Tuesday, December 05, 2006

Another email trojan sent as an attachment.

A new variation of an old theme: the trojan name has changed and the file attachment name has changed, but the delivery is the same old played-out method of sending a virus or trojan as an email attachment. How boring.

The people who create some of these viruses are, I think, very creative in getting their junk software out to the masses. As much as I don't like what they do and how they do it (in fact I consider it a form of torture for regular computer users), they are very good at it.

The newest version, really just another variation of the same old method of spreading their bad software, arrived today. A desktop user reported to me that they had received an email that looked legitimate, but because most of my users have been well trained to expect the unexpected when it comes to email scams, they questioned the legitimacy of the email and notified me of it.

The subject contained the following:

Re: Mail server report

In appearance this looks like most real messages sent from email servers: very bland, with no distinguishing characteristics to let the user know whether it's really from their own server.

Then the body:

Our firewall determined the e-mails containing worm copies are being sent from your computer.

Nowadays it happens from many computers, because this is a new virus type (Network Worms).

Using the new bug in the Windows, these viruses infect the computer un-noticed. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service

Attachment: Update-KB2703-x86

The attachment even looks like a Microsoft file name, similar but not real. More experienced people, most network administrators, would look at this and see that it was bogus, as I did. But to an ordinary user or a less experienced admin, this attachment may very well be clicked on.

About the body: if you have heard enough language accents you would realize that this was written by someone with an accent. The most obvious clue that this isn't legitimate is that real updates don't come through email, and I don't know of anyone who would email another person a software update when they know it can be retrieved online very easily from Microsoft's update service.

It does look good, though, and even if many scanners would catch the virus as the file was unzipped and run, there are those with outdated software who would get infected, just as this email was sent from an infected computer. Then the chain continues on.

A simple rule is: don't open zip files from people you don't know, period. My users are aware of this, so they don't open a thing, and I have less trouble with outbreaks because of this basic training.
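A mail-gateway check built from the clues listed above (a bland server-report subject, a body pushing an "update", an attachment named like a Microsoft KB file) can hold this kind of message for the admin before a user ever sees it. This is an added example, not the author's setup: the patterns, weights and threshold are assumptions, and the sample message is constructed from the quoted text rather than captured.

```python
import re
from email import message_from_string

# Indicators from the scam in the post: server-report subject, body pushing an
# "update", attachment named like a Microsoft KB. Weights/threshold are assumptions.
SUBJECT_RE = re.compile(r"mail server report", re.IGNORECASE)
FAKE_KB_RE = re.compile(r"^update-?kb\d+", re.IGNORECASE)
RISKY_EXT = (".zip", ".exe", ".scr", ".pif", ".com", ".bat")
BODY_PHRASES = ("install updates", "worm", "computer restoring")
QUARANTINE_AT = 3

# Constructed sample modelled on the quoted message (not a real capture).
SAMPLE_SCAM = """\
Subject: Re: Mail server report
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Our firewall determined the e-mails containing worm copies are being sent
from your computer. Please install updates for worm elimination.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="Update-KB2703-x86.zip"

--b1--
"""

def indicators(raw):
    """Yield (weight, reason) for each scam indicator in a raw RFC 822 message.
    A KB-lookalike name weighs most: Microsoft never mails updates out."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    if SUBJECT_RE.search(subject):
        yield 1, "server-notice subject: %r" % subject
    text = " ".join(p.get_payload(decode=True).decode("utf-8", "replace")
                    for p in msg.walk() if p.get_content_type() == "text/plain")
    hits = [p for p in BODY_PHRASES if p in text.lower()]
    if hits:
        yield 1, "body pushes an update: " + ", ".join(hits)
    for name in filter(None, (p.get_filename() for p in msg.walk())):
        if name.lower().endswith(RISKY_EXT):
            yield 1, "archive or executable attachment: %r" % name
        if FAKE_KB_RE.match(name):
            yield 2, "attachment named like a Microsoft KB update: %r" % name

def score_message(raw):
    """Return (score, reasons); hold the mail for review at QUARANTINE_AT or more."""
    found = list(indicators(raw))
    return sum(w for w, _ in found), [r for _, r in found]
```

The sample scores 5 (subject, body, archive attachment, KB-lookalike name) and is held, while an ordinary message with no attachment scores 0.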

1 comment:

PC Tech Support said...

A real pain to get rid of is the qbot trojan worm. One of the most useful ways to get rid of the QBOT trojan is to create a group policy to not allow some of the known and key exe files to execute. These are files that are located in the windows system32 folder. Although some of them have randomly generated names, the beginning of many start with the _ (underscore character) and then qbot. The rest of the exe file name is often randomly generated. So with the use of wild card characters in the group policy restriction, even these files can be prevented from running.