New Trojan Warning...Complete With Spam Complaint

[Floyd Fisher]

(note: the following was done by a trained professional, do not attempt stuff like this at home)

Dear Warriors:

One of my hosting clients got an 'interesting email' and I figured I'd post the details here in case you get this one.

The body of the email follows:

> From: (name and email address removed)
> Subject: I am wait your reply
> To: (recipients email address removed)
> Date: Monday, September 8, 2008, 6:38 PM
> To Whom It May Concern:
>
> I am tired of receiving messages containing malicious
> computer programs (viruses) from your e-mail address!!!
> If within 1-2 days you do not stop sending messages to my
> e-mail address, I will have to address this issue to the
> Police!...
> Today I received a hard copy of your data logs from my
> Internet service provider. The copy contains your IP
> address, logs of sending malicious programs and your e-mail
> address details...
> I am sending you the copy of the document containing your
> data and logs of sending malicious programs as the proof of
> your fault!!!!!!
> You must print the document containing the list of your
> data and logs of sending malicious programs and pass it on
> to your Internet service provider with, so that they could
> find out why the viruses are sent from your computer to my
> e-mail address!!!!
>
> Ask your Internet service provider to resolve this
> problem!!!!
>
> Do this now!!!
> Once again!!! If you donʼt stop sending the letters, I
> will address to the Police and file a lawsuit against you!!!!!!

There was an attached file to it that was a zip file that supposedly contains IP logs that allegedly prove a crime. Inside was...lo and behold, an exe file masquerading as a pdf!

My spidey sense told me then and there this was a very, very suspicious file indeed. So, like the trained professional I am, I send a copy of the file to Symantec to see what's up.

Turns out the thing is infected with 'Infostealer.Banker.C' which is explained below:

Infostealer.Banker.C - Symantec.com

Lesson: If you get an email similar to this one, ignore it and delete immediately. It's not a real spam complaint, just some yahoo trying to hack your machine.

[mysteryleaves]

thanks for info

[grumpyjacksa]

thanx

will be on the lookout

[GarrieWilson]

I'd ignore it ven w/out the attachment.

Unless I'm bored. Which I am most of the time.

[infinite]

Thanks for the heads up.... I just got one of them too and although I was 99.9% sure it was a hoax, it made me curious. Of course - I did a quick google search of the email contents and ended up at my favorite place (just NOT in the WSO section for once in my life! - lol)

Again - thanks for the heads up.

Aaron

[MrLeN]

I just received such an email 5 minutes ago so I googled it.

I found this thread. So, for what ever it's worth, here's the email:

Quote:

X-Message-Delivery: Vj0zLjQuMDt1cz0wO2w9MDthPTA=
X-Message-Status: n:0
X-SID-PRA: Elma Workman <laowco@bradleyandassociates.com>
X-Message-Info: 6sSXyD95QpV00IIgjsTh+YawfpHDgpqpzBd0/CsTm5NOvH5/6fJOphqMOPisrkL7hMd9YT4jXdLCNx6S7y+Xsw==
Received: from server.poozz.com ([72.249.17.98]) by bay0-mc9-f8.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
Tue, 9 Sep 2008 01:54:24 -0700
Received: from [64.160.216.100]
by server.poozz.com with esmtp (Exim 4.63)
(envelope-from <laowco@bradleyandassociates.com>)
id 1KcywA-0008RO-UI
for MYEMAIL@MYEMAIL.COM; Tue, 09 Sep 2008 08:51:19 +0000
Received: from [64.160.216.100] by domain-relay.mspring.net; Tue, 9 Sep 2008 00:51:03 -0800
From: "Elma Workman" <laowco@bradleyandassociates.com>
To: <MYEMAIL@MYEMAIL.COM>
Subject: I am wait your reply
Date: Tue, 9 Sep 2008 00:51:03 -0800
Message-ID: <01c91216$22407580$64d8a040@laowco>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_000E_01C91216.22407580"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Importance: Normal
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.poozz.com
X-AntiAbuse: Original Domain - mrlen.com
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - bradleyandassociates.com
X-Source:
X-Source-Args:
X-Source-Dir:
Return-Path: laowco@bradleyandassociates.com
X-OriginalArrivalTime: 09 Sep 2008 08:54:26.0115 (UTC) FILETIME=[A9749930:01C91259]

This is a multi-part message in MIME format.

------=_NextPart_000_000E_01C91216.22407580
Content-Type: text/plain;
charset="iso-8859-2"
Content-Transfer-Encoding: 7bit

To Whom It May Concern:

I am tired of receiving messages containing malicious computer programs (viruses) from your e-mail address!!!
If within 1-2 days you do not stop sending messages to my e-mail address, I will have to address this issue to the Police!...
Today I received a hard copy of your data logs from my Internet service provider. The copy contains your IP address, logs of sending malicious programs and your e-mail address details...
I am sending you the copy of the document containing your data and logs of sending malicious programs as the proof of your fault!!!!!!
You must print the document containing the list of your data and logs of sending malicious programs and pass it on to your Internet service provider with, so that they could find out why the viruses are sent from your computer to my e-mail address!!!!

Ask your Internet service provider to resolve this problem!!!!

Do this now!!!
Once again!!! If you don’t stop sending the letters, I will address to the Police and file a lawsuit against you!!!

[BIG Mike]

Oops - sorry, wrong kind of Trojan; so I deleted my post.

[infrequentlyhere]

Got the same message this morning. The "I am wait" was a bit of a giveaway.

However, the thing that got me wondering, is that sometimes I do get spam emails that appear to come from my own email address.

So obviously, I've been put on some list, somehow.

Is there a way to get my email address off these things, or is it just the price I pay for having posted my business email address on my website?

[Floyd Fisher]

Quote:

Originally Posted by infrequentlyhere

Got the same message this morning. The "I am wait" was a bit of a giveaway.

However, the thing that got me wondering, is that sometimes I do get spam emails that appear to come from my own email address.

So obviously, I've been put on some list, somehow.

Is there a way to get my email address off these things, or is it just the price I pay for having posted my business email address on my website?

There are ways to 'hide' the email while posting it on your website.

name.nospam@nospam.mywebsite.nospam.com

or

name [at] mywebsite <dot> com

Of course, by now it's too late for any of that to do any good.

As far as getting off the list is concerned, there is no way I know of to do that as spammers never allow you to unsubscribe.

[JohnMcCabe]

Quote:

Originally Posted by Floyd Fisher

There are ways to 'hide' the email while posting it on your website.

name.nospam@nospam.mywebsite.nospam.com

or

name [at] mywebsite <dot> com

Of course, by now it's too late for any of that to do any good.

As far as getting off the list is concerned, there is no way I know of to do that as spammers never allow you to unsubscribe.

At this point, I wouldn't even attempt to get off those lists.

According to an article I read awhile back in Wired, a confirmed live email is worth about three times what a run of the mill, scraped email brings.

Spammers will harvest millions of emails, then send some message with what appears to be a legitimate unsubscribe link. The link does unsubscribe you from that list - and confirms that they found a live email. Within days, sometimes even hours, your spam load will go up significantly.

According to the article, the buying and selling of email lists purely for spamming is a multi-hundred-million dollar a year business. Most of it comes from countries that are more enamored of the hard money spam brings in than they are of treaties, laws and such.