New Mytob Spamming!
Hmmm….seems to have been a busy week so far, a new Bropia variant spreading yesterday and we have a new Mytob spreading today! [Insert deity of choice here] knows what the rest of the week will bring?
So, what do we know about the new Mytob variant so far?

Well the e-mail looks like this, with one of two known subject lines, these being either:
ACCOUNT ALERT
or
Account Alert
The body of the e-mail looks something like this, with a few variable items, such as the domain and the phishing-like URL:
Dear Valued Member,
According to our terms of services, you will have to confirm your e-mail by the following link, or your account will be suspended within 24 hours for security reasons.
http://www.[Random or local domain name]/confirm.php?account=[e-mail address it was sent to]
After following the instructions in the sheet, your account will not be interrupted and will continue as normal.
Thanks for your attention to this request. We apologize for any inconvenience.
Sincerely, [Random] Abuse Department
There is NO attachment and the URL in the e-mail is bogus and goes to one of several IP addresses to attempt to download the malware [payload] itself.
The From address used for the e-mail is taken from the infected system which sent the e-mail and the address is FORGED.
As I write this, detection is somewhat patchy, with only SOPHOS, Kaspersky, Avast, AntiVir, e-Trust and Ikarus currently detecting it. However, I expect that by the end of the day all of the anti-virus vendors will have detection updates available.
If you are naive enough to click on the URL, unlucky enough for the file to be downloaded [file name is: “Confirmation_Sheet.pif”] and then execute the downloaded file, your system will become infected and start spamming people with e-mails like the one you received.
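The lure described above has a fixed shape: a subject of ACCOUNT ALERT / Account Alert, no attachment, and a link to confirm.php?account= carrying the recipient's own address. The following Python script is an added example (not part of the original post) that parses a mail message and flags those traits, so a mail gateway or incident responder can pick out this wave without relying on an AV signature. The sample message is constructed from the template quoted in the post; the sender, recipient and domain are placeholders, not real indicators.

```python
import email
import re
from email.message import Message

# Constructed sample modelled on the lure quoted in the post. Addresses and
# domain are placeholders, not observed values.
SAMPLE_EML = """\
From: someone@example.com
To: victim@example.org
Subject: ACCOUNT ALERT
Content-Type: text/plain; charset="us-ascii"

Dear Valued Member,
According to our terms of services, you will have to confirm your e-mail by the following link, or your account will be suspended within 24 hours for security reasons.
http://www.example.org/confirm.php?account=victim@example.org
After following the instructions in the sheet, your account will not be interrupted and will continue as normal.
Thanks for your attention to this request. We apologize for any inconvenience.
Sincerely, Example Abuse Department
"""

# Constructed benign message used to show the negative case.
BENIGN_EML = """\
From: colleague@example.com
To: victim@example.org
Subject: Lunch

See you at noon.
"""

# Both observed subject spellings differ only in case.
SUBJECT_RE = re.compile(r"^\s*account alert\s*$", re.IGNORECASE)
# The lure URL path and query string are constant; the domain varies.
LURE_URL_RE = re.compile(r"https?://\S+/confirm\.php\?account=([^\s&]+)", re.IGNORECASE)


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "us-ascii"
            parts.append(payload.decode(charset, errors="replace"))
    return "\n".join(parts)


def has_attachment(msg: Message) -> bool:
    """True if any MIME part carries a filename (the lure carries none)."""
    return any(part.get_filename() for part in msg.walk())


def classify(raw: str) -> dict:
    """Score one raw RFC 822 message against the lure's known traits."""
    msg = email.message_from_string(raw)
    subject = msg.get("Subject", "")
    recipient = (msg.get("To") or "").strip().lower()
    m = LURE_URL_RE.search(body_text(msg))
    result = {
        "subject_match": bool(SUBJECT_RE.match(subject)),
        "lure_url": m.group(0) if m else None,
        # The link echoes the address the mail was sent to.
        "url_echoes_recipient": bool(m) and m.group(1).lower() == recipient,
        "no_attachment": not has_attachment(msg),
    }
    # Subject plus the distinctive URL is enough to call it; the other two
    # traits are supporting evidence for a reviewer.
    result["verdict"] = (
        "mytob_lure" if result["subject_match"] and result["lure_url"] else "clean"
    )
    return result


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(name, classify(raw))
```

Because the From address is forged from the infected host's address book, it is deliberately not used as a signal here; the subject and the confirm.php link are the stable parts of the wave.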
Details on the downloaded file:
FileName: Confirmation_Sheet.pif
FileDateTime: 23/05/2006 15:22:26
Filesize: 105472
MD5: f86115cd2ade54cdcfdbeb9037f98c43
CRC32: 44742219
File Type: PE Executable
There seems to be a second variant out with another file of the same name from another IP address and with different properties:
FileName: Confirmation_Sheet.pif
FileDateTime: 23/05/2006 15:10:08
Filesize: 104448
MD5: 04c8947f68c3e9b616fb544a50fa2ffc
CRC32: B0B85EAA
File Type: PE Executable
So, you won’t get infected if you don’t download and run the file by clicking on the ‘phishing-like’ URL [web-link] in the e-mail. Just delete them instead as they are nothing more than spam with a link to a malware file.
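The two file listings above give size, MD5 and CRC32 for each variant. The following Python script is an added example, not part of the original post, that computes the same three values for a file, checks for the PE magic the post reports, and matches the result against the indicators copied from the listings, so a suspect download can be triaged against this post offline. The test bytes are constructed and will not match the real samples; the known-variant table holds only values that appear in the post.

```python
import hashlib
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    size: int
    md5: str
    crc32: str   # upper-case hex, as written in the post
    is_pe: bool  # starts with the "MZ" DOS header, i.e. a PE executable


# Indicators copied verbatim from the post's two listings of Confirmation_Sheet.pif.
KNOWN_VARIANTS = {
    "variant-1": Fingerprint(105472, "f86115cd2ade54cdcfdbeb9037f98c43", "44742219", True),
    "variant-2": Fingerprint(104448, "04c8947f68c3e9b616fb544a50fa2ffc", "B0B85EAA", True),
}


def crc32_hex(data: bytes) -> str:
    """CRC32 in the 8-digit upper-case hex form used in the listings."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08X}"


def fingerprint(data: bytes) -> Fingerprint:
    """Compute size, MD5, CRC32 and PE-magic check for a file's bytes."""
    return Fingerprint(
        size=len(data),
        md5=hashlib.md5(data).hexdigest(),
        crc32=crc32_hex(data),
        is_pe=data[:2] == b"MZ",
    )


def match_known(fp: Fingerprint):
    """Return the variant name whose MD5 matches, or None."""
    for name, known in KNOWN_VARIANTS.items():
        if fp.md5 == known.md5:
            return name
    return None


def triage(filename: str, data: bytes) -> dict:
    """Combine the file-name trait (.pif, an executable extension) with the hashes."""
    fp = fingerprint(data)
    return {
        "filename": filename,
        "pif_extension": filename.lower().endswith(".pif"),
        "size": fp.size,
        "md5": fp.md5,
        "crc32": fp.crc32,
        "is_pe": fp.is_pe,
        "known_variant": match_known(fp),
    }


if __name__ == "__main__":
    # Constructed stand-in: a PE-style header followed by filler, not a real sample.
    fake = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 100
    print(triage("Confirmation_Sheet.pif", fake))
```

A match on MD5 alone is sufficient to tie a file to one of the two listed variants; the size and CRC32 are kept so a reviewer can cross-check a listing that reports only those fields.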
More to follow as I get it…..stay tuned!
Links to descriptions:
Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.
All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog's new home.
ALL future postings will only be available at the new site.

