Last updated on December 1st, 2010
“NOD32 has pulled out another nasty from an email that arrived today on one of my spam honeypot addresses. Unlike last time, this time the identical (to me) message contains a Worm instead of a Trojan as an attachment. NOD32 identifies it as an exe file inside a zip file called “a variant of Win32/Nuwar worm”. Whatever. The sender is still a crook bastard and deserves everything he’ll get for attempting to harm a Buddhist! Ha. Ha.
This is the text of the message below, shown after NOD32 has done it’s work. It follows the normal human engineering type rules of fear, uncertainty and doubt (FUD), but poorly executed in language and spelling skills as well as a lack of verifiable authority behind their message.Your internet access is going to get suspended
Your internet access is going to get suspended
The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts.
We are aware of your illegal activities on the internet wich were originating from
You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.
ICS Monitoring Team
__________ ESET NOD32 Antivirus warning, version of virus signature database 3475 (20080926) __________
Warning, ESET NOD32 Antivirus found the following threats in the message:
user-EA49943X-activities.zip – probably a variant of Win32/Nuwar worm – deleted
user-EA49943X-activities.zip > ZIP > user-EA49943X-activities.exe – probably a variant of Win32/Nuwar worm – was a part of the deleted object
user-EA49943X-activities.zip > ZIP > user-EA49943X-activities.exe > UPX v12_m2 – probably a variant of Win32/Nuwar worm – was a part of the deleted object
This is the header with my info removed (obviously 😕 )
Received: from p4FD1D873.dip.t-dialin.net (p4FD1D873.dip.t-dialin.net [220.127.116.11])
by xxxxxxxxxxxxxxxxxxxxxxxxx (Postfix) with ESMTP id B86EFE000088
for <xxxxxxxxxxxxxxxxxxxxxxxxx>; Sat, 27 Sep 2008 10:26:47 +0100 (BST)
Date: Sat, 27 Sep 2008 07:39:20 +0000
From: “ICS Monitoring Team” <>
User-Agent: Thunderbird 18.104.22.168 (Windows/20080213)
dip.t-dialin.net is the dial-up part of t-Online (Deutsche Telkom) I think.
in.ml.com is a spoofed Merrill Lynch address which is kindov ironic given it’s profile in the last few weeks!
If anyone can tell me different I’d be pleased to know. I’m just starting to investigate how headers work….