Has anyone seen this?

Jim Ferguson

I received the following message with an attachment. The attachment is a
Pif file and I did not make any such application as described. I suspect a
virus, but my AV did not detect anything. I have not opened the attachment.

Dear Sir,

Thank you for your online application for a Business Account with Wells
Fargo. We appreciate your interest in banking with us.

In order to open a Business Account, we must receive specific credit
information that is verifiable. Because Wells Fargo has no locations in your
state, we are unable to confirm the credit information in your application.
Consequently, we regret to say that we cannot open an account for your
business at this time.

Attached are your Wells Fargo Application and your Social Security File.

Sincerely,

Sherli Chin
Business Resource Center Services
Wells Fargo Bank
 
Mike Calderon

Yes, I received just such a message today as well. I have not opened the
attachment either since I also suspect a virus. My AV did not detect
anything either.
 
David H. Lipman

It's new, started on 7/16

http://vil.nai.com/vil/content/v_100487.htm

McAfee calls this Trojan "Downloader-DI"

variations:
From: Wells Fargo Accounting
To: username
Subject: Re: Wells Fargo Bank New Business Account Application - ID# 4489

From: Citibank Accounting
To: username
Subject: Re: Your credit application

From: E-Loan Consumer Department
To: username
Subject: Re: Your E-Loan Refinance Application Declined

Dave
 
John Elsbury

> I received the following message with an attachment. The attachment is a
> Pif file and I did not make any such application as described. I suspect a
> virus, but my AV did not detect anything. I have not opened the attachment.
> <snip>

Anything with a PIF attachment just has to be a virus. Forward it
to your AV company.

> Dear Sir,
>
> Thank you for your online application for a Business Account with Wells
> Fargo. We appreciate your interest in banking with us.

Anything like this from a "big name" company which you are not
expecting has to be suspect. It might be social engineering, or
perhaps the virus has picked up a legitimate e-mail from the victim's
mailbox (but see below).

> In order to open a Business Account, we must receive specific credit
> information that is verifiable. Because Wells Fargo has no locations in your
> state, we are unable to confirm the credit information in your application.
> Consequently, we regret to say that we cannot open an account for your
> business at this time.
>
> Attached are your Wells Fargo Application and your Social Security File.

Red flag. Whatever a Social Security file is, I trust that a big name
company would not send these around by e-mail anyway. Makes it look
more like a social engineering attempt, perhaps the hope is that the
recipient will think it's somebody else's business information and
open the attachment out of curiosity. No doubt it will work in a
small minority of attempts.

> Sincerely,
>
> Sherli Chin
> Business Resource Center Services
> Wells Fargo Bank

Might be worth forwarding a copy (without the attachment, of course)
to the security manager at Wells Fargo explaining that you think it
was a virus-generated e-mail and that the virus component was removed
by you. They will probably get lots of queries about it and they
should be grateful.
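The two rules of thumb from the posts above (block anything carrying a .pif attachment, and treat the lure senders and subjects Dave listed as suspect) written up as a small mail-triage script. This is an added example, not code from the thread; the message it parses is constructed here, the attachment is harmless test bytes, and the filename `application.pif` is a placeholder, since the thread never names the real attachment.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from os.path import splitext

# Attachment type the thread's samples used; a mail gateway would extend this set.
BLOCKED_EXTENSIONS = {".pif"}

# Lure senders and subjects quoted in Dave's post, lower-cased for matching.
LURE_SENDERS = ("wells fargo accounting", "citibank accounting",
                "e-loan consumer department")
LURE_SUBJECTS = ("wells fargo bank new business account application",
                 "your credit application",
                 "your e-loan refinance application declined")


def triage_message(raw: bytes) -> dict:
    """Classify one raw RFC 822 message: quarantine on a blocked attachment,
    and record lure matches as supporting reasons (a warning on their own)."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = (msg.get("From") or "").lower()
    subject = (msg.get("Subject") or "").lower()
    reasons = []
    if any(s in sender for s in LURE_SENDERS):
        reasons.append("sender matches known lure")
    if any(s in subject for s in LURE_SUBJECTS):
        reasons.append("subject matches known lure")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if splitext(name.lower())[1] in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type: {name}")
    quarantine = any(r.startswith("blocked attachment") for r in reasons)
    return {"quarantine": quarantine, "reasons": reasons}


def build_sample(with_attachment: bool = True) -> bytes:
    """Constructed message mirroring the Wells Fargo lure; the attachment is
    plain test bytes, not malware, and its filename is a placeholder."""
    m = EmailMessage()
    m["From"] = "Wells Fargo Accounting <accounting@example.invalid>"
    m["To"] = "username@example.invalid"
    m["Subject"] = "Re: Wells Fargo Bank New Business Account Application - ID# 4489"
    m.set_content("Attached are your Wells Fargo Application and your Social Security File.")
    if with_attachment:
        m.add_attachment(b"constructed test bytes, not a real PIF",
                         maintype="application", subtype="octet-stream",
                         filename="application.pif")
    return m.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample()))
```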
 
Jim Ferguson

Thanks. This is indeed the description and I have received the other two
versions of the letters shown. I have notified my AV provider.
 
Gabriela Salvisberg

David H. Lipman said:
> It's new, started on 7/16
>
> http://vil.nai.com/vil/content/v_100487.htm
>
> McAfee calls this Trojan "Downloader-DI"

I doubt that, even if mail body and attachment name are as in the
description of Downloader-DI. NAI's description says that KAV knows it
by the name "Webber" and NAV by "Berbew". I've scanned the file using
KAV (updates today, scan all files), Symantec Online Scan and Trend's
Housecall. Nothing found.

I've sent the file to the labs of KAV, F-Secure, Sophos and Trend.

Gabriela
 
Charles Crume

Haven't you guys been watching the news??

There's a new scam where crooks are sending out emails telling you to go to
a web site which, although it looks very similar to a real company's site,
is really a forgery. Once there, they ask for your information, then open
credit card accounts and buy things, steal your identity, etc.

The feds already busted some 17 year old for doing this. Been in the news
last day or so.

Charles...
 
John Elsbury

> Haven't you guys been watching the news??
>
> There's a new scam where crooks are sending out emails telling you to go to
> a web site which, although it looks very similar to a real company's site,
> is really a forgery. Once there, they ask for your information, then open
> credit card accounts and buy things, steal your identity, etc.
>
> The feds already busted some 17 year old for doing this. Been in the news
> last day or so.
>
> Charles...

Hi there

This is, actually, generated by a virus. See the next post down.

The scam you are referring to is generically known as "phishing" - I
have received several odd e-mails purporting to come from Ebay or
Paypal which wanted me to enter my account, password, SSN, and so on.

Although this looks a bit like a phishing attempt, it is more an
exercise in social engineering: the author hopes that the recipient
will be overcome by the desire to see what looks like somebody else's
personal information, and will click on/launch the attachment, thus
allowing the payload to operate.

According to my reading the payload connects to a website (which may
or may not still exist) and downloads a trojan component which sends
information from the compromised PC to the "phisher", and which may
also open ports on the victim PC.
 
FromTheRafters

Tim Backstrom said:
> What is sent to you is not a virus/worm/trojan.

It is not *really* what it pretends to be, so....

I would say it qualifies as a trojan. So far from what I have
read, it is purposefully spammed out so is not a worm. It could
probably be considered a 'worm component' if it downloads
something that when executed, propagates it further.

> If you double-click on
> it, it attempts to connect to a site to download the Backdoor-AXJ
> trojan.

Then it would be a trojan of the downloader variety; what
it downloads is irrelevant to that definition. It just so happens
that it downloads a backdoor program.

Method of infection? ~ harumph! ;o)
 
Gabriela Salvisberg

Replying to "myself" because of replies I got from the labs:
> I doubt that, even if mail body and attachment name are as in the
> description of Downloader-DI. NAI's description says that KAV knows it
> by the name "Webber" and NAV by "Berbew". I've scanned the file using
> KAV (updates today, scan all files), Symantec Online Scan and Trend's
> Housecall. Nothing found.
>
> I've sent the file to the labs of KAV, F-Secure, Sophos and Trend.

In the meanwhile KAV [1], F-Secure [2] and Sophos [3] replied: It's a
new variant of Webber (aka Downloader-DI or Heloc). They have released
updates or IDE files to detect it.

[1] http://www.viruslist.com/eng/viruslist.html?id=61335
[2] http://www.f-secure.com/v-descs/webber.shtml
[3] http://www.sophos.com/virusinfo/analyses/trojdownldrdi.html

BUT: I found some kind of bug in my AVP 3.5.1.5. I've updated it again
tonight to see if the new Webber variant will be detected.

I saved the malware file to a folder (called "suspect") on my desktop
and wanted to scan the file by right-clicking it. There's no
"AntiViral Toolkit Pro" in the context menu. I can scan every other
file, folder or drive without any problem, but not *this* file. If I
scan my "suspect" folder itself, I get an error message in the
scanning results: "ERROR: delete wrong pointer (00000000)". What does
that error message mean?

I have set AVP to scan all files, and normally it detects every
malware. Some days ago I received an older Webber variant, which had
been detected immediately when it arrived in the inbox of my e-mail
program (AK-Mail).

The bug is: For testing purposes I have put a real PIF file on my
desktop (it was a link to my locally installed version of F-Prot for
DOS). I cannot scan that PIF file either (no AVP right-click menu entry
available). So it looks like AVP 3.5.1.5 doesn't scan PIF files, even
if set to scan all files.

I've reported this to Kaspersky, but I wonder: Did anyone else in this
group encounter this bug?

Gabriela
 
null

> The bug is: For testing purposes I have put a real PIF file on my
> desktop (it was a link to my locally installed version of F-Prot for
> DOS). I cannot scan that PIF file either (no AVP right-click menu entry
> available). So it looks like AVP 3.5.1.5 doesn't scan PIF files, even
> if set to scan all files.

Rename eicar.com to eicar.pif to verify that KAV will indeed scan
files with a .PIF extension :) I can't imagine what your problem is.

Art
http://www.epix.net/~artnpeg
 
Steven Stern

NAV calls it "trojan.berbew" or something like that. They released non-beta
definitions around 8PM on the 21st.

> I received the following message with an attachment. The attachment is a
> Pif file and I did not make any such application as described. I suspect a
> virus, but my AV did not detect anything. I have not opened the attachment.
>
> Dear Sir,
>
> Thank you for your online application for a Business Account with Wells
> Fargo. We appreciate your interest in banking with us.
>
> In order to open a Business Account, we must receive specific credit
> information that is verifiable. Because Wells Fargo has no locations in your
> state, we are unable to confirm the credit information in your application.
> Consequently, we regret to say that we cannot open an account for your
> business at this time.
>
> Attached are your Wells Fargo Application and your Social Security File.
>
> Sincerely,
>
> Sherli Chin
> Business Resource Center Services
> Wells Fargo Bank

Steve Stern
Manager, WUGNET VirusCentral Forum
http://go.compuserve.com/viruscentral?access=public
 
Bart Bailey

In Message-ID:<[email protected]> posted on
> Replying to "myself" because of replies I got from the labs:
>
> > I doubt that, even if mail body and attachment name are as in the
> > description of Downloader-DI. NAI's description says that KAV knows it
> > by the name "Webber" and NAV by "Berbew". I've scanned the file using
> > KAV (updates today, scan all files), Symantec Online Scan and Trend's
> > Housecall. Nothing found.
> >
> > I've sent the file to the labs of KAV, F-Secure, Sophos and Trend.
>
> In the meanwhile KAV [1], F-Secure [2] and Sophos [3] replied: It's a
> new variant of Webber (aka Downloader-DI or Heloc). They have released
> updates or IDE files to detect it.
>
> [1] http://www.viruslist.com/eng/viruslist.html?id=61335
> [2] http://www.f-secure.com/v-descs/webber.shtml
> [3] http://www.sophos.com/virusinfo/analyses/trojdownldrdi.html
>
> BUT: I found some kind of bug in my AVP 3.5.1.5. I've updated it again
> tonight to see if the new Webber variant will be detected.
>
> I saved the malware file to a folder (called "suspect") on my desktop
> and wanted to scan the file by right-clicking it. There's no
> "AntiViral Toolkit Pro" in the context menu. I can scan every other
> file, folder or drive without any problem, but not *this* file. If I
> scan my "suspect" folder itself, I get an error message in the
> scanning results: "ERROR: delete wrong pointer (00000000)". What does
> that error message mean?
>
> I have set AVP to scan all files, and normally it detects every
> malware. Some days ago I received an older Webber variant, which had
> been detected immediately when it arrived in the inbox of my e-mail
> program (AK-Mail).
>
> The bug is: For testing purposes I have put a real PIF file on my
> desktop (it was a link to my locally installed version of F-Prot for
> DOS). I cannot scan that PIF file either (no AVP right-click menu entry
> available). So it looks like AVP 3.5.1.5 doesn't scan PIF files, even
> if set to scan all files.
>
> I've reported this to Kaspersky, but I wonder: Did anyone else in this
> group encounter this bug?
>
> Gabriela

I have to put pif and exe files into a folder and then right click the
folder to invoke the AVP context.
Everything else works OK

Bart
 
David H. Lipman

Art:

I have not tried playing with the PIF extension before. McAfee v7.0 Enterprise
had no problem.

7/22/2003 7:08:01 PM Moved (Clean failed because the file isn't cleanable)
DLIPMAN-3\lipman C:\Documents and Settings\lipman\Desktop\NewFile.pif EICAR
test file

Nice experiment...Thanx !

Dave
 
Mal

Gabriela Salvisberg wrote:

> Problem #2 isn't solved yet: No manual scan of a
> single PIF file, because there's no AVP entry in the right-click menu.
>
> Gabriela

All AV's (and other context sensitive apps) I've seen are similar. Seems
to apply to .lnk's as well as a few other extensions.

As Bart suggests, it could well be a windows thing and no application is
able to hook those context menus.
 
Damn Straight

Gabriela Salvisberg wrote:

> All AV's (and other context sensitive apps) I've seen are similar. Seems
> to apply to .lnk's as well as a few other extensions.
>
> As Bart suggests, it could well be a windows thing and no application is
> able to hook those context menus.

Not just AV apps, there aren't any;
"Quick View"
"Open with Irfan",
"Browse with ACDSee",
"Edit with WinHex",
or other context conveniences that normally appear.
 
