Trojan Horse

“NOD32 has pulled out another nasty from an email that arrived today on one of my spam honeypot addresses.  Unlike last time, this time the identical (to me) message contains a Worm instead of a Trojan as an attachment.  NOD32 identifies it as an exe file inside a zip file called “a variant of Win32/Nuwar worm”.  Whatever.  The sender is still a crook bastard and deserves everything he’ll get for attempting to harm a Buddhist!  Ha. Ha.

This is the text of the message below, shown after NOD32 has done it’s work.  It follows the normal human engineering type rules of fear, uncertainty and doubt (FUD), but poorly executed in language and spelling skills as well as a lack of verifiable authority behind their message.Your internet access is going to get suspended

Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.

Sincerely
ICS Monitoring Team
__________ ESET NOD32 Antivirus warning, version of virus signature database 3475 (20080926) __________

Warning, ESET NOD32 Antivirus found the following threats in the message:

user-EA49943X-activities.zip – probably a variant of Win32/Nuwar worm – deleted
user-EA49943X-activities.zip > ZIP > user-EA49943X-activities.exe – probably a variant of Win32/Nuwar worm – was a part of the deleted object
user-EA49943X-activities.zip > ZIP > user-EA49943X-activities.exe > UPX v12_m2 – probably a variant of Win32/Nuwar worm – was a part of the deleted object

http://www.eset.com

Twat bastards.

This is the header with my info removed (obviously :-? )

Return-Path: <email hidden; JavaScript is required>
X-Original-To: xxxxxxxxxxxxxxxxxxxxxxxxx
X-Envelope-To: xxxxxxxxxxxxxxxxxxxxxxxxx
Delivered-To: xxxxxxxxxxxxxxxxxxxxxxxxx
Received: from p4FD1D873.dip.t-dialin.net (p4FD1D873.dip.t-dialin.net [79.209.216.115])
by xxxxxxxxxxxxxxxxxxxxxxxxx (Postfix) with ESMTP id B86EFE000088
for <xxxxxxxxxxxxxxxxxxxxxxxxx>; Sat, 27 Sep 2008 10:26:47 +0100 (BST)
Message-ID: <67827.burton@chriss>
Date: Sat, 27 Sep 2008 07:39:20 +0000
From: “ICS Monitoring Team” <email hidden; JavaScript is required>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0

dip.t-dialin.net is the dial-up part of t-Online (Deutsche Telkom) I think.

in.ml.com is a spoofed Merrill Lynch address which is kindov ironic given it’s profile in the last few weeks!

If anyone can tell me different I’d be pleased to know.  I’m just starting to investigate how headers work….

Amazon Related:

LOGITECH Premium Stereo PC Headset Peripheral Headset and microphone COMPUTING

natural Cotton Messenger Bag by Hatti

• How to Use a Video Phone With DSL Internet and Routers Video Phones are increasing their presence in the market because high speed Internet connections are now common, and fast enough...
• Carbonite: The Importance of Data Backup Cannot Be Overstated Though it's especially true for businesses, data loss prevention affects 43% of PC users, and can be just as devastating....

Related Posts by Tags

• Your internet access is going to get suspended (says the Trojan) (1)
• Website Referral Spam and Cyber Security Malware (3)
• Combatting WordPress Trackback Comment Spam (9)