Virus forgery via email attachment
A reminder to never open email attachments that you are not expecting
without first checking them against the latest update of anti-virus software.
This latest one forges itself to appear to be from official-sounding (but other
than 'support', non-existent) eskimo.com addresses.
We do not send unexpected attachments, nor do we sign support emails as
"the Eskimo.com team" (a possible link that this is evolved from a similar
attachment email flood from last year).
~ Eric
Some specifics from Symantec/Norton:
http://www.symantec.com/avcenter/venc/data/w32.mytob.eh@mm.html
-----
W32.Mytob.EH@mm [and other similarly named strains] is a mass-mailing worm
that opens an IRC back door and lowers security settings on the compromised
computer.
The email has the following characteristics:
From:
One of the following:
adam, alex, andrew, anna, bill, bob, brenda, brent, brian, claudia,
dan, dave, david, debby, frank, fred, george, helen, jack, james, jane,
jerry, jim, jimmy, joe, john, jose, josh, julie, kevin, leo, linda,
maria, mary, matt, michael, mike, paul, peter, ray, robert, sales, sam,
sandra, serg, smith, stan, steve, ted, tom
Or one of the following with the same email domain as the recipient:
admin, administrator, info, mail, register, service, support, webmaster
Note: The worm may also spoof a From address from one of the
addresses found on the compromised computer.
Subject:
One of the following:
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
[random characters]
Message:
One of the following:

Dear user [username],
You have successfully updated the password of your [domain] account.
If you did not authorize this change or if you need assistance with
your account, please contact [domain] customer service at:
[full domain]
Thank you for using [domain]!
The [domain] Support Team

Dear user [username],
It has come to our attention that your [domain] User Profile ( x )
records are out of date. For further details see the attached document.
Thank you for using [domain]!
The [domain] Support Team
+++ Attachment: No Virus (Clean)
+++ [domain] Antivirus - www.[full domain]

Dear [domain] Member,
We have temporarily suspended your email account [username].
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due to an internal error within our processors.
See the details to reactivate your [domain] account.
Sincerely,The [domain] Support Team
+++ Attachment: No Virus (Clean)
+++ [domain] Antivirus - www.[full domain]

Dear [domain] Member,
Your e-mail account was used to send a huge amount of unsolicited
spam messages during the recent week. If you could please take 5-10 minutes
out of your online experience and confirm the attached document so you will
not run into any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to
cancel your membership.
Virtually yours,
The [domain] Support Team
+++ Attachment: No Virus found
+++ [domain] Antivirus - www.[full domain]
Note: [username] is the user part of the target e-mail address and [domain]
is the domain part of the target email address.
Note: The worm may also send a zip copy of itself. The zipped file will
have .doc, .htm, or .txt as the first extension name and .exe, .pif, or
.scr as the second extension name.
-----
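As an added defensive example (not part of Eric's post or the Symantec write-up), the Python below checks one incoming message for the three traits the write-up describes: a sender name from the same-domain spoof list, a subject from the lure list, and an attachment whose name has the .doc/.htm/.txt then .exe/.pif/.scr double extension, including members of a zip attachment. The function names, the example.com addresses and the sample message are constructed here for illustration.

```python
import io, re, zipfile
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Sender names, subjects and extension pairs are taken from the Symantec text above.
SPOOFED_SAME_DOMAIN = {"admin", "administrator", "info", "mail", "register",
                       "service", "support", "webmaster"}
KNOWN_SUBJECTS = {"your account is suspended", "*detected* online user violation",
                  "your account is suspended for security reasons", "members support",
                  "warning message: your services near to be closed.", "security measures",
                  "important notification", "email account suspension", "notice of account limitation"}
DOUBLE_EXT = re.compile(r"\.(doc|htm|txt)\.(exe|pif|scr)$", re.IGNORECASE)  # e.g. readme.txt.scr

def suspicious_names(part):
    # Names matching the double-extension pattern; zip members are checked by name only.
    name = part.get_filename() or ""
    hits = [name] if DOUBLE_EXT.search(name) else []
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                hits += [f"{name}:{m}" for m in zf.namelist() if DOUBLE_EXT.search(m)]
        except zipfile.BadZipFile:  # damaged or fake zip: still worth a human look
            hits.append(f"{name}:(unreadable zip)")
    return hits

def mytob_indicators(raw):
    # Return every Mytob-style lure indicator found in one RFC 822 message string.
    msg = message_from_string(raw)
    sender, rcpt = (parseaddr(msg.get(h, ""))[1].lower() for h in ("From", "To"))
    local, _, from_domain = sender.partition("@")
    found = []
    if local in SPOOFED_SAME_DOMAIN and from_domain and from_domain == rcpt.partition("@")[2]:
        found.append(f"sender {sender} uses the recipient's own domain")
    if msg.get("Subject", "").strip().lower() in KNOWN_SUBJECTS:
        found.append("subject matches a known lure")
    for part in msg.walk():
        found += ["attachment " + n for n in suspicious_names(part)]
    return found

def build_sample():
    # Constructed message shaped like the lure above (not a real capture).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.doc.exe", b"placeholder bytes, not an executable")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "support@example.com", "user@example.com", "Email Account Suspension"
    msg.set_content("Dear example.com Member, see the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="document.zip")
    return msg.as_string()
```

Running `mytob_indicators(build_sample())` on the constructed sample reports all three indicators; a message with none of the traits returns an empty list.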