Your internet access is going to get suspended (says the Worm, this time!)

Trojan Horse

NOD32 has pulled out another nasty from an email that arrived today on one of my spam honeypot addresses. Unlike last time, this time the identical (to me) message contains a worm instead of a Trojan as an attachment. NOD32 identifies it as an exe file inside a zip file, flagged as “a variant of Win32/Nuwar worm”. Whatever. The sender is still a crook bastard and deserves everything he’ll get for attempting to harm a Buddhist! Ha. Ha.

This is the text of the message, shown below after NOD32 has done its work. It follows the usual social engineering rules of fear, uncertainty and doubt (FUD), but it is poorly executed in language and spelling, and there is no verifiable authority behind the message.

Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.

ICS Monitoring Team
__________ ESET NOD32 Antivirus warning, version of virus signature database 3475 (20080926) __________

Warning, ESET NOD32 Antivirus found the following threats in the message:
– probably a variant of Win32/Nuwar worm – deleted
> ZIP > user-EA49943X-activities.exe – probably a variant of Win32/Nuwar worm – was a part of the deleted object
> ZIP > user-EA49943X-activities.exe > UPX v12_m2 – probably a variant of Win32/Nuwar worm – was a part of the deleted object

Twat bastards.
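The NOD32 warning above shows the classic shape of this lure: a zip attachment wrapping a UPX-packed .exe. The following is an added example (my code, not the author's, and not NOD32's logic) of how a mail filter can look inside such an attachment without ever writing it to disk or running it. The message it scans is constructed inline to mirror the one in the post; the "executable" is inert filler bytes carrying only the MZ magic and the UPX! marker, and the placeholder addresses are from the reserved .invalid domain.

```python
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will execute directly; a zip carrying any of these deserves a closer look.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Heuristic markers: "MZ" is the DOS/PE executable magic; "UPX!" appears in the
# header of binaries compressed with the UPX packer (NOD32 reported a UPX layer above).
PE_MAGIC = b"MZ"
UPX_MARKER = b"UPX!"


def inspect_zip_bytes(data):
    """List every entry in an in-memory zip with the reasons it looks executable.

    Only the first 4 KiB of each entry is decompressed, so a deliberately
    bloated archive cannot exhaust memory or disk on the scanning host.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                head = fh.read(4096)
            reasons = []
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension " + ext)
            if head.startswith(PE_MAGIC):
                reasons.append("MZ (PE/DOS) magic")
            if UPX_MARKER in head:
                reasons.append("UPX packer signature")
            findings.append({"name": info.filename, "size": info.file_size, "reasons": reasons})
    return findings


def scan_message(raw):
    """Walk a raw RFC 822 message and inspect every zip attachment in memory."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    report = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        for finding in inspect_zip_bytes(payload):
            finding["attachment"] = part.get_filename() or "<unnamed>"
            report.append(finding)
    return report


def build_sample_message():
    """Constructed test message modelled on the one in the post; the 'exe' is inert filler."""
    fake_exe = PE_MAGIC + b"\x90" * 60 + UPX_MARKER + b"\x00" * 200  # not a real program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("user-EA49943X-activities.exe", fake_exe)
        zf.writestr("readme.txt", "six months of activity, honest")
    msg = EmailMessage()
    msg["From"] = '"ICS Monitoring Team" <monitoring@example.invalid>'  # placeholder sender
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Your internet access is going to get suspended"
    msg.set_content("You can check the report of your activities that we have attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="activities.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in scan_message(build_sample_message()):
        verdict = "SUSPICIOUS" if f["reasons"] else "ok"
        print("%s: %s (%d bytes) %s %s" % (f["attachment"], f["name"], f["size"],
                                          verdict, "; ".join(f["reasons"])))
```

The point of peeking rather than extracting is that the decision (quarantine, strip, or deliver) is made on metadata and a few header bytes; nothing from the attachment ever touches a filesystem or a process.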

This is the header with my info removed (obviously 😕 )

Return-Path: <>
X-Original-To: xxxxxxxxxxxxxxxxxxxxxxxxx
X-Envelope-To: xxxxxxxxxxxxxxxxxxxxxxxxx
Delivered-To: xxxxxxxxxxxxxxxxxxxxxxxxx
Received: from ( [])
by xxxxxxxxxxxxxxxxxxxxxxxxx (Postfix) with ESMTP id B86EFE000088
for <xxxxxxxxxxxxxxxxxxxxxxxxx>; Sat, 27 Sep 2008 10:26:47 +0100 (BST)
Message-ID: <67827.burton@chriss>
Date: Sat, 27 Sep 2008 07:39:20 +0000
From: “ICS Monitoring Team” <>
User-Agent: Thunderbird (Windows/20080213)
MIME-Version: 1.0

is the dial-up part of t-Online (Deutsche Telekom) I think. is a spoofed Merrill Lynch address, which is kind of ironic given its profile in the last few weeks!

If anyone can tell me different I’d be pleased to know. I’m just starting to investigate how headers work…
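Since the post ends on how to read the headers, here is an added example (mine, not the author's) of the checks that turn a header block like the one above into findings: read the Received chain bottom-up to reach the originating hop, note the empty Return-Path, compare the Message-ID and From domains, and compare the Date header with the first relay's timestamp. The header block in the code is constructed to mirror the post's, with the stripped hosts and addresses replaced by placeholders from the RFC 5737 (192.0.2.0/24) and RFC 2606 (.invalid) reserved ranges; the Message-ID and Postfix queue id are the ones shown above, and the dial-up rDNS pattern is only a heuristic.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr, parsedate_to_datetime

# Constructed header block modelled on the one in the post. Hosts and addresses are
# placeholders from reserved ranges, not the real values the author removed.
SAMPLE_HEADERS = b"""Return-Path: <>
X-Original-To: victim@example.invalid
Delivered-To: victim@example.invalid
Received: from relay.example.invalid (relay.example.invalid [192.0.2.10])
\tby mx.example.invalid (Postfix) with ESMTP id B86EFE000088
\tfor <victim@example.invalid>; Sat, 27 Sep 2008 10:26:47 +0100 (BST)
Received: from dialup-host (pd9e1a2b3.dip.example.invalid [192.0.2.77])
\tby relay.example.invalid (Postfix) with SMTP id 0123456789AB
\tfor <victim@example.invalid>; Sat, 27 Sep 2008 10:26:40 +0100 (BST)
Message-ID: <67827.burton@chriss>
Date: Sat, 27 Sep 2008 07:39:20 +0000
From: "ICS Monitoring Team" <someone@bank.example.invalid>
User-Agent: Thunderbird (Windows/20080213)
MIME-Version: 1.0

"""

RECEIVED_FROM = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?", re.IGNORECASE)
BRACKET_IP = re.compile(r"\[([0-9a-fA-F.:]+)\]")
# rDNS fragments ISPs commonly use for consumer dial-up / dynamic pools (heuristic only)
DYNAMIC_HINTS = ("dip", "dialup", "dialin", "dyn", "pool", "ppp")


def received_chain(msg):
    """Return the Received hops oldest-first.

    Every relay prepends its own Received header, so the one nearest the body
    was written first and describes the hop closest to the true origin.
    """
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())          # undo header folding
        m = RECEIVED_FROM.search(text)
        helo = m.group(1) if m else None
        comment = (m.group(2) or "") if m else ""
        ip_m = BRACKET_IP.search(comment)
        tokens = comment.replace("[", " [").split()
        rdns = next((t for t in tokens if not t.startswith("[")), None)
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else None
        hops.append({"claimed_helo": helo, "rdns": rdns,
                     "ip": ip_m.group(1) if ip_m else None, "stamp": stamp})
    return hops


def header_findings(raw):
    """Parse raw headers; return (human-readable findings, hop list oldest-first)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    if str(msg.get("Return-Path", "")).strip() in ("", "<>"):
        findings.append("empty Return-Path: bounces are discarded, usual for bulk or spoofed mail")

    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    msgid = str(msg.get("Message-ID", "")).strip("<> ")
    msgid_domain = msgid.rsplit("@", 1)[-1].lower() if "@" in msgid else ""
    if msgid_domain and "." not in msgid_domain:
        findings.append("Message-ID domain %r is not a fully qualified hostname" % msgid_domain)
    if msgid_domain and from_domain and msgid_domain != from_domain:
        findings.append("Message-ID domain %r does not match From domain %r"
                        % (msgid_domain, from_domain))

    hops = received_chain(msg)
    if hops:
        origin = hops[0]
        if origin["claimed_helo"] and "." not in origin["claimed_helo"]:
            findings.append("origin HELO %r is not a fully qualified hostname" % origin["claimed_helo"])
        if origin["rdns"] and any(h in origin["rdns"].lower() for h in DYNAMIC_HINTS):
            findings.append("origin reverse DNS %r looks like a consumer dial-up or dynamic pool"
                            % origin["rdns"])
        try:
            sent = parsedate_to_datetime(str(msg.get("Date", "")))
            first_seen = parsedate_to_datetime(origin["stamp"] or "")
            skew = int(abs((first_seen - sent).total_seconds()) // 60)
            if skew > 60:
                findings.append("Date header and first Received stamp differ by %d minutes" % skew)
        except (TypeError, ValueError):
            pass
    return findings, hops


if __name__ == "__main__":
    found, chain = header_findings(SAMPLE_HEADERS)
    for hop in chain:
        print("hop: helo=%(claimed_helo)s rdns=%(rdns)s ip=%(ip)s at %(stamp)s" % hop)
    for line in found:
        print("finding:", line)
```

Only the bottom-most Received header is worth trusting as the origin, and even that only as far as the relay that wrote it is trusted; everything above it in the From, Date and Message-ID lines is under the sender's control, which is exactly why the mismatches are the signal.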

By Strangely

Founding member of the gifted & talented band, "The Crawling Chaos" from the North-East of England.