Important Email Virus Information | MassCops


Discussion in 'MassCops News' started by Gil, Jul 7, 2005.

  1. Gil

    Gil Founder of MassCops Staff Member

    MassCops Members and MassCops WebMail Users

    Important Email Virus Information

    Some of you have been receiving email addressed from the masscops.com domain with an attachment. DO NOT OPEN THESE ATTACHMENTS.

    This is a result of the [email protected] email worm.

    [email protected] is a mass-mailing worm that has back door capabilities and uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.

    The worm uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

    From:
    (Spoofed) It could be an email address that the worm finds on the compromised machine.
    It also could be one of the following:


    adam
    alex
    andrew
    anna
    bill
    bob
    brenda
    brent
    brian
    claudia
    dan
    dave
    david
    debby
    frank
    fred
    george
    helen
    jack
    james
    jane
    jerry
    jim
    jimmy
    joe
    john
    jose
    josh
    julie
    kevin
    leo
    linda
    maria
    mary
    matt
    michael
    mike
    paul
    peter
    ray
    robert
    sales
    sam
    serg
    smith
    stan
    steve
    ted
    tom

    Or one of the following with the same email domain as the recipient:


    admin
    administrator
    info
    mail
    register
    sandra
    service
    support
    webmaster

    Subject:
    One of the following:


    Your password has been updated
    Your password has been successfully updated
    You have successfully updated your password
    Your new account password is approved
    [RANDOM]

    Message:

    Dear user [USER NAME],
    You have successfully updated the password of your [DOMAIN] account.If you did not authorize this change or if you need assistance with your
    account, please contact [DOMAIN] customer service at: [SPOOFED EMAIL]
    Thank you for using [DOMAIN]!
    The [DOMAIN] Support Team
    +++ Attachment: No Virus (Clean)
    +++ [DOMAIN] Antivirus - www.[FULL DOMAIN]

    Attachment:
    One of the following:


    updated-password
    email-password
    new-password
    password
    approved-password
    account-password
    accepted-password
    [RANDOM]

    with one of the following extensions:


    .bat
    .cmd
    .exe
    .pif
    .scr
    .zip

    When it sends a .zip as attachment, the zipped copy has .doc, .htm, or .txt as the first extension, and .exe, .pif, or .scr as the second extension. The first extension may also have many spaces.

    The email may also be in the following format:

    From:
    Spoofed in the same way as mentioned above.

    Subject:
    One of the following:


    Your Account is Suspended'
    *DETECTED* Online User Violation
    Your Account is Suspended For Security Reasons
    Warning Message: Your services near to be closed.
    Important Notification
    Members Support
    Security measures
    Email Account Suspension
    Notice of account limitation
    [RANDOM]

    Message:
    One of the following:


    Dear user [USER NAME],
    It has come to our attention that your [DOMAIN] User Profile ( x ) records are out of date. For further details see the attached document.
    Thank you for using [DOMAIN]!
    The [DOMAIN] Support Team
    +++ Attachment: No Virus (Clean)
    +++ [DOMAIN] Antivirus - www.[FULL DOMAIN]

    Dear [DOMAIN] Member,
    We have temporarily suspended your email account .
    This might be due to either of the following reasons:
    1. A recent change in your personal information (i.e. change of address).
    2. Submiting invalid information during the initial sign up process.
    3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
    See the details to reactivate your [DOMAIN] account.
    Sincerely,The [DOMAIN] Support Team
    +++ Attachment: No Virus (Clean)
    +++ [DOMAIN] Antivirus - www.[FULL DOMAIN]

    Dear [DOMAIN] Member,
    Your e-mail account was used to send a huge amount of unsolicited spam messages
    during the recent week. If you could please take 5-10 minutes
    out of your online experience and confirm the attached document so you
    will not run into any future problems with the online service.
    If you choose to ignore our request, you leave us no choice but to cancel your membership.
    Virtually yours,
    The [DOMAIN] Support Team
    +++ Attachment: No Virus found
    +++ [DOMAIN] Antivirus - www.[FULL DOMAIN]

    Note: [DOMAIN] is the domain part of the recipient's email address, [USER NAME] is the username part of the recipient's email address, [SPOOFED EMAIL] is a spoofed email address on the same domain, and [EMAIL] is the recipient's email address.

    Attachment:
    One of the following:


    important-details
    account-details
    email-details
    account-info
    document
    readme
    account-report
    [RANDOM]

    with one of the following extensions:


    .bat
    .cmd
    .exe
    .pif
    .scr
    .zip

    When it sends a .zip as attachment, the zipped copy has .doc, .htm, or .txt as the first extension and .exe, .pif, or .scr as the second extension. The first extension may also have many spaces.

    More Information on this worm can be located here:
    http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
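The attachment traits listed in the post (executable extensions, and zipped copies whose name has a decoy .doc/.htm/.txt extension, optional padding spaces, then .exe/.pif/.scr) can be checked at a mail gateway. The sketch below is an added example, not part of the original post or of any vendor tool; the function names and the constructed sample message are assumptions made for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Attachment extensions listed in the advisory (.zip is inspected separately).
EXECUTABLE_EXTS = (".bat", ".cmd", ".exe", ".pif", ".scr")
# Decoy first extension, optional padding spaces, then the real executable one.
DOUBLE_EXT = re.compile(r"\.(doc|htm|txt)\s*\.(exe|pif|scr)$", re.IGNORECASE)

def suspicious_name(name):
    """Return why a file name matches the advisory, or None (hypothetical helper)."""
    name = name.strip().lower()
    if DOUBLE_EXT.search(name):
        return "double extension"
    return "executable extension" if name.endswith(EXECUTABLE_EXTS) else None

def scan_message(raw):
    """Return [(name, reason)] for attachments and zip members of a raw message."""
    findings = []
    for part in message_from_bytes(raw).walk():
        filename = part.get_filename()
        if not filename:
            continue
        names = [filename]
        if filename.lower().endswith(".zip"):
            try:
                data = part.get_payload(decode=True) or b""
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    names += [f"{filename}!{m}" for m in zf.namelist()]
            except zipfile.BadZipFile:
                findings.append((filename, "unreadable zip"))
        findings += [(n, r) for n in names if (r := suspicious_name(n))]
    return findings

def constructed_sample():
    """Constructed test message: harmless bytes under a worm-style zip member name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("account-details.txt" + " " * 40 + ".scr", b"placeholder")
    msg = EmailMessage()
    msg.set_content("See the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="account-details.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(constructed_sample()))
```

Matching on attachment names alone misses the [RANDOM] base names, which is why the check keys on the extension pattern rather than the listed file names.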
     
