FYI...
Bogus email claims to come from FTC
- http://www.ftc.gov/opa/2007/10/bogus.shtm
October 29, 2007 - "A bogus email is circulating that says it is from the Federal Trade Commission, referencing a “complaint” filed with the FTC against the email’s recipient. The email includes links and an attachment that download a virus. As with any suspicious email, the FTC warns recipients not to click on links within the email and not to open any attachments. The spoof email includes a phony sender’s address, making it appear the email is from “frauddep@ftc.gov” and also spoofs the return-path and reply-to fields to hide the email’s true origin. While the email includes the FTC seal, it has grammatical errors, misspellings, and incorrect syntax. Recipients should forward the email to spam@uce.gov and then delete it. Emails sent to that address are kept in the FTC’s spam database to assist with investigations. Simply opening the email does not appear to cause harm. However, it is likely that anyone who has opened the email’s attachment or clicked on the links has downloaded the virus on their computer, and should run an anti-virus program. The virus appears to install a “key logger” that could potentially grab passwords and account numbers..."
=======================
Malicious Code: World Bank Deception: Trojan Horse
- http://www.websense.com/securitylabs...hp?AlertID=812
October 29, 2007 - "Websense® Security Labs™ has discovered a new Trojan horse using real data from the World Bank. As in past targeted attacks, the samples that we have captured appear to be using names and email addresses taken from the contact pages of the legitimate site. In this case, the email body includes the name of a real World Bank employee.
The message reads:
Subject: WorldBank report
Dear Colleagues,
This three-year Country Partnership Strategy (CPS) builds on Bulgaria's considerable achievements over the last eight years .. *snipped for brevity* .. and the surveillance roles played by the International Monetary Fund (IMF) and the EU's Stability and Growth Pact upon Bulgaria's EU accession.
At the following link you'll find our report:
http : // <URL REMOVED> /
Thank you!
Best Regards,
Ivelina Taushanova
Associate Professor of Management Science
<USERNAME REMOVED> @ worldbank . org
http: // WorldBank . org
The link leads to the malicious executable WorldBank_doc_36146.txt.exe, which is displayed with the standard notepad.exe icon. Unless the user has configured Windows to explicitly show the file extension (which most people do not, since it requires changing the default configuration), there is no way to visually tell that this file is actually an executable. When run, the initial executable drops a plain text document with information from a real World Bank document, displayed in IE. Also dropped is a packed Trojan horse (bifrose) whose file name makes it appear to be an MSN Messenger plugin. When this article was created, no anti-virus vendors detected the initial executable as malicious. The initial executable downloaded by the victim does not actually make any outbound connection from the victim's desktop to obtain the two dropped files. Because both dropped files are derived from the initial executable, no suspicious network traffic is generated. The dropped Trojan horse (msnmsgr_plugin.exe) maintains a persistent connection to a host name on the dyndns.org domain..."
(Screenshot available at the URL above.)
=======================================
Malicious Code: Halloween Deception: Info Stealing Trojan
- http://www.websense.com/securitylabs...hp?AlertID=813
October 29, 2007 - "Websense® Security Labs™ has discovered a new Trojan Horse information stealer that is being emailed out as a Halloween Greeting Card in Mexico. To date we have seen four unique sites being spammed out all with the same binary file. They were in Korea, Brazil, and Russia, and were all up and running at the time of this alert. The file is called "hallowenDay.exe" and has an MD5 of (65cd5a35bc70075f86cb6404f54d67b8). It is also poorly detected by anti-virus signatures. Assuming users access the site and select to run the file a Trojan Horse is downloaded onto their machine which is designed to steal banking information from users, the file appears to also be packed with a unique custom packer. We expect to see additional email lures and malicious websites on our radar with Halloween night quickly approaching. The email is written in HTML and has a variety of subject lines..."
(Screenshot available at the URL above.)