PC CyberTekThe cyberspace visitor’s information center

It’s been a busy 48 hours for the e-mail virus ruffians. I suspect with Mother’s Day approaching it will only get worse. Keep an eye out for fake Mother’s Day e-cards and the like. The following examples were all received in the last 48 hours.

The first one I have a feeling might trick a few people. It claims to be from the iTunes Store..

From: iTunes Store [certificate@itunes.com]
Subject: Thank you for buying iTunes Gift Certificate!

Hello!

You have received an iTunes Gift Certificate in the amount of $50.00 You can find your certificate code in attachment below.

Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.

iTunes Store.

The payload is in the attachment iTunes_certificate_497.zip which contains the file iTunes_certificate_497.exe
ESET NOD32 identifies this as Win32/Oficla.GT trojan

Next up, are 3 variations of the, we missed you and couldn’t deliver something scam.

From: DHL Support Kimberly Parsons [delivery@dhl-usa.com]
Subject: DHL delivery problem Nr22755.

Hello!

We were not able to deliver the postal package sent on the 8th of March in time because the addressee’s address is not correct.
Please print out the invoice copy attached and collect the package at our department.

DHL Customer Services.

From: DHL Manager Javier Stratton [courier@dhl-usa.com]
Subject: DHL delivery problem Nr00684.

Dear customer!

We were not able to deliver the postal package which was sent on the 21st of February in time because the addressee’s address is wrong.
Please print out the invoice copy attached and collect the package at our office.

DHL Express Services.

From: Service Manager Chandra Morales [manager@ups.com]
Subject: UPS Delivery Problem NR 52979.

Dear customer!

We failed to deliver postal package which was sent on the 15th of February in time because the recipient’s address is erroneous.
Please print out the invoice copy attached and collect the package at our department.

DHL Customer Services.

The attachments for these were:
DHL_invoice_6817.zip which is Win32/Oficla.GQ trojan
DHL_invoice_2817.zip which also is Win32/Oficla.GQ trojan
UPS_invoice_5978.zip – which is a variant of Win32/Injector.BNG trojan

Remember to keep an eye out for fake Mother’s day scams too.

Time to add another fake e-mail to the long list of social engineering e-mail scams. This one looks like this.

Subject 4912-3337 Apple AppStore Confirmation
Sender Apple Up-To-Date Add contact

Apple Store
Call 1-800-MY-APPLE

#4368-66525
Order Details

You can also contact Apple Store Customer Service or visit online for more information.

Visit the Apple Online Store to purchase Apple hardware, software, and third-party accessories.
Copyright 2010 Apple Inc. All rights reserved.

This one wants you to click on the order details link, which I have removed, but if you look at the “Order Details” link more closely, you will see that it doesn’t go to the apple store but links to some place called goofbomb. I don’t feel like testing out my anti-virus or risk getting a 0-day virus or some malware, let’s just assume it’s a bad place. So keep your eyes out for this and other e-mails that claim you have purchased something, or missed a delivery, and gives you a link to your “order” or has an attachment for you to open. Quite a few of these going around these days.

Surf Safe

Just a quick warning about a couple of e-mails that had a virus attachment. They are both pretending to be from U.S. Shipping companies.

First we have this one from “UPS”

From: UPS Manager Romeo Law [delivery@ups.com]

Subject:  UPS Delivery Problem NR 08488.

Dear customer!

We failed to deliver the package sent on the 6th of January in time because the recipient’s address is incorrect.

Please print out the invoice copy attached and collect the package at our office.

United Parcel Service of America.

Dear customer!
We failed to deliver the package sent on the 6th of January in time
Read the rest of this entry »

Just got an e-mail that says it’s from e-cards@hallmark.com with the subject: You have received A Hallmark E-Card! It had an attachment called Postcard.zip which was identified by my antivirus, I use NOD32 by E-Set

__________ ESET NOD32 Antivirus warning, version of virus signature database 4693 (20091216) __________

Warning, ESET NOD32 Antivirus found the following threats in the message:

Postcard.zip – probably a variant of Win32/Merond.AA worm – deleted
Postcard.zip > ZIP > document.chm .exe – probably a variant of Win32/Merond.AA worm – was a part of the deleted object

This came from one of my works TV affiliates mailing list. So I am guessing it is one that goes through your address book and sends itself to everyone on there.

Figured this was also a good time to remind people to be careful with any “e-cards” they get. Watch out for infected attachments, as was the case with this one, and watch for links that send you to websites designed to infect you or steal your identity / information.

I’m sure you have all seen this before. Your surfing along, when all of a sudden, you get a pop-up that alerts you that your computer is infected! YIKES! What to do!??! Ah, you can just download a “free” program that will fix it for you. I’d hope you already know, this is a scam. It’s one of two things. You can either download a legit program that will scan your computer, tell you how badly infected it is and you can purchase a full version of the program to remove all your “infections.” Just in case your not really infected, these programs will increase your infection count by adding your cookies to the list. Pretty good way to jack up the numbers, but I wouldn’t call cookies an infection. And I sure don’t have to buy any program to remove them. The other thing that could happen, and probably will is, you will download a program that will then install it’s own addware. Turns out they have a name for this stuff now, and that name is Scareware.

Turns out many people are still falling for this scam. I had to clean my parents computer up, from one of these. Try doing it over VNC, and you may have your patience tested like I did. Anyways, the old folks aren’t the only ones falling for this, and now their is a new variation. Spware Protect 2009, is the new breed of scareware. Not only does it con you by getting you to install it, it actually does damage to get you to “purchase” it for $49.99 and install a trojan downloader. Meanwhile it increases the pop ups telling you how infected your computer is. So you order the program with your credit card and guess what, you just gave them your credit card number, no hacking needed. A local electronics store, with the initials RS, got hit by it and from what I could get out of them, sounds like the whole corp has been infected through their network.

Since I first found out about this last week, I’ve found out that it’s now also being installed by the conficker virus. At first I was thinking, wouldn’t people be suspicious if there was a new piece of software, on their computer? I sure as hell would. Then I started thinking about it, in a corporate situation. Some poor schmuck, in accounting or where ever, could think it was installed by their IT Dept. So the keylogger installed would run until the computer crashed. The one good thing is, the domain that was selling Spyware Protect 2009 is gone. Keep an eye out for variations with new names and the same or slightly modified interface.

-Your friendly neighborhood PC Cybertek

With all the media hype about conficker, I thought you might like a good collection of trustworthy resources. Beware of websites that have recently registered as “conficker help.” In fact, just avoid them all together. There’s also reports of malicious software masquerading as detection and cleaning tools for Conficker-infected computers, as well as spam offering the same.

There’s no need to try and figure out what’s safe or real and what has more sinister plans in mind. The good folks at dshield.org have been keeping an updated list of third party information on conficker. Here you can find plenty of free conficker detection and removal tools, general information and the microsoft patch. That should help keep you updated, safe and informed.

I’ve also found out about one other real neat way of detecting it, but it’s for more advanced users, so I’m going to make a seperate post about it.