Virus Guy
Within the past few hours I got an e-mail that came from
210.214.168.103 (dialpool-210-214-168-103.maa.sify.net), which is
Satyam Infoway Pvt. Ltd., a "Value Added Network service provider in
India".
Here is the body of the e-mail:
-------------------
Subject: Your new account password is approved
Dear user (valid account name within my-domain),
You have successfully updated the password of your (my-domain)
account.
Please view the attached file for more information.
If you did not authorize this change or if you need assistance with
your account, please contact (my-domain) customer service at:
support@(my-domain).com
Thank you for using (my-domain)!
The (My-domain) Support Team
Attachment: Scan Complete (0 Virus Found)
+++ (my-domain) Antivirus - www.(my-domain).com
updated-password.zip
Name: updated-password.zip
Type: Zip Compressed Data (application/x-zip-compressed)
Encoding: base64
-----------------------
Inside the zip attachment is a single file called
"updated-password.txt.exe". I have edited the file name. In the
original name, there are about 20 spaces (or more) between ".txt" and
".exe".
Clearly they are using pretty strong social engineering tactics to get
the recipient to open the mail (and their string-parser didn't **** up
on them too).
Some AV software is calling it Mytob.??, where ?? is FB or QO or bi or
HE. It's also being called MyDoom.58 by clam. Here are the results:
This is a report processed by VirusTotal on 07/10/2005 at 03:37:07
(CET) after scanning the file "updated-password.txt.exe".

Antivirus     Version         Update       Result
AntiVir       6.31.0.9        07.09.2005   no virus found
AVG           718             07.08.2005   I-Worm/Mytob.QO
Avira         6.31.0.9        07.09.2005   no virus found
BitDefender   7.0             07.09.2005   Win32.Worm.Mytob.FB
ClamAV        devel-20050501  07.08.2005   Worm.Mytob.GH
DrWeb         4.32b           07.08.2005   Win32.HLLM.MyDoom.58
eTrust-Iris   7.1.194.0       07.08.2005   no virus found
eTrust-Vet    11.9.1.0        07.08.2005   no virus found
Fortinet      2.36.0.0        07.09.2005   suspicious
Ikarus        2.32            07.08.2005   no virus found
Kaspersky     4.0.2.24        07.10.2005   Net-Worm.Win32.Mytob.bi
McAfee        4531            07.08.2005   no virus found
NOD32v2       1.1164          07.08.2005   Win32/Mytob.HE
Norman        5.70.10         07.07.2005   W32/Suspicious_M.gen
Panda         8.02.00         07.09.2005   no virus found
Sybari        7.5.1314        07.10.2005   Net-Worm.Win32.Mytob.bi
Symantec      8.0             07.09.2005   no virus found
TheHacker     5.8.2.069       07.10.2005   no virus found
VBA32         3.10.4          07.09.2005   Net-Worm.Win32.Mytob.bi
I've verified that Norton (my version of NAV 2002) is not detecting a
threat from this file. The corporate version of NAV running on our
mail server also didn't see this as a threat.
Using a text editor, I can see the following readable text fragments:
Winsock, kernel32.dll LoadLibraryA GetProcAddress
(that's about it).
The file is 40,147 bytes, and has today's date (5:02:36 pm).
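The attachment trick described in the post (a ".txt" name padded with a run of spaces so the real ".exe" extension scrolls out of view inside the zip) can be caught at the mail gateway without running the payload, simply by inspecting the zip's member names. The following is an added example written for this page, not code from the original post; the zip it inspects is constructed in memory with a harmless dummy body that only mimics the reported filename layout.

```python
import io
import re
import zipfile

# Extensions Windows will execute when the user double-clicks the extracted file.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def analyze_member_name(name: str) -> list[str]:
    """Return the reasons a zip member name looks like a disguised executable."""
    reasons = []
    base = name.rsplit("/", 1)[-1]          # ignore any directory part
    stripped = base.rstrip()                # trailing whitespace hides nothing on disk
    ext = stripped[stripped.rfind("."):].lower() if "." in stripped else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        stem = stripped[: -len(ext)]
        # A second, benign-looking extension, optionally followed by whitespace padding
        # so the real extension is pushed out of a narrow filename column.
        m = re.search(r"\.([A-Za-z0-9]{1,4})(\s*)$", stem)
        if m:
            reasons.append(f"double extension: .{m.group(1)} before {ext}")
            if m.group(2):
                reasons.append(
                    f"{len(m.group(2))} whitespace chars pad the real extension out of view"
                )
    return reasons


def scan_zip_attachment(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name in the zip to its list of findings."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = analyze_member_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the reported layout: 20 spaces between .txt and .exe.
    The member body is a dummy string, not the worm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("updated-password.txt" + " " * 20 + ".exe", b"MZ dummy content")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip_attachment(build_sample_zip()).items():
        print(repr(member), "->", "; ".join(why))
```

A plain "report.txt" member produces no findings, so the same check can run on every inbound zip without flagging ordinary attachments.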