windows/20061207)" being sent through zombie machines in Europe and the United States.
--
Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
| |
|
BosstonesOwn
join:2002-12-15
Everett, MA
clubs: | Times like these I thank god for Solaris 10 | |
|
| |
| 
Rickez
Goinginsane
join:2000-09-02
Three Rivers, MA | Times like this I thank god for common sense. | |
|
| | BosstonesOwn
join:2002-12-15
Everett, MA
clubs:
·Comcast
| Re: Warning regarding fake malware patch 'patch_4723.zip ' Yeah for us. What about the normal people.
My email box is full of these because we support windows servers now too. And most of the windows shops are getting hammered with this.
--
"It's always funny until someone gets hurt......and then it's absolutely friggin' hysterical!" | |
|
|
| |
59126125
Premium
join:2006-01-21
clubs:
1 edit | Isn't it a little strange that this is occurring close to the deadline for filing taxes? Or is it just coincidence? »news.yahoo.com/s/ap/20070414/ap_···JAJvzwcF
--
There is a reason the wires are twisted together, it's called a pair. It defeats the whole purpose of twisted pair cabling by using the solid orange and solid green to wire the jack. | |
|
|
antiphishing
Phishing Scam Terminator
Premium
join:2004-06-09
Wilkes Barre, PA
| Re: Warning regarding fake malware patch 'patch_4723.zip ' Are you referring that internet users will use infected computers, not knowing that their tax information will end up in the hands of cybercriminals through the use of a root kit or key logger
Interesting theory.
--
Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
| |
|
| |
59126125
Premium
join:2006-01-21
clubs:
1 edit | Re: Warning regarding fake malware patch 'patch_4723.zip ' Sure the idea is on the paranoid side, but if someone wanted to harvest as much personal info as possible in the shortest amount of time, wouldn't tax time be the prime opportunity? What if someone created a root kit or whatever that targeted tax prep programs like TurboTax, etc.?
--
There is a reason the wires are twisted together, it's called a pair. It defeats the whole purpose of twisted pair cabling by using the solid orange and solid green to wire the jack. | |
|
| | |
antiphishing
Phishing Scam Terminator
Premium
join:2004-06-09
Wilkes Barre, PA
| Re: Warning regarding fake malware patch 'patch_4723.zip ' said by 59126125 :Sure the idea is on the paranoid side, but if someone wanted to harvest as much personal info as possible in the shortest amount of time, wouldn't tax time be the prime opportunity? What if someone created a root kit or whatever that targeted tax prep programs like TurboTax, etc.? That was exactly the point that I was trying to get at. Who's to say that you couldn't use a software program like TurboTax and have a key logger installed on the same computer.
--
Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
| |
|
|
| 
SpannerITWks
Premium
join:2005-04-22
| Re: Forecast - Massive Storms clouded by Rootkits That link goes to - hxxp://64.28.178.4/index.php - and is associated with -
hxxp://free-orgy-movies.com
( This domain name parked on Estparking.com. To buy this domain click here. )
I was on an exact replica of that www - hxxp://moviefresher.com - in the last 1/2 hour, as i found it linked to a Zlob www i was DL'ing from.
Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks | |
|
Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB | Has anyone tried this bad boy in with a virtual system as we might have a no goer in a virtual environment.
Blake | |
|
|
|
|
·
,the combination of naive internet plus social engineering, does equal the slow destruction of the internet.
