Thursday, April 12, 2007

Trojan.Packed.13


University of Bangor, Wales

As of today, the last major written chapter of my PhD dissertation, prior to the empirical work, is almost done and I therefore can soon fully concentrate on gathering questionnaires and working on tabulating my results.

I have just received my third email within 24 hours with an attachment with the following message.

This message has been processed by Symantec's AntiVirus Technology.

postcard.exe was infected with the malicious virus Trojan.Packed.13 and has been deleted because the file cannot be cleaned.

The latest email had the subject Your Friend and Lover. Hmm, I knew that one was phony right away! I am glad Norton caught these viruses, as some Trojans have managed to end up in my registry previously. Over time I have added more security programs. My opinion is that Microsoft and their operating systems should prevent viruses and spyware to a greater degree. There should be less necessity for secondary security software. The three email messages came to an email address associated with this blog, and so the email address could have been found through this blog, although I am not stating that this is likely. I shall continue posting articles and comments on some of the interesting material that is emailed to me. I do this for both educational and satirical purposes. Below is a link from Symantec with information about Trojan.Packed.13.

http://www.symantec.com/enterprise/security_response/weblog/2007/04/middle_east_war_or_just_more_j.html

Middle East War, or just more junk email?

Over the weekend Security Response received samples of the latest variants of Trojan.Peacomm and W32.Mixor doing the rounds. The social engineering trick employed this time is in appealing to people's sense of fear as well as natural curiosity of a possible Middle East war involving the United States, Iran and Israel.

Subjects include "USA Just Have Started World War III" / "Missle Strike: The USA kills more then 20000 Iranian citizens" / "Israel Just Have Started World War III" / "USA Missile Strike: Iran War just have started". From the sample emails that we have seen to date, the actual email body is blank, and the attached files have various names such as "video.exe", "movie.exe", "click here.exe", "clickme.exe", "readme.exe" and "read more.exe".

Proactively detected by Symantec antivirus software as Trojan.Packed.13, the underlying threats are actually nothing new. They are simply minor variants of Trojan.Peacomm and W32.Mixor (named W32.Mixor.AR@mm in this instance) which have been repacked in an attempt to avoid existing detection, and appear to have been largely successful at that attempt. The only differences between W32.Mixor.AR@mm and previous versions apart from the obvious email subjects are the filenames and registry values. A writeup has been posted containing this information. Continuing along the lines of the previous variant, Trojan.Peacomm employs rootkit technology, as described in a blog entry posted back in January.

Even though Symantec customers were protected from this without the need to update definitions, there is never a good time to let your guard down, even during a festive season when goodwill to others should surely be the overriding theme. The more shocking or unbelievable the subject of emails such as these, the more the contents should be treated with the suspicion they usually deserve. Hopefully the Easter bunny delivered something a little more pleasant to the majority than this tedious offering.

Posted by John McDonald on April 9, 2007 12:10 AM


This arrived by email and is not from my ISP.
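The indicators quoted above (executable attachments with names such as postcard.exe, video.exe and "read more.exe", alarming or lurid subject lines, and an empty message body) are exactly what a mail gateway policy checks for. The following is an added example written for this post, not code from Symantec or from the blog author: a small Python filter that parses a raw message, inspects each attachment and returns a quarantine verdict with its reasons. The sample messages, the example.invalid addresses and the extension block-list are constructed for the demo; the lure filenames and subject fragments are the ones the page quotes.

```python
# Added example: a minimal inbound-mail attachment policy, modelled on the
# indicators quoted above. Sample messages are constructed here, not captures.
from typing import Optional

from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows executes directly on double-click. Assumption: a typical
# gateway block-list; extend as needed.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Attachment names and subject fragments taken from the samples quoted above.
KNOWN_LURE_NAMES = {"postcard.exe", "video.exe", "movie.exe", "click here.exe",
                    "clickme.exe", "readme.exe", "read more.exe"}
LURE_SUBJECT_WORDS = ("world war", "missile strike", "missle strike",
                      "your friend and lover")


def build_message(subject: str, body: str, attachment_name: Optional[str],
                  payload: bytes = b"MZ\x90\x00") -> bytes:
    """Construct a raw RFC 5322 message for the demo (constructed data).

    The default payload starts with the 'MZ' magic of a Windows executable.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed address
    msg["To"] = "recipient@example.invalid"     # constructed address
    msg["Subject"] = subject
    # A lone newline stands in for the blank body the quoted samples had.
    msg.set_content(body or "\n")
    if attachment_name is not None:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def classify(raw: bytes) -> dict:
    """Return {'quarantine': bool, 'reasons': [...]} for one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    subject = (msg["Subject"] or "").lower()

    body_text = ""
    body_part = msg.get_body(preferencelist=("plain", "html"))
    if body_part is not None:
        body_text = body_part.get_content().strip()

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lower = name.lower()
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        data = part.get_payload(decode=True) or b""
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable attachment: {name}")
            # "invoice.pdf.exe"-style double extensions hide the real type
            if lower.count(".") >= 2:
                reasons.append(f"double extension: {name}")
        elif data[:2] == b"MZ":
            # Content check catches executables renamed to a harmless extension
            reasons.append(f"PE header in non-executable-named attachment: {name}")
        if lower in KNOWN_LURE_NAMES:
            reasons.append(f"known lure filename: {name}")

    if any(word in subject for word in LURE_SUBJECT_WORDS):
        reasons.append(f"lure subject: {msg['Subject']}")
    if not body_text and any(r.startswith("executable") for r in reasons):
        reasons.append("empty body with executable attachment")

    return {"quarantine": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    sample = build_message("Your Friend and Lover", "", "postcard.exe")
    print(classify(sample))
    benign = build_message("Questionnaire", "Attached as promised.",
                           "survey.pdf", payload=b"%PDF-1.4")
    print(classify(benign))
```

The verdict carries every reason that fired rather than stopping at the first, which is what an analyst wants in the quarantine log: an executable attachment alone is enough to hold the message, but the combination with a known lure name and a blank body is what distinguishes a mass-mailing campaign from an engineer forgetting the company policy.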

11 comments:

  1. Sure Eduardo. I can email or mail one out to you. You can email me at rnmwales@shaw.ca if you wish.

    Cheers

    Russ
  2. Your Friend and Lover?

    Heh. I wonder how many people they actually fool with that one.

    You should get a Mac. I've never gotten a virus since I've had my Mac. And once you go Mac, you never go back (I'm sorry, I couldn't resist).
  3. Good one, Ruthie.

    I still have my UMAX, Mac clone from 1996.
  4. Hi Russ, this is why I don't post my email address ever, this kind of thing is bound to happen if you do...Wales looks beautiful, I love greenery...
  5. Congratulations on completing your last chapter!!!
  6. WW: Thanks, that is a good point. The one email address needs to be provided in order to allow persons to request a questionnaire from me; however, you are correct, I am taking a risk. The other email address, which has received the Trojans, I have listed with this blog in order for persons to email me with blog-related issues off site. This happens occasionally and I think some issues between bloggers should be dealt with by email and not in comments. But, again, you are correct: a risk is being taken.

    Kermit: Thanks!
  7. My latest email:

    Menglei Company

    Hello,

    Compliments of the day, and my best wishes to you. I am Ms. Lauren Zhu The GM Assistant of the above company. This company is into the supply of Home Textiles, Engine Parts, Stationery and china wares, greeting cards etc. This company was established in 2004, under the Company and Allied Matter with the Corporate Affairs Commissions of China.

    Having gone through a methodical search, I decided to contact you hoping that you will find this proposal interesting. we are interested in employing your services to work with us as a private payment agent that can help us establish a medium of receiving payment for goods that was supplied to our customers in in your location,as the company is already experiencing difficulties in receiving payments from them.

    Most of our customers pay out in cheques and money orders and we do not have an account in your country that will clear this money. It is upon this note that we seek your assistance to stand in as our representative in your country. It is important to let you know that, as our representative, you will receive 10% of whatever amount you clear for the company and the balance will be for the company.

    Please if you are interested to work with us in good faith and honesty, Contact Mr. Wu Fubin the Chief Executive Officer (CEO.) of this company who is currently in UK. through this email address: mr.wufubin101@gmail.com

    Endeavor to let him know that I directed you to him; Please let him know your decision rather than keeping him waiting because I will inform him about my contacting you. The CEO. Will tell you more on receipt of your response. If you are not interested, kindly pardon me for contacting you. Thanks for your time and remain blessed.

    Very Respectfully,


    Ms. Lauren Zhu
    Goods for Import,
    Freight Fwdg. Svcs.
  8. Just thinking about security patches, do you just apply them when the little shield icon appears in the system tray, or do you use the "Windows Update" entry in the Start Menu? Even then, do you just apply the recommended patches only?

    I always go to Windows Update, select "Custom", select all updates that it finds, and install them. That guarantees you have ALL the patches available, not just the essential ones.
  9. Thanks Richard.

    I have at one time or another done all that you mentioned, but mostly allow the auto updates. But, thanks to your comment I shall check with the custom option more often.

    Cheers and good morning.

    Russ