Any Infomation??? - Page 2
Page 2 of 2 FirstFirst 12
Results 11 to 16 of 16

Thread: Any Infomation???

  1. #11
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Quote Originally Posted by morganlefay
    So did you get headers of the email??

    I always like to know where these come from.

    MLF
    No I haven't been able to trap an original copy yet, the ones I'v got have been forwarded to me and the headers have been altered.

    Cheers:
    DjM

  2. #12
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Quote Originally Posted by SirDice
    Link is b0rked but it looks like a virus to me. The whole thing looks and smells like one anyway.
    I agree with you (and everyone else), I have already set-up a block for these emails and sent out an email to the company to tell them to delete the email if they got one.

    Thanks all.

    Cheers:
    DjM

  3. #13
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    For those of you that might want to play, I pulled this link from the source of the HTML email.

    http://firefox.myip.org/extra/window...e-KB863892.exe

    Go there at your own risk.

    Cheers:
    Last edited by DjM; June 26th, 2007 at 05:12 PM.
    DjM

  4. #14
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    The following was just posted on the SANS Internet Storm Center:

    Several of our readers reported an email that lead to a fake Microsoft patch being spammed on the net today. The email had their full names and in one case the company they worked for included in the body of the email. So far I have seen 4 different urls. We are working on getting the systems hosting the malware cleaned or shutdown. We have submitted the malware itself to most of the AV vendors so detection should improve but currently it is not detected. Thanks go out to PatrickC, TroyP, NathanM, BruceD and CalebC.
    You can see in the body of the email below that the spelling is bad and the license key is not in the right format for XP nor Outlook.

    One of the submitters “PatrickC” provided the following email for a fake Microsoft patch and malware site.
    “The following email I received is new to me. The URL points to
    hxxp://fake.microsoft.site./MSOUTRC2007Update-KB863892.exe
    Bye.”
    ==Sanitized email header==============
    X-Envelope-To: <patrick >
    <SNIP to protect Patrick >
    Date: Tue, 26 Jun 2007 14:51:39 +0200
    Precedence: bulk
    To: Patrick
    Subject: Microsoft Security Bulletin MS07-0065 - Critical Update
    From: "Microsoft Corp." <update@microsoft.com>
    Content-Type: text/html; charset=iso-8859-1
    Message-Id: <E1I3AWB-00010F-00@s137553944.websitehome.co.uk>
    X-Antivirus: avast! (VPS 000752-0, 2007-06-25), Inbound message
    X-Antivirus-Status: Clean
    Microsoft.com Home |
    | Windows Family | Windows Marketplace | Office Family | Microsoft Update
    Dear Patrick
    You are receiving this message because you are using Genuine Microsoft Software and your e-mail address has been subscribed to the Microsoft Windows Update mailing list.
    A new 0-day vulnerability has appeared in the wild and was reported for the first time Monday, June 18th. The vulnerability affects machines running MICROSOFT OUTLOOK and allows an attacker to take full control of the vulnerable computer if the exploitation process is succesfull.
    Since then, more than 100,000 machines have been reported as exploited and used to promote spammy pharmacy products such as viagra and cialis.
    An update has been released to fix this issue and can be downloaded from the following link :
    http://windowsupdate.microsoft.com/outlook/upd ate-0-day/download.aspx?id=63852
    Quick Details
    File Name: MSOUTRC2007Update-KB863892.exe
    Version: 3.1.1023
    Date Published: 06/25/2007
    Download Size: 20 Kb
    Estimated Download Time: 1 sec
    It's urgent to download and install the update as soon as possible in order to decrease the number of succesfull attacks that occure each day. The update is only available for Genuine Versions of Microsoft Outllok.
    Instructions :
    1. Click the link above to start the download
    2. Save the update in your WINDOWS directory and run it from there.If you want to start the installation immediately click Run in the download box, after you click the link.
    3. After you run it, the update will download the security packages required to patch Microsoft Outlook.The entire process will take around 10-15 minutes, and you'll receive a confirmation message once the update process is completed.

    Your Microsoft Windows Licence Information is :
    REG ISTERED TO : Patrick
    Licence KEY : XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
    Thank you
    Microsoft Corp.
    =====================================
    From Norman Sandbox:
    MSOUTRC2007Update-KB863892.exe : INFECTED with W32/Malware (Signature: NO_VIRUS)
    [ DetectionInfo ]
    * Sandbox name: W32/Malware
    * Signature name: NO_VIRUS
    [ General information ]
    * Drops files in %WINSYS% folder.
    * File length: 20480 bytes.
    * MD5 hash: c7a8bde380043b5d8d7229e82db1c2fc.
    [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM32\sdoctor.exe.
    * Creates file C:\france.html.
    * Deletes file c:\france.html.
    [ Changes to registry ]
    * Creates value "SpywareDoctor"="C:\WINDOWS\SYSTEM32\sdoctor.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    [ Process/window information ]
    * Will automatically restart after boot (I'll be back...).
    * Attemps to NULL C:\COMMAND.COM /c del c:\sample.exe >> NUL.
    * Modifies other process memory.
    * Creates a remote thread.
    [ Signature Scanning ]
    * C:\WINDOWS\SYSTEM32\sdoctor.exe (20480 bytes) : no signature detection.
    We notified one of the support teams at a hosting provider that a virus was found on one of there customers systems.
    Their auto responder responded within a minute.
    A support person removed the malware and responded within 30 minutes.
    When I tried to verify that I found the malware was still there or back.
    When I notified the hosting provider that the malware was back the support person analysised logs, determined it was being uploaded via ftp and immediately disabled the ftp account involved.
    Cheers:
    DjM

  5. #15
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Yep. It's popping up everywhere. You were the lucky first batch

    http://www.sophos.com/security/blog/2007/06/272.html
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #16
    Junior Member
    Join Date
    Jun 2007
    Location
    Surrey, BC, Canada
    Posts
    1
    I received 2 copies of this email yesterday, and downloaded the MSOUTRC2007Update-KB863892.exe from http://cronos.dsmodena.it/************/.
    A NIS scan showed the file to be safe. Upon installation it created the following files and added them to HKCU\..\Run:
    C:\WINDOWS\config.exe
    C:\WINDOWS\MSHelp.exe
    C:\WINDOWS\helpme.exe
    Also created and set to run as a service:
    C:\WINDOWS\AntiSpyware.exe
    C:\WINDOWS\spywaredoctor.dll
    It also added AntiSpyware.exe entries to HKLM\SYSTEM\ControlSet003\Services\
    Manually deleted all files and registry entries.

    This information is provided for those who unknowingly got caught with this as an aid to clean their system.

Similar Threads

  1. Protect my private infomation form administrator
    By odigohi in forum Web Security
    Replies: 24
    Last Post: July 19th, 2007, 09:06 PM
  2. need help stopping a pedophile!!!
    By th3>kLuTz in forum AntiOnline's General Chit Chat
    Replies: 20
    Last Post: July 14th, 2002, 07:01 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •