Virus WarningThis will definitely save some headaches

by Milton
13 replies
We all know the Internet is a minefield of tricks and scams this is probably the latest.
Some of my older posts are about hackers and such and it gives me a little bit of satisfaction when I can beat them, but alas sometimes they get past me and then I have to go hunt them down.
This email arrived in my inbox today. Looks innocent enough and came to my main email account. However that wasn’t the end of it.
In my defence, I market a lot on ebay and I import a lot of stuff. I had almost competed a new project that I started 7am this morning, it’s now almost 2am my time. Of course I haven’t been working all that time. My wife went to the opera and I stayed home and watched a movie. Sorry transgressed.
Well the name is similar to a company I deal with, and a quick glance –similar products--without thinking I clicked the view details link. (Slap forehead) Well that’s the best excuse I could come up with.

Now this is where you pay attention.
If you download the supposed invoice into your documents folder it places a false windows defender file in your c:/docsandsettings/applicationdata/windefender
and c:/docsandsettings/applicationdata/google.exe
It puts an entry into your registry and goes to work, it spreads tentacles all through your computer and I can’t figure out what it is trying to do.
Your mala ware programs don’t see it so their of now use and the only way you can delete the files you download is to sit and keep trying until you grab it between it’s attempts to run.
The good news is if you have a good antivirus program (I like the way you guys spell much easier to type than programme) Of course you all do don’t you? I use Avast (the paid for one) and it stops it from whatever it wants to do but it is damn annoying with that big red warning flashing every couple of minutes.

I think I killed it but I won’t know until I reboot and since its so late I’m beat and when I go through my notes and detail the procedure in the morning I’ll let you know.

In the meantime don’t click on this email or anything that looks like it and don’t worry if you already have your antivirus will hold it at bay but it is viciouse and hard to get rid of.
If anyone has any experience with this please let us all know if you have solved the problem.

I will sort it out in the morning and let you know.
Cheers
Milton

Copy of email below


Dear customer,
Thank you for shopping with Link removed.com, the No.1 Online Asian Entertainment Store. Your order has been successfully placed. We will process and dispatch your order to you as soon as possible.

To view details of your order go to : Link in removed here but whatever you don't click it if you get this email or one like it




Order Number
:
141214102011BEC
Payment Method
:
Credit Card
Shipping Method
:
Express
Number of Suggested Shipment(s)
:
1

Item Description
Catalog No.
Quantity
Unit Price (USD)
Total (USD)
Logitech QuickCam Ultra Vision
1004716754
1
207.99
207.99
Freecom Hard Drive 3.5" External Hard Drive 640GB
1004712221
1
229.99
229.99


Sub-total
:
USD 437.98
Tax
:
USD 0.00
Shipping (Express)
:
USD 45.49
Order Total
:
USD 483.47


Once your payment has been received and verified your payment, your order will be processed. The estimated availability information shown during checkout will only apply after your payment has been verified.
This order confirmation has been automatically generated by our order tracking system.
Should you have any questions about your order, please visit the following website for updated order information details at "My Account".

Thank you for shopping at Link removed .com , and please come again!


Yours sincerely,
Customer Service Department
YesAsia.com
#headaches #save #virus #warningthis
  • Profile picture of the author rosetrees
    I just added that same email to my antiscam blog a few minutes ago, after it was forwarded to me by a friend.

    Edit: Where you've typed "link removed.com" at the bottom of your post - the link to the zip file is still there.

    Edit again: The link's been removed
    {{ DiscussionBoard.errors[4871658].message }}
  • Profile picture of the author art72
    Good share.

    I find myself opening less and less emails these days, especially when I know; I didn't buy any Asian entertainment products... lately
    Signature
    Coming Soon... *Laser Targeted Lead Generation Services
    {{ DiscussionBoard.errors[4872066].message }}
  • Profile picture of the author CDarklock
    Back to the editor:

    Originally Posted by Milton View Post

    Yours sincerely,
    Customer Service Department
    (you missed one ).com
    Signature
    "The Golden Town is the Golden Town no longer. They have sold their pillars for brass and their temples for money, they have made coins out of their golden doors. It is become a dark town full of trouble, there is no ease in its streets, beauty has left it and the old songs are gone." - Lord Dunsany, The Messengers
    {{ DiscussionBoard.errors[4872089].message }}
    • Profile picture of the author rosetrees
      Originally Posted by CDarklock View Post

      Back to the editor:
      No - that link goes to a legitimate website - the one that the scammer is pretending to represent.

      The fake link is much nastier and ends in .zip
      {{ DiscussionBoard.errors[4872258].message }}
      • Profile picture of the author CDarklock
        Originally Posted by rosetrees View Post

        No - that link goes to a legitimate website - the one that the scammer is pretending to represent.
        Which he has redacted everywhere else in the email:

        Thank you for shopping with Link removed.com,


        I assume he intended to remove it there, too.
        Signature
        "The Golden Town is the Golden Town no longer. They have sold their pillars for brass and their temples for money, they have made coins out of their golden doors. It is become a dark town full of trouble, there is no ease in its streets, beauty has left it and the old songs are gone." - Lord Dunsany, The Messengers
        {{ DiscussionBoard.errors[4872273].message }}
        • Profile picture of the author Milton
          Originally Posted by CDarklock View Post

          Which he has redacted everywhere else in the email:



          I assume he intended to remove it there, too.
          Oops!
          Thanks CDarklock I did intend to remove it but I was beat (sorry) and missed it. Fortunately it does go to a legit website. I wouldn't advise clicking on it though.
          So far the the antivirus is keeping it at bay while I try to sort it out.
          Just an aside, I download all my emails on an old AMD since most viruses seem to come through emails, though you can pick them up just surfing.It only has 160gb hard drive makes it easy to sort out. I do my important work on a computer that hardly ever sees the web. I keep regular backups so I don't have a problem, but I enjoy the chase so I'll get back on it.
          Milton
          {{ DiscussionBoard.errors[4874123].message }}
  • Profile picture of the author Milton
    Well after sleeping on this here is the outcome.

    This is what happened.

    As outlined in my original post, I clicked the link containing the infected file that is disguised as a link to an invoice and uploaded it to my Docs folder. When the file is clicked it doesn't open but it goes into action and it will not allow you to delete it in the normal way. Fortunately my anti virus program stopped it from doing whatever it was supposed to. The only problem I could see was that the Anti virus was flashing a huge red warning sign telling me that it had prevented it from running each time it tried and that became extremely annoying, as well as the fact that something has intruded into the machine. The computer seemed not to be affected in anyway. If it had not been stopped from running I've no idea of what it would do. I was tempted to let it run but caution prevailed since the computer is on a network. I tried three mala ware programs but they saw nothing.

    If you try to delete the original folder it will not let you, you receive a message telling you it is busy. I managed to delete it by waiting for the Anti virus to tell me it had stopped it from running get a few delete clicks in at that time and finally zapped it.

    But it wasn't finished; it had placed two files I mentioned before in a separate folder.
    I found the folder by running Hijack This and reading the report. The files end with "windefender.exe and google.exe. It was pure luck that being familiar with most of the folders on my computer these looked unfamiliar and were in the Hijack This report. When I clicked on them I saw that they had just been created confirming that they were nothing to do with windefeder that is associated with xp.

    My assumption is that the windefender.exe file allows the google.exe file to do its thing, whatever that is, but I'm not sure about that.

    I tried using Hijack this to delete or repair these files but they were impervious to any attempt to delete them in anyway. Always giving an error message that they were busy or being used to run a program.

    Since that was not working I gave up and went to bed... This morning when I booted the computer it locked up completely. It began loading windows and then shut down. Strangely the screen saver came on and was seeing the mouse but nothing else.

    This is where the impossible became simple. With no alternative left I booted in safe mode got a bright idea and ran a restore to the day before. The restore saw the files and renamed them and end of story. Being renamed they couldn't work and since I was lucky enough to have deleted the original download there was nothing to re-install them.

    I ran a search on C: drive and found them (the newly renamed files) in c:/windows/prefetch I copied them moved the copies to another folder just in case and zapped the original.

    The outcome is the computer seems to be faster than before, probably because of all the anti mala ware runs I did.

    So it was that simple.

    Cheers
    Milton
    {{ DiscussionBoard.errors[4874979].message }}
  • Profile picture of the author Jake Gray
    When opening mail from a foreign sender, always proceed with caution. If
    you have a gut-feeling about the email, do not open it. Even though people
    have an anti-virus, it will not fully 100% prevent the attack.

    Using a hardware and software firewall can definitely help prevent such attacks
    from occurring as you are able to set rules (Input and output).

    Thanks for the heads up though...

    I'm sure this will serve as a reminder for most.

    Jake Gray
    {{ DiscussionBoard.errors[4875217].message }}
    • Profile picture of the author kolled
      A quick way of sorting out such a problem with Avast is to schedule a boot-time scan. This scan finds any infectious files before they load into the computer memory.

      To schedule a scan, open Avast and click on Scan Computer on the left.

      Click on Boot-time scan below that and then click on the Schedule Now button on the right.

      If you want to restart immediately, click on the restart now link, otherwise finish off your work and restart later.

      I have found this procedure very effective in smoking out those pesky files.
      {{ DiscussionBoard.errors[4875309].message }}
      • Profile picture of the author ExRat
        Hi Milton,

        I got that email too.

        I pointed it out to my girlfriend as a clever spam email, not least because they had got hold of my primary paypal email address and full name.

        A quick (but careful) hover over the link revealed that the destination url was different to the anchor url and that it was a .zip rather than a webpage.

        One of the psychological angles they are using is to try and encourage the recipient to assume that their credit card has been used by a crook to order those goods - this way, the concern and anger immediately felt by the victim is likely to over-ride their normal calmness and encourage them to click through in order to investigate the perceived fraud.
        Signature


        Roger Davis

        {{ DiscussionBoard.errors[4875336].message }}
        • Profile picture of the author rosetrees
          Originally Posted by ExRat View Post

          .......... not least because they had got hold of my primary paypal email address and full name.
          My anti-scam blog went crazy with visitors yesterday, as it shot to no1 spot within minutes of me posting about this.


          The consensus of opinion amongst the posters confirms what Ex-rat says - most people were receiving the email to their paypal address. Some seem to believe that either Paypal was hacked or one or more of their vendors has been hacked.


          One person said it was sent to an old paypal email address that they hadn't used for over a year. I wonder if somehow an old paypal user list is "out there" somewhere? So beware of any email using your paypal email address and your full name, just in case.
          {{ DiscussionBoard.errors[4875499].message }}
        • Profile picture of the author CDarklock
          Originally Posted by ExRat View Post

          One of the psychological angles they are using is to try and encourage the recipient to assume that their credit card has been used by a crook to order those goods
          This is an old trick that I personally haven't seen used since the late 1990s. I actually came pretty close to falling for it back then; I got an official-looking PayPal email, got worried, and clicked the link.

          Then IE asked where I wanted to save the ZIP file. So I went "WTF" and clicked cancel, then took a closer look at the email.


          On some level, I admired the guy for convincing me to click. I'm weird that way. There's a part of me that will always delight in seeing someone else playing dirty tricks, even if I would never use them myself and think he's a jackhole for building his business on it.
          Signature
          "The Golden Town is the Golden Town no longer. They have sold their pillars for brass and their temples for money, they have made coins out of their golden doors. It is become a dark town full of trouble, there is no ease in its streets, beauty has left it and the old songs are gone." - Lord Dunsany, The Messengers
          {{ DiscussionBoard.errors[4876226].message }}

Trending Topics