Email attackment warning


I just received a surprisingly well crafted email claiming to be from
my ISP. The attackment is named "updated-password.zip". The message
begins with a very personalized and convincing looking "Dear user
<my user name>" and goes on to say that "You have successfully changed
your password .... ", etc. The return address is a legit one used by
my ISP for info purposes.

The zip contains what KAV calls Trojan.Win32.crypt.d for which Sophos
has some info here:

http://www.sophos.com/virusinfo/analyses/w32rbotaej.html

Now, how many ISPs send zip files with password info to their
customers? Yet I can see where inexperienced users might easily
fall into the trap. The message is very official-looking. So beware!

There was a clue buried in the header, in this case. There is an email
addy of another customer of my ISP with a similar user name to mine.
Since all the routing was within my ISP's domain, a quick look at the
header might also be deceiving. Also, the header shows that the zip
attackment passed through my ISP's malware (av) screening. That
fact might also deceive some users into believing the attackment is
ok.

Puh-lease! Delete ALL unsolicited attackments. Period.

Art

http://home.epix.net/~artnpeg
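The two header and attachment clues Art describes (a zip whose contents are really an executable, and a To: line naming a different customer) can be checked mechanically before anyone is tempted to open the file. The following is an added example, not code from the original post; it builds a constructed sample message shaped like the one described (the "executable" inside the zip is a harmless text stub) and flags both red flags with the Python standard library only.

```python
import io
import zipfile
from email.message import EmailMessage
from email.utils import getaddresses

# Extensions that mean "this will run if double-clicked" (assumed list, not from the post).
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def build_sample():
    """Constructed sample modelled on the post's mail; addresses are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("updated-password.exe", "text stub, not a real executable")
    msg = EmailMessage()
    msg["From"] = "info@example-isp.net"
    msg["To"] = "alic@example-isp.net"  # another customer with a similar user name
    msg["Subject"] = "Your password has been changed"
    msg.set_content("Dear user alice\n\nYou have successfully changed your password ...")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="updated-password.zip")
    return msg


def executable_members(msg):
    """Names of files inside zip attachments whose extension marks them as runnable."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                found += [n for n in zf.namelist() if n.lower().endswith(EXEC_SUFFIXES)]
        except zipfile.BadZipFile:
            found.append(name + ": unreadable zip")
    return found


def recipient_mismatch(msg, my_address):
    """True when my own address appears nowhere in To/Cc, i.e. the mail was sent to someone else."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return my_address.lower() not in {addr.lower() for _, addr in pairs}


def red_flags(msg, my_address):
    """Collect the warning signs the post describes; an empty list means none were found."""
    flags = []
    if executable_members(msg):
        flags.append("zip attachment contains an executable")
    if recipient_mismatch(msg, my_address):
        flags.append("addressed to a different recipient")
    return flags
```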
 
Mat

I'm getting a lot of this as well, however Nod is reporting it as W32/Mytob.eb
worm. Even though antivirus is catching it, it's still a nuisance having to delete
several infected emails every few minutes. Not had this much trouble since
Swen was released.
 

I'm getting a lot of this as well, however Nod is reporting it as W32/Mytob.eb
worm. Even though antivirus is catching it, it's still a nuisance having to delete
several infected emails every few minutes. Not had this much trouble since
Swen was released.

I'm going to throw in some general "safe hex" here:

DO NOT TRUST ANTIVIRUS SCANNERS!!!!

Immediately delete all unsolicited email attackments. Use a sane email
app such as Mozilla email, Thunderbird, or Pegasus. They do not allow
users to Run attackments. And always set for plain text, both in
receiving and sending email.

Art

http://home.epix.net/~artnpeg
 
Dave Cohen

I'm going to throw in some general "safe hex" here:

DO NOT TRUST ANTIVIRUS SCANNERS!!!!

Immediately delete all unsolicited email attackments. Use a sane email
app such as Mozilla email, Thunderbird, or Pegasus. They do not allow
users to Run attackments. And always set for plain text, both in
receiving and sending email.

Art

http://home.epix.net/~artnpeg

Not sure what you are saying. I have Pegasus but also use OE. In either case
I have to manually open or save an attachment unless there is some option
that does otherwise that I am not aware of. Since I also use MailWasher I
feel fairly safe in letting OE display the message in the bottom window, but I
only do a mail check on demand.
Dave Cohen
 
Mat

This is weird, seems every evening around 6pm all this virus activity
stops. It's like some company's PC is infected and when they finish work and
shut down, the viruses stop sending. I bet tomorrow I'll get more as soon as their PC
is turned back on hmmmmmmm.
 

Not sure what you are saying. I have Pegasus but also use OE. In either case
I have to manually open or save an attachment unless there is some option
that does otherwise that I am not aware of.

Since you use Pegasus, you should know that it doesn't allow the user
to Run attackments. That means it's well designed enough to not pull
stupid stunts like transferring control over to the operating system.
Some email apps warn, but still allow the user to Run the file.
Warning isn't enough. No sane email app should transfer control of
attackments to the operating system.

Pegasus does allow Opening attackments in some other application.
For example, you can Open a html file in a browser. That means the
default browser must NOT be IE. Make sure the system default browser
is Gecko based ... Mozilla, Firefox or K-Meleon.

Sure, you can always Save attackments to a test folder and scan them.
If you play that game, make sure you wait a few days before bothering
to scan them. Then when av vendors have had a chance to update
their sigs and defs to the latest malware, you can upload the file for
scanning by a multiplicity of av scan engines at a couple of sites.

Better safe than sorry.

Art

http://home.epix.net/~artnpeg
 
slartyb

I'm going to throw in some general "safe hex" here:

DO NOT TRUST ANTIVIRUS SCANNERS!!!!

my rule is "trust nobody"

Immediately delete all unsolicited email attackments. Use a sane email
app such as Mozilla email, Thunderbird, or Pegasus. They do not allow
users to Run attackments. And always set for plain text, both in
receiving and sending email.

Art

http://home.epix.net/~artnpeg

ban rectum thermometers