
Trojan Horse
NOD32 has pulled out another nasty from an email that arrived today on one of my spam honeypot addresses. Unlike last time, this time the identical (to me) message contains a Worm instead of a Trojan as an attachment. NOD32 identifies it as an exe file inside a zip file called “a variant of Win32/Nuwar worm”. Whatever. The sender is still a crook bastard and deserves everything he’ll get for attempting to harm a Buddhist! Ha. Ha.
This is the text of the message below, shown after NOD32 has done its work. It follows the usual social engineering rules of fear, uncertainty and doubt (FUD), but poorly executed in language and spelling skills as well as lacking any verifiable authority behind the message.
Your internet access is going to get suspended
The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts. We are aware of your illegal activities on the internet wich were originating from
You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.
Sincerely
ICS Monitoring Team
__________ ESET NOD32 Antivirus warning, version of virus signature database 3475 (20080926) __________
Warning, ESET NOD32 Antivirus found the following threats in the message:
user-EA49943X-activities.zip – probably a variant of Win32/Nuwar worm – deleted
user-EA49943X-activities.zip > ZIP > user-EA49943X-activities.exe – probably a variant of Win32/Nuwar worm – was a part of the deleted object
user-EA49943X-activities.zip > ZIP > user-EA49943X-activities.exe > UPX v12_m2 – probably a variant of Win32/Nuwar worm – was a part of the deleted object
Twat bastards.
This is the header with my info removed (obviously :-? )
Return-Path: <email hidden>
X-Original-To: xxxxxxxxxxxxxxxxxxxxxxxxx
X-Envelope-To: xxxxxxxxxxxxxxxxxxxxxxxxx
Delivered-To: xxxxxxxxxxxxxxxxxxxxxxxxx
Received: from p4FD1D873.dip.t-dialin.net (p4FD1D873.dip.t-dialin.net [79.209.216.115])
by xxxxxxxxxxxxxxxxxxxxxxxxx (Postfix) with ESMTP id B86EFE000088
for <xxxxxxxxxxxxxxxxxxxxxxxxx>; Sat, 27 Sep 2008 10:26:47 +0100 (BST)
Message-ID: <67827.burton@chriss>
Date: Sat, 27 Sep 2008 07:39:20 +0000
From: "ICS Monitoring Team" <email hidden>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0
dip.t-dialin.net is the dial-up part of T-Online (Deutsche Telekom) I think.
in.ml.com is a spoofed Merrill Lynch address, which is kind of ironic given its profile in the last few weeks!
If anyone can tell me different I’d be pleased to know. I’m just starting to investigate how headers work...
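As an added example (not part of the original post), a Python script that makes the same checks on these headers programmatically: the submitting host's reverse DNS against the From: domain, the bare host in the Message-ID, and the gap between the Date: header and the relay's own timestamp. The hidden addresses are replaced by constructed placeholders; in.ml.com is the spoofed domain named above.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (not the post's raw mail): the headers shown above with the hidden
# addresses replaced by placeholders. mx.example.invalid and victim@example.invalid
# stand in for the author's own server and mailbox.
SAMPLE = """\
Return-Path: <sender@in.ml.com>
Received: from p4FD1D873.dip.t-dialin.net (p4FD1D873.dip.t-dialin.net [79.209.216.115])
\tby mx.example.invalid (Postfix) with ESMTP id B86EFE000088
\tfor <victim@example.invalid>; Sat, 27 Sep 2008 10:26:47 +0100 (BST)
Message-ID: <67827.burton@chriss>
Date: Sat, 27 Sep 2008 07:39:20 +0000
From: "ICS Monitoring Team" <sender@in.ml.com>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0

(body omitted)
"""

# One Received: hop as Postfix writes it: "from HELO (rDNS [IP]) by HOST ...; DATE"
HOP_RE = re.compile(r"from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[^\]]+)\]\)"
                    r" by (?P<by>\S+).*?;\s*(?P<date>.+)$")

def triage_headers(raw):
    """Return the observations a first-pass header review would note."""
    msg = message_from_string(raw)
    # Each relay prepends its own Received: line, so the last one listed is the
    # earliest hop: the host that actually handed the mail to our server.
    hops = [re.sub(r"\s+", " ", h).strip() for h in msg.get_all("Received", [])]
    hop = HOP_RE.search(hops[-1])
    rdns = hop.group("rdns").lower()
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    msgid_host = msg["Message-ID"].strip().strip("<>").rsplit("@", 1)[-1].lower()
    # Relay's own timestamp minus the Date: the sending client claimed.
    skew = parsedate_to_datetime(hop.group("date")) - parsedate_to_datetime(msg["Date"])
    return {
        "origin_ip": hop.group("ip"),
        "origin_rdns": rdns,
        "from_domain": from_domain,
        # Mail genuinely from in.ml.com would normally leave a host under that domain.
        "from_domain_mismatch": not rdns.endswith("." + from_domain),
        # A Message-ID host with no dot is a bare machine name, not a mail domain.
        "msgid_host_suspicious": "." not in msgid_host,
        # Heuristic: consumer dial-up/DSL pools rarely submit mail directly to an MX.
        "dynamic_origin": any(t in rdns for t in ("dialin", "dip.", "dyn", "pool")),
        "date_skew_seconds": int(skew.total_seconds()),
    }
```

Run `triage_headers(SAMPLE)` to see every finding at once; on this mail the relay stamped it 1h47m after the Date: the client claimed, and the only hop is a T-Online dial-up host rather than anything under in.ml.com.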