CastleCops, Internet Crime Fighters

Suspect zip attachment spoofed Circuit City sender
crimewatch
Cadet

Joined: Apr 02, 2004
Posts: 8
Location: USA

PostPosted: Tue Oct 10, 2006 4:23 pm    Post subject: Suspect zip attachment spoofed Circuit City sender

So you're sitting there scratching your head thinking "What order?" Note the message body that follows:

Quote:
Dear Customer,

Thank you for ordering from our internet shop. If you paid with a credit card, the charge on your statement will be from name of our shop.

This email is to confirm the receipt of your order. Please do not reply as this email was sent from our automated confirmation system.

Date : 08 Oct 2006 - 12:40
Order ID : 37679041

Payment by Credit card

Product : Quantity : Price
WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99

Subtotal : 2,449.99
Shipping : 32.88
TOTAL : 2,482.87

Your Order Summary located in the attachment file ( self-extracting archive with "37679041.pdf" file ).

PDF (Portable Document Format) files are created by Adobe Acrobat software and can be viewed with Adobe Acrobat Reader.
If you do not already have this viewer configured on a local drive, you may download it for free from Adobe's Web site.

We will ship your order from the warehouse nearest to you that has your items in stock (NY, TN, UT & CA). We strive to ship all orders the same day, but please allow 24hrs for processing.

You will receive another email with tracking information soon.

We hope you enjoy your order! Thank you for shopping with us!


Boy oh boy... I sure as heck didn't order no stinkin $2,449.99 Sony VAIO from Circuit City!

Really makes ya wanna open that zip file to see if you've been had, right?

HEADERS for this spam:
Return-Path: <commiserate@flyingwebsites.com> Tue Oct 10 10:38:52 2006
Received: from UnknownHost [85.101.222.158] by ds98162-1 with SMTP;
Tue, 10 Oct 2006 10:38:52 -0400
Date: Tue, 10 Oct 2006 20:33:46 +0500
From: info@circuitcity.com
Message-ID: <68185984.55835593@crawford.com>
To: shreveport@operationhomefront.net
Subject: Order ID : 37679041 Is Being Processed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------0BABE07038B4A4C"
X-Rcpt-To: <sac@operationhomefront.net>
X-SmarterMail-Spam: SPF_None

IP Trace for this message

Reg Info:
85.101.222.158
Record Type: IP Address
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

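The headers quoted in the post above carry the pattern a defender checks first: the From address claims circuitcity.com, the Return-Path sits at flyingwebsites.com, the Message-ID was generated at crawford.com, the Received line shows an unnamed host at 85.101.222.158, the mail server recorded no SPF result, and the Date header claims a time later than the server's own receipt timestamp. The envelope recipient (X-Rcpt-To) also differs from the To line, which is how a copy reached a mailbox other than the one named in To. The Python script below is an added example, not CastleCops tooling and not code from anyone in the thread: it takes the header block exactly as quoted (with the Received continuation line re-indented so it unfolds correctly) and reports those mismatches automatically. The function names, the choice of checks and the flag wording are my own; the header names and values come from the post.

```python
"""Header triage for the spoofed 'Circuit City' order mail (added example, not the page's code)."""
import re
from email.utils import parsedate_to_datetime

# The headers as quoted in the first post; the continuation line of Received
# is indented here so it unfolds as one header, as it would in the raw message.
RAW_HEADERS = """\
Return-Path: <commiserate@flyingwebsites.com> Tue Oct 10 10:38:52 2006
Received: from UnknownHost [85.101.222.158] by ds98162-1 with SMTP;
    Tue, 10 Oct 2006 10:38:52 -0400
Date: Tue, 10 Oct 2006 20:33:46 +0500
From: info@circuitcity.com
Message-ID: <68185984.55835593@crawford.com>
To: shreveport@operationhomefront.net
Subject: Order ID : 37679041 Is Being Processed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------0BABE07038B4A4C"
X-Rcpt-To: <sac@operationhomefront.net>
X-SmarterMail-Spam: SPF_None
"""


def parse_headers(raw):
    """Unfold a header block into {lowercase-name: [values]}; repeated headers are appended."""
    headers = {}
    name = None
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and name:  # folded continuation of the previous header
            headers[name][-1] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(name, []).append(value.strip())
    return headers


def first(headers, name):
    return headers.get(name, [""])[0]


def domain_of(value):
    """Domain of the first e-mail address in a header value, lowercased ('' if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", value)
    return m.group(1).lower() if m else ""


def triage_headers(raw):
    """Return the extracted sender facts plus a list of human-readable warning flags."""
    h = parse_headers(raw)
    result = {
        "from_domain": domain_of(first(h, "from")),
        "return_path_domain": domain_of(first(h, "return-path")),
        "message_id_domain": domain_of(first(h, "message-id")),
        "received_host": "",
        "received_ip": "",
        "envelope_recipient": first(h, "x-rcpt-to").strip("<>").lower(),
        "date_skew_seconds": None,
        "flags": [],
    }
    flags = result["flags"]

    received = first(h, "received")
    m = re.match(r"from\s+(\S+)\s+\[([\d.]+)\]", received)
    if m:
        result["received_host"], result["received_ip"] = m.group(1), m.group(2)
        if "." not in result["received_host"]:  # 'UnknownHost': no reverse DNS for the source IP
            flags.append("submitting host has no resolvable name (%s)" % result["received_ip"])

    if result["return_path_domain"] and result["return_path_domain"] != result["from_domain"]:
        flags.append("Return-Path domain differs from From domain")
    if result["message_id_domain"] and result["message_id_domain"] != result["from_domain"]:
        flags.append("Message-ID domain differs from From domain")

    # Compare the sender-supplied Date with the receiving server's own timestamp.
    if ";" in received and first(h, "date"):
        received_at = parsedate_to_datetime(received.rsplit(";", 1)[1].strip())
        claimed = parsedate_to_datetime(first(h, "date"))
        skew = int((claimed - received_at).total_seconds())
        result["date_skew_seconds"] = skew
        if skew > 0:
            flags.append("Date header is %d s later than the server's receipt time" % skew)

    if result["envelope_recipient"] and result["envelope_recipient"] not in first(h, "to").lower():
        flags.append("envelope recipient %s is not in the To header (bulk delivery)"
                     % result["envelope_recipient"])

    if "spf_none" in first(h, "x-smartermail-spam").lower():
        flags.append("no SPF record found for the claimed sending domain")
    return result


if __name__ == "__main__":
    report = triage_headers(RAW_HEADERS)
    for key, value in report.items():
        if key != "flags":
            print("%-20s %s" % (key, value))
    for flag in report["flags"]:
        print("WARNING:", flag)
```

None of these flags alone proves spoofing (mailing-list software and forwarders also produce Return-Path and To mismatches), but four or more of them on one message with a zip attachment is the profile of the mail in this thread, and it can be scored before anyone opens the archive.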
Ilex
Cadet
Joined: Oct 10, 2006
Posts: 4
Location: USA

PostPosted: Tue Oct 10, 2006 4:39 pm

One of my coworkers got a similar message a little while ago, only his was from "Walmart". He apparently opened the attached zip file and broke IE.

I am looking for information on how to fix this, and will keep watching this space.

PCBruiser
SRT Team Lead
Forums Admin
Joined: May 11, 2005
Posts: 11485
1st Responder Mentors 1st Responders Forums Admin MIRT Moderators Premium Rootkit Experts Security Experts SRT Team CC Committee

PostPosted: Tue Oct 10, 2006 4:47 pm

Hi, crimewatch,

I have two suggestions. First, the email your coworker received should be submitted to PERT, our anti-phishing service that analyzes phish and reports it to the appropriate authorities. You can submit the phish here:

CastleCops Link/modules.php?name=Fried_Phish&fp=queue

Next, the zip file should be uploaded into this thread for analysis by CC's Security Experts.

Finally, I recommend that you follow CastleCops' Malware Removal and Prevention procedure for your co-worker's system, a new system CastleCops devised to enable users to either partially or fully clean their systems without the direct aid of an expert.

You will find the Malware Removal and Prevention Procedure here:

http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction

If that doesn't fix the problem, then go to this Forum, read the instructions at the top of the page carefully:

CastleCops Link/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html

Follow these instructions:

CastleCops Link/t102301-Hijackthis_Guidelines_Read_Before_Posting.html

and one of CC's trained 1st Responders or Security Experts will help you.


_________________
Don't read? Can't learn!
PCBruiser
SRT Team Lead
Forums Admin
Joined: May 11, 2005
Posts: 11485

PostPosted: Tue Oct 10, 2006 4:51 pm

Pardon me, Ilex, I accidentally used the member name of the original poster to this thread. My mistake.

I cannot edit my prior post, so I should also note that I had three suggestions, not two. Again sorry about that also.

Finally, I also intended to welcome you to CastleCops.


_________________
Don't read? Can't learn!
crimewatch
Cadet
Joined: Apr 02, 2004
Posts: 8
Location: USA

PostPosted: Tue Oct 10, 2006 5:00 pm

Thanks guys....

I have warned all our chapters about this item. I realize it could be a big nuthin' but better safe than sorry. I have contacted the two domains that are real and one that is listed as "For Sale" so they know their names are being used. We'll see what CircuitCity.com and crawford.com have to say. I also included a link to this discussion.

I also made the following statement in my e-mail to them:

"The attached zip file was not opened due to security concerns. I doubt your firm wishes to be associated with such suspicious activity and would want to be a party to the solution. If we find the zip file contains a malicious script, we will do what we can to prosecute the offender under new California cyber protection laws. Your cooperation would be appreciated."

Has anyone had an opportunity to examine the zip file? What should I do next?

crimewatch
Cadet
Joined: Apr 02, 2004
Posts: 8
Location: USA

PostPosted: Tue Oct 10, 2006 5:16 pm

Question about Fried Phish(TM)

For the text box entitled: "And/or enter a complete phish URL" what specific URL goes there, if any?

Should we mention our national website where the harvesting may have taken place (or sub-web in this case)?

PCBruiser
SRT Team Lead
Forums Admin
Joined: May 11, 2005
Posts: 11485

PostPosted: Tue Oct 10, 2006 5:17 pm

I would definitely recommend you submit the phish to PERT as I suggested earlier. PERT's news feeds are monitored by many security and police organizations, and generally get takedown results pretty quickly. The zip file you posted earlier will be analyzed by one of our qualified Security Experts sometime in the next day or two, and they will report back in this thread what they found.


_________________
Don't read? Can't learn!
nosirrah
Security Expert
Special Response Team
Joined: Apr 19, 2006
Posts: 6221
Location: USA
MIRT MVP Premium Rootkit Responders Security Experts SRT

PostPosted: Tue Oct 10, 2006 5:19 pm

Not very surprising.


STATUS: FINISHED
Complete scanning result of "37679041.exe", received in VirusTotal at 10.10.2006, 18:45:02 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.25 10.10.2006 HEUR/Crypted
Authentium 4.93.8 10.10.2006 W32/Goldun.NJ@dr

Avast 4.7.892.0 10.10.2006 no virus found
AVG 386 10.10.2006 no virus found
BitDefender 7.2 10.10.2006 no virus found
CAT-QuickHeal 8.00 10.10.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 10.10.2006 Trojan.Haxdoor-131
DrWeb 4.33 10.10.2006 BackDoor.Haxdoor.359

eTrust-InoculateIT 23.73.18 10.10.2006 no virus found
eTrust-Vet 30.3.3125 10.10.2006 no virus found
Ewido 4.0 10.10.2006 no virus found
Fortinet 2.82.0.0 10.10.2006 suspicious
F-Prot 3.16f 10.10.2006 security risk named W32/Goldun.NJ@dr
F-Prot4 4.2.1.29 10.10.2006 W32/Goldun.NJ@dr
Ikarus 0.2.65.0 10.10.2006 Trojan-Downloader.Win32.Small.gen
Kaspersky 4.0.2.24 10.10.2006 Backdoor.Win32.Haxdoor.lf

McAfee 4869 10.09.2006 no virus found
Microsoft 1.1603 10.10.2006 no virus found
NOD32v2 1.1796 10.10.2006 a variant of Win32/Haxdoor
Norman 5.80.02 10.10.2006 Suspicious_F.gen
Panda 9.0.0.4 10.10.2006 Suspicious file

Sophos 4.10.0 10.05.2006 no virus found
TheHacker 6.0.1.094 10.08.2006 no virus found
UNA 1.83 10.09.2006 no virus found
VBA32 3.11.1 10.10.2006 no virus found
VirusBuster 4.3.7:9 10.10.2006 no virus found


Kaspersky can get rid of this and has a free trial: http://www.download.com/Kaspersky-Anti-Virus/3000-2239_4-10589989.html?tag=lst-0-2 . You may have to uninstall your current antivirus software to use Kaspersky.

Thanks for the sample BTW. It will come in handy for research.

PCBruiser
SRT Team Lead
Forums Admin
Joined: May 11, 2005
Posts: 11485

PostPosted: Tue Oct 10, 2006 5:21 pm

crimewatch wrote:
Question about Fried Phish(TM)

For the text box entitled: "And/or enter a complete phish URL" what specific URL goes there, if any?

Should we mention our national website where the harvesting may have taken place (or sub-web in this case)?

Sorry, we cross-posted, and I didn't see this until after I just posted. If you paste the full phish into the first box, that's all they need. You can leave the second box empty.


_________________
Don't read? Can't learn!
crimewatch
Cadet
Joined: Apr 02, 2004
Posts: 8
Location: USA

PostPosted: Tue Oct 10, 2006 6:04 pm    Post subject: THANK YOU!!!

nosirrah wrote:
Not very surprising. STATUS: FINISHED. Complete scanning result of "37679041.exe", received in VirusTotal at 10.10.2006, 18:45:02 (CET). Thanks for the sample BTW. It will come in handy for research.


Okay, so the zip extracts to a .exe file that does nothing and on the surface doesn't look like a trojan or virus, right? It's not an altered file extension? I've run virus scans that cleared one day and got a hit on the same file the next day. That said, since I didn't unzip the file (if it's a true zip file) I should just be able to delete it, right? No time bomb here? Wink

I'm still trying to figure out how this came to me sac(at)operationhomefront.net when it was addressed to the other chapter.

nosirrah
Security Expert
Special Response Team
Joined: Apr 19, 2006
Posts: 6221
Location: USA

PostPosted: Tue Oct 10, 2006 6:22 pm

Even unzipping it should not infect your system. I did and nothing happened. I will be running it tonight on my test system to see what it unleashes.

You will be fine just deleting it.

As to how you got this spam I am not the guy to ask. The members of our phishing forums would be better able to answer this question.

crimewatch
Cadet
Joined: Apr 02, 2004
Posts: 8
Location: USA

PostPosted: Tue Oct 10, 2006 6:27 pm

nosirrah wrote:
Not very surprising.


Laughing Another question if I may?

Recall the statement "self-extracting archive with "37679041.pdf" file" in the message body? Were you expecting it to extract a .pdf rather than an exe or is that the executable to open the pdf?

Cool Learning is indeed a journey but testing what one learns can be a stop along the road worthy of a momentary destination.

crimewatch
Cadet
Joined: Apr 02, 2004
Posts: 8
Location: USA

PostPosted: Tue Oct 10, 2006 6:37 pm

nosirrah wrote:
As to how you got this spam I am not the guy to ask . The members of our phishing forums would be better able to answer this question .


Outstanding... thank you so much Nosirrah! Maybe we're related? I grew up spending some time at the business end of a Marine captain's swagger stick. Call me "whosirmesirnosirnotIsir!"

Oh, I did join PERT, will donate and become more involved. As you can see from my profile, I've been lurking and learning from all of you for a while.

Ilex
Cadet
Joined: Oct 10, 2006
Posts: 4
Location: USA

PostPosted: Tue Oct 10, 2006 6:48 pm    Post subject: Thank You!!!

Thank you, PCBruiser and nosirrah for your speedy and informative responses!

I moved the affected PC to my work area and found that IE works again since the re-boot. I will be getting started on the clean-up shortly, thank you again for the links and instructions.

My vile file appears to be the same one as previously submitted; should I still upload it to the Phish Phry or will that be redundant?

nosirrah
Security Expert
Special Response Team
Joined: Apr 19, 2006
Posts: 6221
Location: USA

PostPosted: Tue Oct 10, 2006 6:49 pm

crimewatch wrote:
nosirrah wrote:
Not very surprising.


Laughing Another question if I may?

Recall the statement "self-extracting archive with "37679041.pdf" file" in the message body? Were you expecting it to extract a .pdf rather than an exe or is that the executable to open the pdf?

Cool Learning is indeed a journey but testing what one learns can be a stop along the road worthy of a momentary destination.


No, I know these jerks better than that. I would have been shocked if it were a pdf. Wink The trick is to mask the .exe with the .zip (because this will bypass some email malware scanners) in hopes that you will just open what pops out of the .zip.


Quote:
Oh, I did join PERT, will donate and become more involved. As you can see from my profile, I've been lurking and learning from all of you for a while.


Learning, teaching and helping, that is what we are all about. Welcome aboard. Very Happy

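nosirrah's point in the post above is that the mail gateway sees a .zip, not the .exe inside it, and the lure text ("self-extracting archive with 37679041.pdf file") exists to make the recipient launch whatever comes out. The Python below is an added example, not code from the thread or from CastleCops: it builds a constructed stand-in archive in memory (inert "MZ" stubs, not the real sample) containing the 37679041.exe name VirusTotal scanned, plus a member that carries the promised .pdf name with executable content and a double-extension member, both invented here to exercise the checks. It then inspects every member by name and by leading bytes without extracting anything to disk, which is the check a mail filter or an analyst can apply to an attachment like this one. The extension lists, function names and verdict wording are my own choices.

```python
"""Inspect a zip attachment's members without extracting them (added example, not the page's code)."""
import io
import zipfile

# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta", ".lnk"}
# Document extensions that get placed in front of a real executable extension.
DECOY_EXTENSIONS = {".pdf", ".doc", ".txt", ".jpg", ".xls"}
# Leading bytes that identify a member regardless of the name it carries.
MAGIC = [(b"MZ", "Windows PE executable"), (b"%PDF", "PDF document"), (b"PK\x03\x04", "nested zip archive")]


def sniff_type(head):
    """Identify a member by its first bytes rather than by its name."""
    for magic, label in MAGIC:
        if head.startswith(magic):
            return label
    return "unknown"


def inspect_member(name, head):
    """Combine name-based and content-based checks into one report for a member."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    kind = sniff_type(head)
    findings = []
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append("executable extension %s" % ext)
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        findings.append("double extension posing as a %s file" % parts[-2])
    if kind == "Windows PE executable":
        findings.append("content starts with an MZ header")
        if ext not in EXECUTABLE_EXTENSIONS:
            findings.append("PE executable hiding behind the name %s" % base)
    return {"name": name, "type": kind, "findings": findings,
            "verdict": "block" if findings else "allow"}


def inspect_zip(data):
    """Report on each member of an in-memory archive; nothing is written to disk or run."""
    reports = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the magic bytes are needed
            reports.append(inspect_member(info.filename, head))
    return reports


def build_sample_archive():
    """Constructed stand-in for the attachment: inert MZ stubs, not the real sample."""
    stub = b"MZ" + b"\x00" * 62  # DOS header signature only; nothing runnable follows
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("37679041.exe", stub)           # the name VirusTotal reported scanning
        zf.writestr("37679041.pdf", stub)           # constructed: document name, executable content
        zf.writestr("Order Summary.pdf.exe", stub)  # constructed: double extension
        zf.writestr("readme.txt", b"Thank you for shopping with us!\n")
    return buf.getvalue()


if __name__ == "__main__":
    for r in inspect_zip(build_sample_archive()):
        print("%-6s %-24s %-24s %s" % (r["verdict"], r["name"], r["type"], "; ".join(r["findings"])))
```

The content check is the one that matters: a filter that trusts the member name would pass the .pdf-named stub, while the MZ signature flags it even though the extension is harmless. Reading eight bytes from each member is also cheap enough to apply to every archive attachment at the gateway, rather than only to the ones a user has already opened.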
All times are GMT
Page 1 of 3