MassCops Members and MassCops WebMail Users

Important Email Virus Information

Some of you have been receiving email addressed from the masscops.com domain with an attachment. DO NOT OPEN THESE ATTACHMENTS.

This is a result of the [email protected] email worm.

[email protected] is a mass-mailing worm that has back door capabilities and uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.

The worm uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

From:
(Spoofed) It could be an email address that the worm finds on the compromised machine.
It also could be one of the following:

adam
alex
andrew
anna
bill
bob
brenda
brent
brian
claudia
dan
dave
david
debby
frank
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
josh
julie
kevin
leo
linda
maria
mary
matt
michael
mike
paul
peter
ray
robert
sales
sam
serg
smith
stan
steve
ted
tom

Or one of the following with the same email domain as the recipient:

admin
administrator
info
mail
register
sandra
service
support
webmaster

Subject:
One of the following:

Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
[RANDOM]

Message:

Dear user [USER NAME],
You have successfully updated the password of your [DOMAIN] account.If you did not authorize this change or if you need assistance with your
account, please contact [DOMAIN] customer service at: [SPOOFED EMAIL]
Thank you for using [DOMAIN]!
The [DOMAIN] Support Team
+++ Attachment: No Virus (Clean)
+++ [DOMAIN] Antivirus - www.[FULL DOMAIN]

Attachment:
One of the following:

updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
[RANDOM]

with one of the following extensions:

.bat
.cmd
.exe
.pif
.scr
.zip

When it sends a .zip as attachment, the zipped copy has .doc, .htm, or .txt as the first extension, and .exe, .pif, or .scr as the second extension. The first extension may also have many spaces.

The email may also be in the following format:

From:
Spoofed in the same way as described above.

Subject:
One of the following:

Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
[RANDOM]

Message:
One of the following:

Dear user [USER NAME],
It has come to our attention that your [DOMAIN] User Profile ( x ) records are out of date. For further details see the attached document.
Thank you for using [DOMAIN]!
The [DOMAIN] Support Team
+++ Attachment: No Virus (Clean)
+++ [DOMAIN] Antivirus - www.[FULL DOMAIN]

Dear [DOMAIN] Member,
We have temporarily suspended your email account .
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
See the details to reactivate your [DOMAIN] account.
Sincerely,The [DOMAIN] Support Team
+++ Attachment: No Virus (Clean)
+++ [DOMAIN] Antivirus - www.[FULL DOMAIN]

Dear [DOMAIN] Member,
Your e-mail account was used to send a huge amount of unsolicited spam messages
during the recent week. If you could please take 5-10 minutes
out of your online experience and confirm the attached document so you
will not run into any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to cancel your membership.
Virtually yours,
The [DOMAIN] Support Team
+++ Attachment: No Virus found
+++ [DOMAIN] Antivirus - www.[FULL DOMAIN]

Note: [DOMAIN] is the domain part of the recipient's email address, [USER NAME] is the username part of the recipient's email address, [SPOOFED EMAIL] is a spoofed email address on the same domain, and [EMAIL] is the recipient's email address.

Attachment:
One of the following:

important-details
account-details
email-details
account-info
document
readme
account-report
[RANDOM]

with one of the following extensions:

.bat
.cmd
.exe
.pif
.scr
.zip

When it sends a .zip as attachment, the zipped copy has .doc, .htm, or .txt as the first extension and .exe, .pif, or .scr as the second extension. The first extension may also have many spaces.

More Information on this worm can be located here:
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
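
The attachment naming described in this notice (executable extensions, and zipped copies with a decoy first extension padded with spaces) can be checked before a message reaches a mailbox. The following is an added example, not part of the original post or of the vendor write-up; the function names and the sample message are constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Executable extensions the notice lists for direct attachments.
DIRECT_EXT = re.compile(r"\.(bat|cmd|exe|pif|scr)$", re.IGNORECASE)
# Decoy first extension, optional padding spaces, executable second extension.
DOUBLE_EXT = re.compile(r"\.(doc|htm|txt)\s*\.(exe|pif|scr)$", re.IGNORECASE)

def check_name(name):
    """Return a reason string if a file name matches the notice, else None."""
    name = name.strip()
    if DOUBLE_EXT.search(name):
        return "decoy double extension"
    if DIRECT_EXT.search(name):
        return "executable extension"
    return None

def scan_message(raw):
    """Return (file name, reason) for each suspicious attachment in a raw message."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        reason = check_name(fname)
        if reason:
            findings.append((fname, reason))
        elif fname.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for member in zf.namelist():
                        reason = check_name(member)
                        if reason:
                            findings.append((fname + "!" + member, "zip member: " + reason))
            except zipfile.BadZipFile:
                findings.append((fname, "unreadable zip"))
    return findings

def build_sample():
    """Constructed sample: a harmless zip whose member name mimics the pattern."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("account-details.txt" + " " * 40 + ".scr", b"placeholder")
    msg = EmailMessage()
    msg.set_content("See the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="account-details.zip")
    return msg.as_bytes()
```

Running `scan_message(build_sample())` reports the padded `.txt ... .scr` member inside the zip, which a check on the outer `.zip` name alone would miss.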