Eskimo North



Virus forgery via email attachment

A reminder to never open email attachments that you are not expecting
without first checking them against the latest update of anti-virus software.
This latest one forges itself to appear to be from official-sounding (but, other
than 'support', non-existent) eskimo.com addresses.

We do not send unexpected attachments, nor do we sign support emails as
"the Eskimo.com team" (a possible link that this is evolved from a similar
attachment email flood from last year).

~ Eric


Some specifics from Symantec/Norton:
http://www.symantec.com/avcenter/venc/data/w32.mytob.eh@mm.html
-----
W32.Mytob.EH@mm [and other similarly named strains] is a mass-mailing worm
that opens an IRC back door and lowers security settings on the compromised
computer.

The email has the following characteristics:

From:
    One of the following:

    adam, alex, andrew, anna, bill, bob, brenda, brent, brian, claudia,
    dan, dave, david, debby, frank, fred, george, helen, jack, james, jane,
    jerry, jim, jimmy, joe, john, jose, josh, julie, kevin, leo, linda,
    maria, mary, matt, michael, mike, paul, peter, ray, robert, sales, sam,
    sandra, serg, smith, stan, steve, ted, tom

    Or one of the following with the same email domain as the recipient:

    admin, administrator, info, mail, register, service, support, webmaster

    Note: The worm may also spoof a From address from one of the
    addresses found on the compromised computer.

Subject:
    One of the following:

    Your Account is Suspended
    *DETECTED* Online User Violation
    Your Account is Suspended For Security Reasons
    Warning Message: Your services near to be closed.
    Important Notification
    Members Support
    Security measures
    Email Account Suspension
    Notice of account limitation
    [random characters]

Message:
    One of the following:

    Dear user [username],
    You have successfully updated the password of your [domain] account.
    If you did not authorize this change or if you need assistance with
    your account, please contact [domain] customer service at:
    [full domain]
    Thank you for using [domain]!
    The [domain] Support Team

    Dear user [username],
    It has come to our attention that your [domain] User Profile ( x )
    records are out of date. For further details see the attached document.
    Thank you for using [domain]!
    The [domain] Support Team
    +++ Attachment: No Virus (Clean)
    +++ [domain] Antivirus - www.[full domain]

    Dear [domain] Member,
    We have temporarily suspended your email account [username].
    This might be due to either of the following reasons:
    1. A recent change in your personal information (i.e. change of address).
    2. Submiting invalid information during the initial sign up process.
    3. An innability to accurately verify your selected option of
    subscription due to an internal error within our processors.
    See the details to reactivate your [domain] account.
    Sincerely,The [domain] Support Team
    +++ Attachment: No Virus (Clean)
    +++ [domain] Antivirus - www.[full domain]

    Dear [domain] Member,
    Your e-mail account was used to send a huge amount of unsolicited
    spam messages during the recent week. If you could please take 5-10 minutes
    out of your online experience and confirm the attached document so you will
    not run into any future problems with the online service.
    If you choose to ignore our request, you leave us no choice but to
    cancel your membership.
    Virtually yours,
    The [domain] Support Team
    +++ Attachment: No Virus found
    +++ [domain] Antivirus - www.[full domain]

Note: [username] is the user part of the target e-mail address and [domain]
is the domain part of the target email address.

Note: The worm may also send a zip copy of itself. The zipped file will
have .doc, .htm, or .txt as the first extension name and .exe, .pif, or
.scr as the second extension name.
-----
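The characteristics quoted above (a forged role account in the recipient's own domain, a fixed set of subjects, the "Support Team" body templates, and a zipped copy named with a .doc/.htm/.txt first extension and .exe/.pif/.scr second extension) are enough to write a simple mail filter. The Python below is an added example for this archive page, not code from Eskimo North or from Symantec's write-up. The sample messages it builds, the example.net addresses, and the extra check for a bare .exe/.pif/.scr attachment (the write-up only describes the zipped name) are my own assumptions.

```python
"""Flag mail matching the W32.Mytob.EH@mm characteristics quoted above (added example)."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# From local-parts listed in the write-up: first names plus "sales"
GENERIC_SENDERS = set(
    "adam alex andrew anna bill bob brenda brent brian claudia dan dave david "
    "debby frank fred george helen jack james jane jerry jim jimmy joe john jose "
    "josh julie kevin leo linda maria mary matt michael mike paul peter ray "
    "robert sales sam sandra serg smith stan steve ted tom".split())
# Role accounts the worm forges in the recipient's own domain
ROLE_SENDERS = set("admin administrator info mail register service support webmaster".split())
SUBJECTS = {
    "Your Account is Suspended", "*DETECTED* Online User Violation",
    "Your Account is Suspended For Security Reasons",
    "Warning Message: Your services near to be closed.", "Important Notification",
    "Members Support", "Security measures", "Email Account Suspension",
    "Notice of account limitation",
}
# name.doc.exe, name.htm.pif, name.txt.scr ... as described for the zipped copy
DOUBLE_EXT = re.compile(r"\.(doc|htm|txt)\.(exe|pif|scr)$", re.IGNORECASE)
# Bare executable attachment: my assumption, not spelled out in the write-up
EXEC_EXT = re.compile(r"\.(exe|pif|scr)$", re.IGNORECASE)


def split_address(header_value):
    """Return (local_part, domain) of the first address in a header, lowercased."""
    _, addr = parseaddr(header_value or "")
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return addr.lower(), ""
    return local.lower(), domain.lower()


def mytob_indicators(raw):
    """Return a list of indicator names found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    from_local, from_domain = split_address(msg.get("From"))
    _, to_domain = split_address(msg.get("To"))
    if from_local in ROLE_SENDERS and from_domain == to_domain:
        hits.append("from-role-account-in-recipient-domain")
    elif from_local in GENERIC_SENDERS:
        hits.append("from-generic-first-name")
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        hits.append("subject-template")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if "+++ Attachment: No Virus" in body or f"The {to_domain} Support Team" in body:
        hits.append("body-template")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if EXEC_EXT.search(name):
            hits.append(f"executable-attachment:{name}")
        elif name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    members = zf.namelist()
            except zipfile.BadZipFile:
                hits.append(f"corrupt-zip-attachment:{name}")
                continue
            hits.extend(f"zip-double-extension:{m}" for m in members if DOUBLE_EXT.search(m))
    return hits


def _build(from_addr, to_addr, subject, body, attachment=None):
    """Constructed test message; attachment is (filename, bytes) or None."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = from_addr, to_addr, subject
    msg.set_content(body)
    if attachment:
        fname, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return msg.as_bytes()


def _zip_bytes(member_name):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ placeholder, not a real program")
    return buf.getvalue()


def build_sample_worm_mail():
    """Constructed sample following the third template quoted above (domain example.net)."""
    body = ("Dear example.net Member,\n"
            "We have temporarily suspended your email account alice.\n"
            "See the details to reactivate your example.net account.\n"
            "Sincerely,The example.net Support Team\n"
            "+++ Attachment: No Virus (Clean)\n"
            "+++ example.net Antivirus - www.example.net\n")
    return _build("support@example.net", "alice@example.net", "Your Account is Suspended",
                  body, ("account.zip", _zip_bytes("account.doc.exe")))


def build_benign_mail():
    """Constructed ordinary message with a harmless attachment."""
    return _build("carol@example.org", "alice@example.net", "Lunch tomorrow?",
                  "Same place at noon?\n", ("menu.txt", b"soup of the day\n"))


if __name__ == "__main__":
    print(mytob_indicators(build_sample_worm_mail()))
    print(mytob_indicators(build_benign_mail()))
```

The From check deliberately treats a role account in the recipient's own domain as a stronger signal than a generic first name, since the write-up says the worm may also spoof any address harvested from the infected machine; a first-name match alone is weak and is worth a different action (quarantine and review) than the domain-spoof plus template match.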