
Interesting email- smells like phish


ihrsetrdr (Señor Senior Member; joined May 17, 2005; High Desert, Calif.)
From: Facebook Security, Luann Mccandliss <[email protected]>

Dear user of facebook.

Because of the measures taken to provide safety to our clients, your password has been changed.

You can find your new password in attached document.

Thanks,

Your Facebook.

Zip archive attachment (FaceBook_Password_Nr12568.zip)

The really interesting part is that it came to an email account that is not the one I signed up on Facebook with. ;)
 
Is there a cool new virus in the zip?

Gee, what do you do with an e-mail from DCRAPO :) which might make sense if it was from the desk of Donald Crapoli and not Luann.
 
Quote:
Is there a cool new virus in the zip?

Gee, what do you do with an e-mail from DCRAPO :) which might make sense if it was from the desk of Donald Crapoli and not Luann.

There might be, I'd be happy to fwd it for analysis, maybe Symantec might be interested.

Even though I'm running Linux on the box I receive email with, I'm not sure I'd want to take a peek unless there was a way to safe-handle it, like putting it in a sandbox or jail. ;)
 
Quote:
There might be, I'd be happy to fwd it for analysis, maybe Symantec might be interested.

Even though I'm running Linux on the box I receive email with, I'm not sure I'd want to take a peek unless there was a way to safe-handle it, like putting it in a sandbox or jail. ;)

Mind forwarding it to me @ gmail? Same name as here :beer:
 
Quote:
There might be, I'd be happy to fwd it for analysis, maybe Symantec might be interested.

Even though I'm running Linux on the box I receive email with, I'm not sure I'd want to take a peek unless there was a way to safe-handle it, like putting it in a sandbox or jail. ;)

Forward to me as well.

r cochran619@roadrunner com

No spaces in either spot you see there.
 
I see many of these every day. The attachment they link to is usually an HTML doc or a zip file with an exe, with a Java exploit that installs a fake AV on your system.

Whenever I see them, I think to myself, "Job Security"
 
OK, you guys have several emails, none of which contain the .zip file. The first was my fault; I forgot to attach it. My second attempt was no good because Gmail does not allow attached .exe files, even when archived.

Third attempt failed from my POP account, got the following notice:
This report relates to a message you sent with the following header fields:

Message-id: <1285273697.3479.1.camel
Date: Thu, 23 Sep 2010 13:28:17 -0700
From: xxxxxxxxxxx
To:xxxxxx.com, xxxxx.com
Subject: [Fwd: Facebook password details changed.]

Your message cannot be delivered to the following recipients:

Recipient address: xxxxxxl.com
Reason: SMTP transmission failure has occurred
Diagnostic code: smtp;552-5.7.0 Our system detected an illegal attachment on your message. Please http://mail.google.com/support/bin/answer.py?answer=6590 to review our attachment guidelines. o20si3081967anb.110
Remote system: dns;gmail-smtp-in.l.google.com (TCP|206.46.173.13|39688|74.125.157.27|25) (mx.google.com ESMTP o20si3081967anb.110)

I'll try to host it, and PM with a link. :shrug:
 
Sounds like a virus.

Facebook is also down at the moment. I can't access it from my phone, iPod, Computer, or from school. It's just giving me a DNS error.

EDIT: It's upish now. Horribly slow though.
 
Code:
Antivirus            Version          Last Update   Result
AhnLab-V3            2010.09.22.00    2010.09.22    -
AntiVir              7.10.12.22       2010.09.23    -
Antiy-AVL            2.0.3.7          2010.09.23    -
Authentium           5.2.0.5          2010.09.23    W32/Oficla.BC
Avast                4.8.1351.0       2010.09.22    -
Avast5               5.0.594.0        2010.09.22    -
BitDefender          7.2              2010.09.23    -
CAT-QuickHeal        11.00            2010.09.23    -
ClamAV               0.96.2.0-git     2010.09.23    Heuristic.Trojan.SusPacked.TMS
Comodo               6174             2010.09.23    -
Emsisoft             5.0.0.37         2010.09.23    -
eTrust-Vet           36.1.7872        2010.09.23    -
F-Prot               4.6.2.117        2010.09.22    -
Fortinet             4.1.143.0        2010.09.23    -
GData                21               2010.09.23    -
Ikarus               T3.1.1.88.0      2010.09.23    -
Jiangmin             13.0.900         2010.09.21    -
K7AntiVirus          9.63.2582        2010.09.22    -
Kaspersky            7.0.0.125        2010.09.23    -
McAfee               5.400.0.1158     2010.09.23    Bredolab.gen.c
McAfee-GW-Edition    2010.1C          2010.09.23    -
Microsoft            1.6201           2010.09.23    TrojanDropper:Win32/Oficla.N
NOD32                5473             2010.09.23    Win32/Oficla.IJ
Norman               6.06.06          2010.09.23    -
nProtect             2010-09-23.02    2010.09.23    -
Panda                10.0.2.7         2010.09.22    Suspicious file
PCTools              7.0.3.5          2010.09.23    -
Prevx                3.0              2010.09.23    High Risk Cloaked Malware
Rising               22.66.00.07      2010.09.21    -
Sophos               None             2010.09.23    -
Sunbelt              6915             2010.09.23    -
SUPERAntiSpyware     4.40.0.1006      2010.09.23    -
TheHacker            6.7.0.0.029      2010.09.23    -
TrendMicro           9.120.0.1004     2010.09.23    -
VBA32                3.12.14.1        2010.09.22    -
ViRobot              2010.9.23.4057   2010.09.23    -
VirusBuster          12.65.22.0       2010.09.23    -

Additional information
MD5   : de2078f8c6b10d6d3c4491f2c699bfb4
SHA1  : 5ebb5a2380d8a73604bc837bccc6c37bda926f09
SHA256: 70e5b6a92df507708742a34171e14bbebb7ecdc54c546e95bf5ae06518ebef5a

Submitted to virustotal.com by someone else; I reanalyzed it as well.

EDIT

Scanned with Malwarebytes and it didn't find anything
Code:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4678

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

9/23/2010 5:24:06 PM
mbam-log-2010-09-23 (17-24-06).txt

Scan type: Quick scan
Objects scanned: 1
Time elapsed: 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Going to put a toy kitchen together for the daughter's 2nd birthday so I'll be off of the computer for a while(until later tonight)
 
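The zip-with-an-exe pattern described earlier in the thread, and the MD5/SHA-1/SHA-256 values VirusTotal lists for the sample, can both be dealt with without ever opening the attachment on a Windows box. The following is an added example, not code from any poster: it reads a zip's members from memory, streams each one through the three hashers with a size cap, and flags executable extensions, double extensions, a DOS/PE `MZ` header under a harmless-looking name, extreme compression ratios and path-traversal member names. The sample archive is constructed inline (a minimal `MZ`/`PE` stub named after the thread's attachment plus a lure text file) and stands in for the real FaceBook_Password_Nr12568.zip, which is not reproduced; the extension lists are a practical shortlist, not an exhaustive one.

```python
"""Offline triage of a suspicious zip attachment (added example): list,
fingerprint and flag the members without extracting or running anything."""
import hashlib
import io
import os
import zipfile

# Extensions Windows runs on double-click (assumption: a practical shortlist,
# not exhaustive) and decoy extensions seen in "invoice.pdf.exe"-style names.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".dll", ".jar"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg", ".png", ".html"}
MAX_MEMBER_BYTES = 64 * 1024 * 1024   # stop reading a member past this (zip-bomb guard)
HASH_ALGOS = ("md5", "sha1", "sha256")  # the three digests VirusTotal lists


def build_sample_zip() -> bytes:
    """Constructed stand-in for the thread's attachment: a minimal MZ/PE stub
    under a double extension plus a lure text file. The real
    FaceBook_Password_Nr12568.zip is not reproduced here."""
    stamp = (2010, 9, 23, 13, 28, 17)   # fixed timestamps keep the bytes reproducible
    # "MZ", 58 bytes of padding, e_lfanew = 0x40, then the "PE\0\0" signature at offset 64
    pe_stub = b"MZ" + b"\x00" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00" + b"\x00" * 256
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in (("FaceBook_Password_Nr12568.pdf.exe", pe_stub),
                              ("readme.txt", b"Your new password is in the attached document.\n")):
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, payload)
    return buf.getvalue()


def fingerprint(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of a blob, e.g. for a VirusTotal hash search."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_ALGOS}


def hash_member(zf: zipfile.ZipFile, info: zipfile.ZipInfo):
    """Stream one member through the hashers. Returns (digests, first bytes);
    digests is None if the member grows past MAX_MEMBER_BYTES."""
    hashers = {algo: hashlib.new(algo) for algo in HASH_ALGOS}
    head, total = b"", 0
    with zf.open(info) as fh:
        while True:
            chunk = fh.read(65536)
            if not chunk:
                break
            head = head or chunk[:4]
            total += len(chunk)
            if total > MAX_MEMBER_BYTES:
                return None, head
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}, head


def triage_zip(data: bytes) -> dict:
    """Inspect every member from memory and return a report with per-member flags."""
    report = {"archive": fingerprint(data), "members": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base, ext = os.path.splitext(info.filename.lower())
            inner_ext = os.path.splitext(base)[1]
            digests, head = hash_member(zf, info)
            flags = []
            if ext in EXECUTABLE_EXTS:
                flags.append("executable-extension")
            if ext in EXECUTABLE_EXTS and inner_ext in DECOY_EXTS:
                flags.append("double-extension")
            if head[:2] == b"MZ":                 # DOS/PE header, whatever the name claims
                flags.append("pe-magic")
            if info.compress_size and info.file_size / info.compress_size > 100:
                flags.append("high-compression-ratio")
            if digests is None:
                flags.append("oversized")
            parts = info.filename.replace("\\", "/").split("/")
            if parts[0] == "" or ".." in parts:  # absolute or traversing path on extraction
                flags.append("path-traversal")
            report["members"].append({"name": info.filename, "size": info.file_size,
                                      "hashes": digests, "flags": flags})
    report["suspicious"] = any(m["flags"] for m in report["members"])
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage_zip(build_sample_zip()), indent=2))
```

Run it against the real attachment from a non-Windows host or a throwaway VM, and search VirusTotal by the SHA-256 before uploading anything that might be sensitive. A clean scan is worth exactly what the thread shows it is worth: the definitions from the day before missed this sample, so the member hashes and the `MZ` check are the parts to trust.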
Checked with MSE and Malwarebytes, didn't find anything. My MSE definitions were from yesterday. Updated to today's, and it found it. I was just curious how current the spam viruses are, and apparently they're fresh out of the oven.
 
Quote:
I see many of these every day. The attachment they link to is usually an HTML doc or a zip file with an exe, with a Java exploit that installs a fake AV on your system.

Whenever I see them, I think to myself, "Job Security"

Ditto.
 
Quote:
Checked with MSE and Malwarebytes, didn't find anything. My MSE definitions were from yesterday. Updated to today's, and it found it. I was just curious how current the spam viruses are, and apparently they're fresh out of the oven.

This is why as a programmer I never ran AV on my system. Just don't click on those things. Don't go to those sites that can infect you. Periodically run a system scan.

Anti-virus can only protect from known infections unless you go with a really performance-killing type. So if it's a new virus, and pretty much any virus you see in the news going around and infecting everyone is new, there's no protection from it yet.

When our office would get a new virus in an email, all of us programmers would laugh and open it up in TextPad to see how they wrote it. It was usually the same code, just with a few lines changed.

This is a programmers-only stance, and a system-without-sensitive-data stance. Wasn't going to take any risks when I had to write software for a company with a large amount of cash to protect. Turned on AVG.

Point being, a lot of what I've seen in the anti-virus world is a sham and basically selling people stuff using scare tactics. It gives people a false sense of security, and every really screwed up computer loaded with trojans and viruses I have had to fix had an active anti-virus running (*points* Norton and McAfee). Even with an anti-virus, you still need to not be stupid.

EDIT: Yes, I use anti-virus. I just realize it doesn't give me free rein to go to questionable web sites, click on any old attachment, or go about my business without keeping my eyes open.
 
Got the headers of the original message? I'll show you where it came from. Also:

Quote:
This is why as a programmer I never ran AV on my system. Just don't click on those things. Don't go to those sites that can infect you.

Problem is these days legitimate sites can be inadvertently hosting malware through something like a Cross-Site Scripting vulnerability or clickjacking technique. Facebook, Twitter, a hospital's website in my area, heck even my city's news site all became inadvertent malware launchers due to being exploited by XSS. Even though most AV products are a step behind the latest threats, they can still flag down a lion's share of the virus/malware payloads that come through an exploit like this.

(Disclaimer: I do work for a company that sells network security solutions in hardware/software/cloud platforms, but I do have some experience in tracking things like these down)
 
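Reading the Received chain is how the last poster would "show where it came from". The following is an added example, not the poster's own tool: it parses a constructed set of headers with the standard library, walks the Received lines from the top and keeps only the contiguous run written by the recipient's own MTAs, then reports the IP that handed the message to the bottom-most of those. Every Received line below that point was supplied by the sender and can be forged, so it is listed separately as unverifiable. It also compares the From: domain with the Return-Path domain. All hostnames, mailbox addresses and IPs in the sample are assumptions (example.org stands for the recipient, RFC 5737 documentation addresses for the hops), and the trusted-MTA suffix is a parameter you set to your own mail domain.

```python
"""Trace a message's origin from its Received chain (added example)."""
import email
import email.utils
import ipaddress
import re

# Constructed headers, not the ones from the thread. example.org is the recipient,
# example.net / example.com the claimed sender, and the IPs are documentation
# addresses. The bottom Received line is the kind of forged hop a sender can add.
SAMPLE_HEADERS = """\
Return-Path: <bounce-8813@example.com>
Received: from mx2.example.org (mx2.example.org [192.0.2.20])
        by imap.example.org with ESMTP id 1AbC23
        for <victim@example.org>; Thu, 23 Sep 2010 13:01:02 -0700
Received: from host-203-0-113-77.isp.example (unknown [203.0.113.77])
        by mx2.example.org (Postfix) with SMTP id 9XyZ87
        for <victim@example.org>; Thu, 23 Sep 2010 13:01:01 -0700
Received: from mail.facebook.example (mail.facebook.example [10.1.2.3])
        by host-203-0-113-77.isp.example with ESMTP; Thu, 23 Sep 2010 13:00:59 -0700
From: "Facebook Security" <security@example.net>
To: victim@example.org
Subject: Facebook password details changed.

"""

# "from <helo> (<rdns> [<ip>]) by <host> ..." as most MTAs write it; the
# parenthesised part is optional because some relays omit it.
RECEIVED_RE = re.compile(
    r"\bfrom\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?![\d.])")


def parse_hop(value: str):
    """Return {'helo', 'ip', 'by'} for one Received header, or None if unparseable."""
    value = " ".join(value.split())          # unfold continuation lines
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    from_clause = value[m.start():m.start("by")]   # everything before the receiving host
    ip = None
    ip_m = IPV4_RE.search(from_clause)
    if ip_m:
        try:
            ip = ipaddress.ip_address(ip_m.group(1))
        except ValueError:
            ip = None
    return {"helo": m.group("helo"), "ip": ip, "by": m.group("by").rstrip(";,")}


def domain_of(header_value) -> str:
    return email.utils.parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def trace(raw_headers: str, trusted_mta_suffix: str) -> dict:
    msg = email.message_from_string(raw_headers)
    hops = [h for h in map(parse_hop, msg.get_all("Received", [])) if h]
    suffix = trusted_mta_suffix.lower()
    # Received headers are prepended in transit: index 0 is the newest hop, the
    # last element the one nearest the sender. Walk down while the receiving
    # host is ours AND the hop above says it received from that same host, so a
    # forged line further down that merely claims "by mx.ours" is not trusted.
    edge = None
    for i, hop in enumerate(hops):
        ours = hop["by"].lower().endswith(suffix)
        linked = i == 0 or hops[i - 1]["helo"].lower() == hop["by"].lower()
        if ours and linked:
            edge = i
        else:
            break
    origin = hops[edge] if edge is not None else None
    unverifiable = hops[edge + 1:] if edge is not None else hops
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    return {
        "origin_ip": str(origin["ip"]) if origin and origin["ip"] else None,
        "origin_helo": origin["helo"] if origin else None,
        "unverifiable_hops": [{"helo": h["helo"], "ip": str(h["ip"]) if h["ip"] else None}
                              for h in unverifiable],
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "envelope_header_mismatch": from_domain != return_path_domain,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(trace(SAMPLE_HEADERS, "example.org"), indent=2))
```

Two caveats for real mail. A From/Return-Path mismatch is a weak signal on its own, since legitimate bulk senders routinely bounce to a different domain; the origin IP is the part worth looking up. And the chain-continuity check assumes your internal relays HELO with the same name they are recorded under; if yours do not, match on your MTAs' exact hostnames instead of a suffix.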