Worldpay CARD Transaction Confirmation Spam/Virus

June 25th, 2009

This afternoon I received an email with the subject “Worldpay CARD transaction Confirmation“, which instantly caught my attention because I use Worldpay while paying off one of my credit cards, and for a moment I wondered if I had done it and forgotten about it.

The email content was as follows:

Thank you!

Your transaction has been processed by WorldPay, on behalf of Amazon Inc.

The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Amazon Inc has received your order,
and will inform you about delivery.
Sincerely,
Amazon Team

This confirmation only indicates that your transaction has been processed successfully.
It does not indicate that your order has been accepted.
It is the responsibility of Amazon Inc to confirm that your order has been accepted, and to deliver any goods or services you have ordered.

All very convincing and official-looking, but Amazon doesn’t use Worldpay, and the email was not sent to amazon@<my email domain> – it was sent to my office address which is only used for, well, office stuff.

The email attachment is a simple HTML file, so it is not flagged as anything dodgy by the mail scanner, but it comprises a single META REFRESH line directing you to an executable file hosted elsewhere, so don’t open the attachment.
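As an added illustration (not from the original post), this is the kind of check a mail gateway can run over an HTML attachment: it pulls out every META REFRESH target and flags the attachment when the redirect points at an executable. The sample attachment and the host example.invalid are constructed, not the real file or server.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# File extensions a mail gateway should treat as executable payloads.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi")


class MetaRefreshParser(HTMLParser):
    """Collects every <meta http-equiv="refresh"> target in the document."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":  # HTMLParser lower-cases tag and attribute names
            return
        attrs = {name: (value or "") for name, value in attrs}
        if attrs.get("http-equiv", "").lower() != "refresh":
            return
        # content looks like "0;url=http://host/path" (case and spacing vary)
        match = re.search(r"url\s*=\s*['\"]?([^'\"]+)", attrs.get("content", ""), re.I)
        if match:
            self.targets.append(match.group(1).strip())


def meta_refresh_targets(html):
    """Return the list of redirect URLs found in META REFRESH tags."""
    parser = MetaRefreshParser()
    parser.feed(html)
    return parser.targets


def is_suspicious_attachment(html):
    """True when any META REFRESH in the attachment points at an executable file."""
    for url in meta_refresh_targets(html):
        if urlparse(url).path.lower().endswith(EXECUTABLE_EXTENSIONS):
            return True
    return False


# Constructed sample modelled on the attachment described above (not the real file).
SAMPLE_ATTACHMENT = (
    "<html><head>"
    '<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://example.invalid/invoice/WorldPay_invoice.exe">'
    "</head><body></body></html>"
)

if __name__ == "__main__":
    print(meta_refresh_targets(SAMPLE_ATTACHMENT))
    print(is_suspicious_attachment(SAMPLE_ATTACHMENT))
```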

‘Your internet access is going to get suspended’ Email

November 10th, 2008

If you receive an email with the subject ‘Your internet access is going to get suspended’ then don’t panic – it’s another virus doing the rounds that sends out these worryingly-phrased emails in an attempt to trick you into running the attachment and infecting yourself with the payload. Several sites have picked up on it, and a few of the popular virus scanning packages had spotted it already.

The message reads:

Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of
software authors, artists.  We conduct regular wiretapping on our networks,
to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have
attached. We strongly advise you to stop your activities regarding the illegal
downloading of copyrighted material of your internet access will be suspended.

Sincerely
ICS Monitoring Team

The message contains a randomly-named zip file of the form user-XXXXXXXX-activities.zip; once extracted, the file inside is user-XXXXXXXX-activities.exe, where XXXXXXXX is a string of random characters.

The malware registers a Winlogon notification package so that the installed module is loaded into the address space of winlogon.exe. The files cabpck.dll (known as Mal/TinyDL-T by Sophos), k86.bin and krnlcab.sys (known as Backdoor:Win32/Haxdoor by Microsoft) are created in the %System% folder.

A directory %Temp%\msi_setup will be created and a new connection with some host is made: http://****-****.biz/jerken/data.php?trackid=706172616D3D6 or http://*****.net/22/data.php?trackid=706172616D3D636D64266C616E6
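As an added example (my own code, not part of the original post or the malware write-ups it cites), here is a small triage helper for the two artefacts described above: it quarantines an attachment whose name matches the user-XXXXXXXX-activities.zip lure or whose archive contains a PE executable, and it decodes the hex trackid parameter of the beacon URL into readable text. The zip it builds is a constructed fake with a bare ‘MZ’ stub, and example.invalid stands in for the redacted host.

```python
import io
import re
import zipfile
from urllib.parse import urlparse, parse_qs

# Attachment naming pattern quoted in the post: user-XXXXXXXX-activities.zip
LURE_NAME = re.compile(r"^user-[A-Za-z0-9]{8}-activities\.zip$", re.I)
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def inspect_attachment(filename, data):
    """Return a list of reasons to quarantine; an empty list means nothing matched."""
    reasons = []
    if LURE_NAME.match(filename):
        reasons.append("filename matches user-XXXXXXXX-activities.zip lure pattern")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if member.filename.lower().endswith(EXECUTABLE_EXTENSIONS):
                    reasons.append(f"archive contains executable: {member.filename}")
                # PE files start with the two-byte 'MZ' signature whatever they are named
                with zf.open(member) as fh:
                    if fh.read(2) == b"MZ":
                        reasons.append(f"member has PE header: {member.filename}")
    except zipfile.BadZipFile:
        reasons.append("attachment is not a valid zip archive")
    return reasons


def decode_trackid(url):
    """Decode the hex 'trackid' query parameter of the beacon URL into text.
    An odd-length hex string (as quoted in the post) has its trailing nibble dropped."""
    hexstr = parse_qs(urlparse(url).query).get("trackid", [""])[0]
    hexstr = hexstr[: len(hexstr) // 2 * 2]
    return bytes.fromhex(hexstr).decode("ascii", errors="replace")


def build_sample_zip():
    """Constructed stand-in for the attachment: a fake PE stub, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("user-AB12CD34-activities.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_attachment("user-AB12CD34-activities.zip", build_sample_zip()))
    # trackid value taken from the post; the host is a placeholder for the redacted one
    print(decode_trackid("http://example.invalid/22/data.php?trackid=706172616D3D636D64266C616E6"))
```

The longer trackid decodes to the start of a query string (param=cmd&lan...), which is a useful thing to know when writing a proxy rule for the beacon.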

It makes a change from the usual ‘Please find your receipt attached’ approach, but my main concern is the number of clients who will instantly think they’ve done something wrong and go ahead and get infected.

Email Exchange of the Week

April 25th, 2007

By now, many of you will be well aware of my hatred for all things MySpace-related. Here’s a typical email exchange, illustrating just why I detest them…

    Subject: you are downloaded stuff to my computer without my permission
    i do not know why u r pop up on my screen but can u please tnot pop up

Sure, I can ‘tnot pop up’. Suspecting another d04.net scam, since the email had come in via the d04.net account, I wrote back:

    Hi,

    D04.net does not download anything to anyone’s computer. It is a simple web page. Please read about what d04.net is before emailing. Thanks.

    http://www.d04.net/

    What link did you click on to get to the website? What site did it link to? (It should end in d04.net if it’s on our service.)

    D

Of course, that didn’t actually make the writer stop and think…

    yes it does it putting nasty web sites on my comnputer thank i have alrwady report it to spam any way u do not know what u are talking about every time i trying to send someone a message a my space your web site po up why

Oh noes! I’ve been ‘alrwady report to spam’! I write back again…

    Please tell me what address is at the top of the page. Do you see a blue bar across the top with a ‘Report This Site’ button on it? If so, please click the button and I will know what site you are talking about.

    Please don’t tell me what my site does or doesn’t do – I wrote it. If you are not willing to answer the questions I ask, I can’t help you.

    D

But no, I was WRONG! I obviously DON’T know what my own website does…

    yes it does when i try to get on my space to send message to some one why do your web page come up u know i am going to report u to spam

Perhaps my web page comes up because.. I dunno.. you’re not looking at MySpace anymore or something equally impossible? Honestly, I couldn’t be bothered to write back after this because it was only going to go downhill from here. Sheesh!

Sunday Morning Laptop Repair

June 25th, 2006

One of those strange coincidences happened whereby I’ve got two laptops to clean up over the same weekend. The first is having problems getting rid of a popup that tries to flog the owner some dodgy antivirus crap, and the second is just running as slow as a sloth on valium.

With the home page hijacked and changed to www.syssecuritysite.com it wasn’t difficult to ascertain that the first machine had been hijacked by a Smitfraud variant. This seems to have come from a bizarre video codec download which in turn was bundled (probably illegally) with Virtual Girl 2. Yes folks, the lust for desktop porn has claimed another victim.

So, to clean up – the very first thing I did was remove VG2, because this is a work machine and you really shouldn’t be installing this crap on a work PC. Next up was a standard run-through/remove with AdAware and Spybot Search & Destroy, and finally I downloaded SmitfraudFix by S!ri, rebooted into Safe Mode and used the Scan and Clean options to get rid of the last few pieces of crap.

Interesting point to note: Smitfraud appears to launch several processes at once which keep an eye on each other so that if one of them is ended, the other(s) will relaunch it to keep the whole thing running. This means it’s pretty difficult to remove without booting into Safe Mode.

A quick reboot and scan and all’s well – now on to the next machine.