#1 bytebuster, 03-24-2011, 03:27 AM

UPS virus emails getting through spam filters

For the first time, one of the "UPS" virus-bearing emails got through Comcast's spam filter to my email box. It says, "Dear customer, Your package was sent your home address. And it will arrive in 7 business day." It was pretty crude; it didn't even have a fake UPS logo. The file attached was a ".rar" file, what is that, some kind of scripting? I just trashed it. If you get a whole bunch of these viruses all of a sudden (and I have no idea what this is, nor do I care to find out), know that virus-bearing emails are getting through Comcast spam filters, if your customers have Comcast. Comcast's spam filters are getting increasingly inadequate; I keep getting strange emails with links to outside websites.
#2 ATTech, 03-24-2011, 04:46 AM

Quote (bytebuster): The file attached was a ".rar" file, what is that, some kind of scripting?

You've really never encountered a .rar file?
#3 Painless, 03-24-2011, 08:04 AM

I've played with one of these email attachments. When you unzip the file you reach what looks like a PDF. If you turn on 'show file extensions' you will see an 'exe' file which disappears when you click on it. Shortly after that you will be the victim of the 'System Tools 2010' scareware.

When I unzipped the rar file Avast blocked the process - that was before I tried to run the 'pdf'. I like Avast.

Use a VM or quarantined machine.
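The trick described in this post (an executable inside an archive, named so that it reads as a PDF once Windows hides file extensions) can be checked for without running anything. The script below is an added example, not code from the thread or any poster; it uses only the Python standard library, builds its own constructed sample archive in memory (not a real sample), and flags entries whose extension chain or leading bytes give away an executable. It also prints the archive's SHA-256, which is what you would look up or submit on VirusTotal as sys-eng did later in the thread. It reads zip archives; reading .rar would need the third-party `rarfile` module (assumed, not used here).

```python
"""Inspect an e-mail attachment archive for a disguised executable:
an .exe named to look like a PDF so that, with Windows file extensions
hidden, the victim only sees "something.pdf".

Added example using only the standard library. The sample archive is
constructed here and is not a real sample from the thread."""
from __future__ import annotations

import hashlib
import io
import zipfile

# Extensions Windows will execute when double-clicked (non-exhaustive).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js",
             ".jse", ".wsf", ".hta", ".cpl"}
# Extensions the lure pretends to be.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def build_sample_archive() -> bytes:
    """Constructed stand-in for the 'UPS' attachment: a fake PE file with a
    document-looking double extension, plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_document.pdf.exe", b"MZ" + b"\x00" * 62 + b"not a real PE")
        zf.writestr("readme.txt", b"Your package was sent your home address.")
    return buf.getvalue()


def classify_entry(name: str, head: bytes) -> list[str]:
    """Reasons an archive entry looks like a disguised executable.
    `head` is the first few bytes of the entry's content."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in base.split(".")[1:]]
    last = exts[-1] if exts else ""
    if last in EXEC_EXTS:
        reasons.append(f"executable extension {last}")
        if len(exts) >= 2 and exts[-2] in DOC_EXTS:
            reasons.append("double extension: document name with executable suffix")
    if head.startswith(b"MZ"):  # DOS/PE header: what every Windows .exe starts with
        if last in DOC_EXTS:
            reasons.append(f"content has PE header but extension {last} claims a document")
        elif last in EXEC_EXTS:
            reasons.append("PE header confirms executable content")
        else:
            reasons.append("content has PE header")
    return reasons


def scan_archive(data: bytes) -> dict:
    """Return the archive's SHA-256 (for a VirusTotal lookup) and, per entry,
    the reasons it looks suspicious. Zip only; for .rar the third-party
    `rarfile` module offers a similar interface (assumption, not used here)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)  # only the header bytes; the entry is never executed
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return {"sha256": hashlib.sha256(data).hexdigest(), "findings": findings}


if __name__ == "__main__":
    report = scan_archive(build_sample_archive())
    print("sha256:", report["sha256"])
    for entry, entry_reasons in report["findings"].items():
        print(entry)
        for reason in entry_reasons:
            print("  -", reason)
```

Run it as-is to see the constructed sample flagged on all three counts (executable extension, document-style double extension, PE header); point `scan_archive` at the bytes of a real attachment to check one from your own mailbox without opening it. Because the check reads only the first bytes of each entry, it works equally on a file that has been renamed to plain `.pdf`, which the extension-based rule alone would miss.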
#4 Steve202, 03-24-2011, 02:30 PM

I'm having tons of these atm and it's starting to get annoying.

I might grab one of the emails and let it infect a VM just to see what it does.
#5 Ccomp5950, 03-24-2011, 06:03 PM

Had a customer who is the director of advertising for a local radio station bring a printed copy of the email in today. He didn't open it at work, but when he got home curiosity got the better of him.
#6 sys-eng, 03-24-2011, 10:40 PM

Quote (Painless): When I unzipped the rar file Avast blocked the process - that was before I tried to run the 'pdf'. I like Avast. Use a VM or quarantined machine.

It is good to hear that Avast catches it eventually. I did not have time to test it like that. I received the message too, through my AT&T/Yahoo account. I scanned the attachment with both Avast and Malwarebytes, but it was not detected. I submitted it to VirusTotal, where it was pegged by 22 of 42 security programs. Avast was NOT one of them. I went to the Avast website to submit it, but they have no option for that. You can submit a false positive but not a false negative.
#7 Painless, 03-28-2011, 06:21 AM

I got another from "UPS" yesterday and Avast identified it as soon as the e-mail came down into Outlook.

As I said, I like Avast.
#8 Cadishead Computers (Administrator), 03-29-2011, 12:05 PM

I'm getting sick and tired of these UPS emails. I must be getting at least 3 a day!

Oh, and the latest is one from 'facebook'.

"Dear Customer.

A Spam is sent from your FaceBook account.

Your password has been changed for safety.

Information regarding your account and a new password is attached to the letter.
Read this information thoroughly and change the password to complicated one.


Please do not reply to this email, it's automatic mail notification!


Thank you for attention.
Your Facebook!"

Just for kicks I unrar'd this one, and MSSE immediately found it and came up with "VirTool:win32/injector.gen!BB", marked as severe, with the description "this program is used to create viruses, worms or other malware".
Yet another rar file. I think I may have to blog about this one and warn my clients.
#9 glricht, 03-30-2011, 05:21 PM

For the last month or so, the rogue security software scene has been pretty quiet. However, I've gotten four in the last three days, so the bad guys must be ramping things up a bit.

And two of the infections came from the UPS email! (Unfortunately, both of these users were actually waiting on a UPS package delivery, so clicked on the email without hesitation ... oops!)
#10 Steve202, 03-31-2011, 01:20 PM

Looks like the UPS emails have stopped and now they've moved on to DHL. Had a load this morning and throughout the day.