Subject: Your internet access is going to get suspended
I have a client who has been getting this email for the last couple of days.
Subject: Your internet access is going to get suspended
Your internet access is going to get suspended
The Internet Service Provider Consorcium was made to protect the rights of
software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts.
We are aware of your illegal activities on the internet wich were
originating from
You can check the report of your activities in the past 6 month that we have
attached. We strongly advise you to stop your activities regarding the
illegal downloading of copyrighted material of your internet access will be
suspended.
Sincerely
ICS Monitoring Team
At first, I was a bit freaked out, because they do do a lot of downloading. I tried forwarding the email to me, but it was not delivered. When I got back there today, I had a better look at it.
It turns out to be a virus.
The message contains a zip file named user-EA49943X-activities.zip and, after extracting, the file is user-EA49943X-activities.exe. File names can be different with each email.
The malware registers a Winlogon notification package so that the installed module is loaded into the address space of winlogon.exe. The files cabpck.dll (known as Mal/TinyDL-T by Sophos), k86.bin and krnlcab.sys (known as Backdoor:Win32/Haxdoor by Microsoft) are created in the %System% folder.
A directory %Temp%\msi_setup will be created and a new connection with some host is made: http://****-****.biz/jerken/data.php?trackid=706172616D3D6 or http://*****.net/22/data.php?trackid=706172616D3D636D64266C616E6
So when you get an email with the subject "Your internet access is going to get suspended", delete it.
Don’t take any chances.
If it's too late, check this out, and maybe it will help you solve the problem: http://forum.avast.com/index.php?topic=38620.0
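One way to look for the data.php?trackid= requests described above in web-proxy logs, as an added example that is not part of the original post: it flags requests whose trackid value is hex-encoded printable ASCII and decodes it. The log format, the placeholder hosts and the function names are assumptions; the two trackid values are the truncated ones quoted in the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy-log lines: client IP, method, URL. The hosts are
# placeholders, because the post masks the real ones.
SAMPLE_LOG = """\
10.0.0.21 GET http://c2-placeholder.example/jerken/data.php?trackid=706172616D3D6
10.0.0.21 GET http://www.example.org/index.html
10.0.0.35 GET http://other-placeholder.example/22/data.php?trackid=706172616D3D636D64266C616E6
10.0.0.40 GET http://shop.example.com/data.php?trackid=order-1182
"""

HEX_RE = re.compile(r"^[0-9A-Fa-f]{8,}$")


def decode_trackid(value):
    """Return the ASCII text behind a hex-encoded value, or None.

    Values cut off mid-byte (odd length, as in the post) lose the
    dangling last digit instead of being rejected.
    """
    if not HEX_RE.match(value):
        return None
    if len(value) % 2:
        value = value[:-1]
    raw = bytes.fromhex(value)
    if not all(32 <= b < 127 for b in raw):
        return None  # hex, but not printable text: leave for manual review
    return raw.decode("ascii")


def find_beacons(log_text):
    """Return (client, host, decoded trackid) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, _method, url = parts
        u = urlsplit(url)
        if not u.path.lower().endswith("/data.php"):
            continue
        for value in parse_qs(u.query).get("trackid", []):
            decoded = decode_trackid(value)
            if decoded is not None:
                hits.append((client, u.hostname, decoded))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

The client addresses it returns are the machines to check for cabpck.dll, k86.bin and krnlcab.sys in %System% and for the %Temp%\msi_setup directory.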
MySpace / Facebook virus
For all you careful people out there, here is another virus warning for you:
New worms target both MySpace and Facebook users
Kaspersky Lab, a leading developer of secure content management systems, has detected two variants of a new worm, Net-Worm.Win32.Koobface.a. and Net-Worm.Win32.Koobface.b, which attack MySpace and Facebook respectively. As part of their malicious payload, the worms transform victim machines into zombie computers to form botnets.
Even though the worms are currently only infecting MySpace and Facebook users, Kaspersky Lab analysts are warning users that the worms are designed to upload additional malicious modules with other functionality via the Internet. It is highly probable that victim machines will not only be used for spreading links via these social networking sites, but the botnets will also be used for other malicious purposes.
Net-Worm.Win32.Koobface.a spreads when a user accesses his/her MySpace account. The worm creates a range of commentaries to friends’ accounts. Net-Worm.Win32.Koobface.b, which targets Facebook users, creates spam messages and sends them to the infected users’ friends via the Facebook site. The messages and comments include texts such as Paris Hilton Tosses Dwarf On The Street; Examiners Caught Downloading Grades From The Internet; Hello; You must see it!!! LOL. My friend catched you on hidden cam; Is it really celebrity? Funny Moments and many others.
Messages and comments on MySpace and Facebook include links to http://youtube.[skip].pl. If the user clicks on this link, s/he is redirected to http://youtube.[skip].ru, a site which purportedly contains a video clip. If the user tries to watch it, a message appears saying that s/he needs the latest version of Flash Player in order to watch the clip. However, instead of the latest version of Flash Player, a file called codecsetup.exe is downloaded to the victim machine; this file is also a network worm. The result is that users who have come to the site via Facebook will have the MySpace worm downloaded to their machines, and vice versa.
“Unfortunately, users are very trusting of messages left by ‘friends’ on social networking sites. So the likelihood of a user clicking on a link like this is very high”, says Alexander Gostev, Senior Virus Analyst at Kaspersky Lab. “At the beginning of 2008 we predicted that we’d see an increase in cybercriminals exploiting MySpace, Facebook and similar sites, and we’re now seeing evidence of this. I’m sure that this is simply the first step, and that virus writers will continue to target these resources with increased intensity”.
Kaspersky Internet Security detected these threats proactively and signatures were added to the database on July 31, 2008.
Good luck to those who have already been hit.
Postcard Virus, the follow-up.
Postcard Virus. <=== Previous post about the postcard virus
Is it real, or is it a hoax? Well…
The postcard Virus is real. But it does not “burn” or “blow up” your hard drive. That is just made up.
As you (maybe) know, this virus spreads itself as a postcard email attachment. Once run, it infects your computer and goes through the contacts on your computer. The postcard virus then takes all your contacts and emails them from there, with the attachment postcard.exe. It comes from Hallmark.
I had a client this week that had trouble with their computer. Their Internet Explorer would not stay open; it kept on closing every time it went to a different website. If it did not close, it came up with a message saying that the website is unsecure and you are going to get a virus if you view it. I doubt that google.com and yahoo.com and microsoft.com have the same virus.
But the first thing I noticed was that the background had an active desktop recovery screen. I have not seen one of those in about 3 years.
Most of the services stopped working. I could not open My Computer, I could not use Ctrl+Alt+Del, Msconfig would not work, regedit would not open. AVG was closed and could not start, as well as Norton’s.
I then learnt that the postcard virus kills all those services that have the following strings in their names: AVG, Norton, defender, and basically all the known antivirus protection programs.
I did find out how exactly the virus works, but have lost the website. As soon as I find it, I will post it and let you know.
After hours of struggling, I eventually had to format the computer and reinstall.
I did believe that this virus was a hoax, but after this experience, I changed my mind. This is one of the most severe viruses I’ve dealt with in a very long time.
I hope that this answers your questions and explains some things to you.
Robert
Postcard Virus Warning.
I got this email today and thought I might share it with you.
If it's a hoax, so be it. But I would rather be safe than sorry.
Virus on its way. read and let people know about it.
http://www.snopes.com/computer/virus/postcard.asp
Hi All, I checked with Norton Anti-Virus, and they are gearing up for this
virus!
I checked Snopes (URL above:), and it is for real!!
Get this E-mail message sent around to your contacts ASAP.
PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS!
You should be alert during the next few days. Do not open any message with
an attachment entitled ‘POSTCARD,’ regardless of who sent it to you. It is a
virus which opens A POSTCARD IMAGE, which ‘burns’ the whole hard disc C of
your computer.
This virus will be received from someone who has your e-mail address in
his/her contact list. This is the reason why you need to send this e-mail to
all your contacts. It is better to receive this message 25 times than to
receive the virus and open it.
If you receive a mail called ‘POSTCARD,’ even though sent to you by a
friend, do not open it!
This is the worst virus announced by CNN. It has been classified by
Microsoft as the most destructive virus ever. This virus was discovered by
McAfee yesterday, and there is no repair yet for this kind of virus. This
virus simply destroys the Zero Sector of the Hard Disc, where the vital
information is kept.
Snopes lists all the names it could come in.












