
SANS ISC InfoSec Handlers Diary Blog



The complaint that's an attack

Published: 2008-09-09
Last Updated: 2008-09-09 10:28:12 UTC
by Swa Frantzen (Version: 2)
0 comment(s)

Stephane wrote in with an email, received on an administrative role address, that reads like it came from an inexperienced spam victim barking up the wrong tree. It is not a complaint at all; the "proof" it carries is the payload.

From: [suppressed to protect the innocent]
To: [suppressed to protect the innocent]
Subject: I am wait your reply

To Whom It May Concern:

I am tired of receiving messages containing malicious computer programs (viruses) from your e-mail address!!!
If within 1-2 days you do not stop sending messages to my e-mail address, I will have to address this issue to the Police!...
Today I received a hard copy of your data logs from my Internet service provider. The copy contains your IP address, logs of sending malicious programs and your e-mail address details...
I am sending you the copy of the document containing your data and logs of sending malicious programs as the proof of your fault!!!!!!
You must print the document containing the list of your data and logs of sending malicious programs and pass it on to your Internet service  provider with, so that they could find out why the viruses are sent from your computer to my e-mail address!!!!
Ask your Internet service provider to resolve this problem!!!!

Do this now!!!
Once again!!! If you don't stop sending the letters, I will address to the Police and file a lawsuit against you!!!

With an attachment called IPLOGS.zip, that contains:

$ unzip -v IPLOGS.zip
Archive:  IPLOGS.zip
 Length   Method    Size  Ratio   Date   Time   CRC-32    Name
--------  ------  ------- -----   ----   ----   ------    ----
   81408  Defl:N    58399  28%  09-08-08 00:01  8b1aedc6  IPLOGS.exe
--------          -------  ---                            -------
   81408            58399  28%                            1 file
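A ZIP whose only member is an .exe is the whole story here, and it is the check a mail gateway or an analyst should make before anything else. The following script is an added example, not part of the original diary and not code from the ISC: it builds a constructed stand-in for IPLOGS.zip in memory (a fake payload that starts with the "MZ" DOS header magic, since the real IPLOGS.exe is not reproduced), lists every member the way `unzip -v` does (sizes, CRC-32), flags members that are Windows executables by extension or by magic, and computes the SHA-256 so the sample can be looked up on VirusTotal by hash rather than uploaded. Function names and the extension list are my own choices.

```python
import hashlib
import io
import zipfile
import zlib

# Constructed stand-in for the real IPLOGS.exe: a byte string that begins
# with the "MZ" magic every Windows PE file starts with. It is not malware.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode." + b"\x00" * 200

# Extensions that Windows will execute or script-run directly (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".dll"}


def build_sample_zip(name="IPLOGS.exe", payload=FAKE_PE):
    """Build an in-memory ZIP shaped like the attachment so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def triage_zip(data):
    """Inspect every member of a ZIP attachment without running anything.

    Returns one dict per member with the facts an analyst wants: the name,
    uncompressed and compressed sizes, the stored CRC-32 (the same column
    `unzip -v` prints) and whether it matches the data, whether the name or
    the MZ magic marks it as a Windows executable, and the SHA-256 to look
    up on VirusTotal instead of submitting the file itself.
    """
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = zf.read(info)
            # Use the last extension so "IPLOGS.pdf.exe" is still caught.
            ext = ("." + info.filename.rsplit(".", 1)[-1].lower()) if "." in info.filename else ""
            results.append({
                "name": info.filename,
                "size": info.file_size,
                "compressed": info.compress_size,
                "crc32": "%08x" % info.CRC,
                "crc32_verified": (zlib.crc32(content) & 0xFFFFFFFF) == info.CRC,
                "exec_by_ext": ext in EXECUTABLE_EXTENSIONS,
                "exec_by_magic": content[:2] == b"MZ",
                "sha256": hashlib.sha256(content).hexdigest(),
            })
    return results


def is_suspicious(results):
    """True if any member is an executable, by name or by content."""
    return any(r["exec_by_ext"] or r["exec_by_magic"] for r in results)


if __name__ == "__main__":
    for r in triage_zip(build_sample_zip()):
        flag = "EXECUTABLE" if (r["exec_by_ext"] or r["exec_by_magic"]) else "ok"
        print("%-12s %7d %7d %s %s sha256=%s" % (
            r["name"], r["size"], r["compressed"], r["crc32"], flag, r["sha256"]))
```

Checking the magic as well as the extension matters: a member renamed to `logs.txt` that still starts with `MZ` is still a PE, and the hash lets you query VirusTotal for a file others have already submitted without handing over a sample that may contain victim-specific data.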


Sending it over to VirusTotal yielded the following result (a dash means that engine did not flag the file):

AhnLab-V3 -
AntiVir -
Authentium W32/Malware!OC-based
Avast -
AVG PSW.Generic6.ABAB
BitDefender -
CAT-QuickHeal -
ClamAV Trojan.Zbot-2110
DrWeb -
eSafe -
eTrust-Vet -
Ewido -
F-Prot W32/Malware!OC-based
F-Secure Trojan.Win32.FraudPack.gen
Fortinet PossibleThreat
GData Trojan.Win32.FraudPack.gen
Ikarus Trojan.Win32.FraudPack
K7AntiVirus -
Kaspersky Trojan.Win32.FraudPack.gen
McAfee -
Microsoft PWS:Win32/Zbot.gen!B
NOD32v2 -
Norman -
Panda -
PCTools -
Prevx1 -
Rising -
Sophos Troj/PWS-ATH
Sunbelt -
Symantec Infostealer.Banker.C
TheHacker -
TrendMicro -
VBA32 -
ViRobot -
VirusBuster -
Webwasher-Gateway -

A consensus around Zbot seems to be forming among the AV vendors: several name it outright (Trojan.Zbot, PWS:Win32/Zbot) or as a password-stealing banker, while a fair number miss it altogether.

The trickiest part of this will be convincing some recipients that our real abuse complaints are real; perhaps that is exactly what these scam artists want.

--
Swa Frantzen -- Section 66

Keywords: spam zbot