The Anatomy of An Attack

by Brian on April 1, 2010

In the ‘good old days’ of the Internet, virus writers were just out to make computers do silly things like play a song randomly or change the desktop background to something dirty. In recent years, virus writing has become a big (evil) business. Virus writers have gotten very smart and very tricky.

There are many different psychological angles virus writers can take when they attempt to infiltrate your computer. What follows describes only one of the MANY methods a virus can use to attack your computer, one I would call a “hybrid phishing” scheme: a believable story in the message is used to get you to open an infected attachment.

I received this email early Sunday morning from an address I did not recognize (warning sign #1). My immediate suspicions were confirmed when I read the subject line “your Adds have stopped running!”. I knew the email was a fake because the only online ads I run are through Google and Facebook, and this sender’s email matched neither.

You can read the email below. It uses poor spelling and says they have received a wire transfer of $25K from my company. The sender asks what services the money was for and claims that the attached (infected) file is a copy of the transfer from their bank.

Kids, don’t try this at home…

Knowing this was very likely a virus file, I VERY CAREFULLY downloaded the file and uploaded it to an online virus scan service. I have pasted the results below; they confirmed my suspicion: this is a brand new virus.

Only about a third of the antivirus engines (8 of the 26 listed below) even knew this virus existed. This is often called a “Zero Day Attack”, because the virus is released and spreads before the antivirus companies catch on and release updates to protect you from infection. (Strictly, “zero-day” refers to an exploit for a flaw the vendor has not yet patched; the point here is simply that signatures lag behind new samples, so even a fully updated scanner can miss a fresh file.)
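Here is the kind of triage I would do on such an attachment before (or instead of) handing it to a scanner, as an added example that is not part of the original post. It never opens or executes the file: it hashes it (the hashes are what you look up on a scanning service), reads the leading bytes to see what the file really is, and flags a mismatch between the claimed extension and the real container, which is the usual trick behind an executable named something.doc. The sample bytes are a constructed stand-in (an MZ header plus padding), not the real ntkr.doc; the `triage` and `detection_ratio` helpers and the “suspicious” rule are this example's own; the engine verdicts are transcribed from the scan listing further down this page.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Well-known magic bytes -> short container label.
MAGIC: List[Tuple[bytes, str]] = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                          # .docx/.xlsx/.zip/.jar
    (b"MZ", "pe"),                                   # Windows executable (.exe/.dll/.scr)
    (b"%PDF", "pdf"),
]

# Container each claimed extension is allowed to have.
EXPECTED: Dict[str, set] = {
    "doc": {"ole2"}, "xls": {"ole2"}, "ppt": {"ole2"},
    "docx": {"zip"}, "xlsx": {"zip"}, "zip": {"zip"},
    "pdf": {"pdf"},
    "exe": {"pe"}, "dll": {"pe"}, "scr": {"pe"},
}


def identify(data: bytes) -> Optional[str]:
    """Return the container label for the leading bytes, or None if unrecognised."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return None


def triage(filename: str, data: bytes) -> dict:
    """Inspect an attachment without opening it.

    Hashes are for looking the sample up elsewhere; 'extension_mismatch' is
    True when the bytes are not the kind of file the name claims; 'suspicious'
    is this example's own rule: a mismatch, a bare executable, or an unknown type.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = identify(data)
    expected = EXPECTED.get(ext)
    mismatch = expected is not None and actual not in expected
    return {
        "filename": filename,
        "extension": ext,
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "type": actual,
        "extension_mismatch": mismatch,
        "suspicious": mismatch or actual == "pe" or actual is None,
    }


def detection_ratio(results: Dict[str, Optional[str]]) -> Tuple[int, int]:
    """(engines that returned a verdict, engines that scanned)."""
    detected = sum(1 for verdict in results.values() if verdict)
    return detected, len(results)


# Constructed stand-in for a 'document' that is really a PE executable:
# just an MZ header plus padding. It is not ntkr.doc and does not run.
SAMPLE_ATTACHMENT = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56

# Engine verdicts transcribed from the scan listing on this page (None = no detection).
PAGE_RESULTS: Dict[str, Optional[str]] = {
    "a-squared": "Trojan-Dropper!IK", "AhnLab-V3": None, "AntiVir": "TR/Dropper.Gen",
    "Antiy-AVL": None, "Authentium": None, "Avast": None, "Avast5": None, "AVG": None,
    "BitDefender": "Trojan.Downloader.JMZC", "CAT-QuickHeal": None, "ClamAV": None,
    "Comodo": None, "DrWeb": None, "eSafe": None, "eTrust-Vet": None, "F-Prot": None,
    "F-Secure": "Trojan-Dropper:W32/Agent.DIQH", "Fortinet": None,
    "GData": "Trojan.Downloader.JMZC", "Ikarus": "Trojan-Dropper", "Jiangmin": None,
    "K7AntiVirus": None, "Kaspersky": None, "McAfee": None,
    "McAfee+Artemis": "Artemis!60DF604563A1", "McAfee-GW-Edition": "Trojan.Dropper.Gen",
}

if __name__ == "__main__":
    report = triage("ntkr.doc", SAMPLE_ATTACHMENT)
    for key, value in report.items():
        print(f"{key}: {value}")
    hits, total = detection_ratio(PAGE_RESULTS)
    print(f"detected by {hits} of {total} engines ({100 * hits // total}%)")
```

Keeping the MD5 alongside the SHA-256 is deliberate: the McAfee+Artemis verdict on this page is a hash-based reputation hit whose name is the first twelve hex digits of the file's MD5, so the hash alone is enough to match the sample against that listing without ever opening it.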

How can you stay protected? Here are the basics:

1.) Keep your antivirus program up to date. If you have a business network, use a server-based managed antivirus solution. (contact me for details)

2.) Keep your operating system fully up to date through Windows Update, and keep the programs that open attachments (Office, Adobe Reader, your browser) updated too.

3.) DELETE emails from people you don’t know

4.) Be very cautious of email attachments, even from people you know and trust. A sender address is trivial to forge, and an infected machine will happily mail its owner’s contacts.

5.) If you get an email that appears to be from your bank, PayPal, Facebook, or any other institution…DO NOT CLICK a link in the email. Instead, go directly to the company’s website by typing the address into your browser.
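Tip 5 is the one you can check mechanically: in an HTML email, the text you see and the address the link actually goes to are two different things. The following is an added example, not code from the original post, that pulls every link out of a message body and flags the ones where the visible text is a URL pointing somewhere other than the href, where the target is a bare IP address, or where the target is not the institution’s own domain. It goes a little beyond the post’s advice by also catching the look-alike subdomain trick (bank.example.verify-account.test). The sample message, the `bank.example` domain and the helper names are constructed for the illustration; `registrable_domain` just takes the last two labels and ignores the public-suffix list, so treat it as a heuristic.

```python
import re
from html.parser import HTMLParser
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Does the visible link text itself look like a URL or domain name?
URLISH = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL; bare 'www.x.example/path' text is treated as http://."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Last two labels only: a simplification that ignores the public-suffix list (co.uk etc.)."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def suspicious_links(html: str, trusted_domains: Iterable[str] = ()) -> List[dict]:
    """Return the links a reader should not click, with the reason for each."""
    trusted = {d.lower() for d in trusted_domains}
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        reasons = []
        if URLISH.match(text) and registrable_domain(host_of(text)) != registrable_domain(target):
            reasons.append("visible URL differs from href target")
        if IPV4.fullmatch(target):
            reasons.append("target is a bare IP address")
        if trusted and registrable_domain(target) not in trusted:
            reasons.append("target is not the institution's domain")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed phishing body. bank.example, the .test host and 198.51.100.23
# are reserved documentation names/addresses, not real sites.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been limited.</p>
<p>Please log in at <a href="http://198.51.100.23/login">https://www.bank.example/login</a></p>
<p>Or <a href="http://bank.example.verify-account.test/">click here</a> to verify.</p>
<p>Contact <a href="https://www.bank.example/help">support</a> if you need assistance.</p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL, trusted_domains=("bank.example",)):
        print(f"{finding['text']!r} -> {finding['href']}: {', '.join(finding['reasons'])}")
```

Pass `trusted_domains` as the registrable domain of the institution the mail claims to come from; without it the check still catches the display-text mismatch and the raw IP, but not the look-alike host. The post’s advice stands either way, since typing the address yourself sidesteps the question entirely.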

It’s a dangerous world out there, folks. Call me for a FREE network analysis to make sure that your network has all of the protections it needs.

Brian Vance

President

PC TLC, Inc.

812-499-9587

www.pctlc.com

The email I received is pasted here:

From: Lupe Cooley <l.cooley_ae@minimaxconsulting.com>

To: my email

Date: Sun, Mar 28, 2010 at 12:11 AM

Subject: Your adds have stopped running!

we have received an $25,122 wire transfer from your company. We have no ideea how this transfer was placed in our account but your email address was in the note for beneficiary section. Attached is a copy of the incomming transfer provided by our bank.Please reply and let us know for what services was the transfer sent to our account…

File Attached: ntkr.doc (virus)

Here are the results from the Online Virus Scan Service:

Antivirus           Version        Last Update   Result
a-squared           4.5.0.50       2010.03.29    Trojan-Dropper!IK
AhnLab-V3           5.0.0.2        2010.03.29    -
AntiVir             7.10.5.247     2010.03.29    TR/Dropper.Gen
Antiy-AVL           2.0.3.7        2010.03.29    -
Authentium          5.2.0.5        2010.03.29    -
Avast               4.8.1351.0     2010.03.29    -
Avast5              5.0.332.0      2010.03.29    -
AVG                 9.0.0.787      2010.03.29    -
BitDefender         7.2            2010.03.29    Trojan.Downloader.JMZC
CAT-QuickHeal       10.00          2010.03.29    -
ClamAV              0.96.0.0-git   2010.03.29    -
Comodo              4426           2010.03.29    -
DrWeb               5.0.2.03220    2010.03.29    -
eSafe               7.0.17.0       2010.03.28    -
eTrust-Vet          35.2.7394      2010.03.29    -
F-Prot              4.5.1.85       2010.03.29    -
F-Secure            9.0.15370.0    2010.03.29    Trojan-Dropper:W32/Agent.DIQH
Fortinet            4.0.14.0       2010.03.29    -
GData               19             2010.03.29    Trojan.Downloader.JMZC
Ikarus              T3.1.1.80.0    2010.03.29    Trojan-Dropper
Jiangmin            13.0.900       2010.03.29    -
K7AntiVirus         7.10.1004      2010.03.22    -
Kaspersky           7.0.0.125      2010.03.29    -
McAfee              5934           2010.03.28    -
McAfee+Artemis      5934           2010.03.28    Artemis!60DF604563A1
McAfee-GW-Edition   6.8.5          2010.03.29    Trojan.Dropper.Gen

(- = engine scanned the file and reported nothing; 8 of the 26 engines listed flagged it)
