Subject: Your internet access is going to get suspended
I have a client who has been getting this email for the last couple of days.
Subject: Your internet access is going to get suspended
Your internet access is going to get suspended
The Internet Service Provider Consorcium was made to protect the rights of
software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts.
We are aware of your illegal activities on the internet wich were
originating from
You can check the report of your activities in the past 6 month that we have
attached. We strongly advise you to stop your activities regarding the
illegal downloading of copyrighted material of your internet access will be
suspended.
Sincerely
ICS Monitoring Team
At first, I was a bit freaked out, because they do do a lot of downloading. I tried forwarding the email to myself, but it was not delivered. When I got back there today, I had a better look at it.
It turns out to be a virus.
The message contains a zip file named user-EA49943X-activities.zip; after extraction, the file inside is user-EA49943X-activities.exe. File names can be different with each email.
The malware registers a Winlogon notification package so that the installed module is loaded into the address space of winlogon.exe. The files cabpck.dll (known as Mal/TinyDL-T by Sophos), k86.bin and krnlcab.sys (known as Backdoor:Win32/Haxdoor by Microsoft) are created in the %System% folder.
A directory %Temp%\msi_setup is created and a new connection is made to a remote host: http://****-****.biz/jerken/data.php?trackid=706172616D3D6 or http://*****.net/22/data.php?trackid=706172616D3D636D64266C616E6
So when you get an email with the subject "Your internet access is going to get suspended", delete it.
Don’t take any chances.
If it's too late, check this out, and maybe it will help you solve the problem: http://forum.avast.com/index.php?topic=38620.0
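To find machines that have already made the connection described above, the sketch below scans web proxy log lines for requests to data.php carrying a hex-encoded trackid and decodes the value. It is an added example, not part of the original post. The log format (timestamp, client IP, URL), the host names and the timestamps are constructed assumptions, and because the trackid strings quoted in the post look cut off, a trailing odd hex digit is dropped before decoding.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request shape from the post: <host>/<path>/data.php?trackid=<hex digits>
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

def decode_trackid(value):
    """Hex-decode a trackid value; None if it is not hex at all."""
    value = "".join(value.split())        # tolerate stray whitespace
    if not HEX_RE.match(value) or len(value) < 2:
        return None
    if len(value) % 2:                    # odd length: final nibble was cut off
        value = value[:-1]
    return bytes.fromhex(value).decode("latin-1")

def scan_proxy_log(lines):
    """Return (client, host, decoded trackid) for each request of that shape."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue                      # not a "timestamp client url" line
        client, url = fields[1], fields[2]
        parts = urlsplit(url)
        if not parts.path.lower().endswith("/data.php"):
            continue
        for raw in parse_qs(parts.query).get("trackid", []):
            decoded = decode_trackid(raw)
            if decoded is not None:       # ignore non-hex trackid values
                hits.append((client, parts.hostname, decoded))
    return hits

# Constructed sample log. Hosts, clients and timestamps are placeholders;
# the two hex trackid values are the ones quoted in the post.
SAMPLE_LOG = [
    "2000-01-01T09:14:02 10.0.0.23 http://c2-one.example/jerken/data.php?trackid=706172616D3D6",
    "2000-01-01T09:14:09 10.0.0.23 http://c2-two.example/22/data.php?trackid=706172616D3D636D64266C616E6",
    "2000-01-01T09:15:40 10.0.0.31 http://intranet.example/data.php?trackid=order-7731",
    "2000-01-01T09:16:11 10.0.0.31 http://www.example/index.php?page=2",
]

if __name__ == "__main__":
    for client, host, decoded in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {host}: trackid decodes to {decoded!r}")
```

A hit is a lead for triage rather than proof of infection; confirm it on the client by looking for the files and the %Temp%\msi_setup directory named above.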
Comments
One Response to “Subject: Your internet access is going to get suspended”
LOL, I get tons of those messages.