In the ‘good old days’ of the Internet, virus writers were just out to make computers do silly things like play a song randomly or change the desktop background to something dirty. In recent years, virus writing has become a big (evil) business. Virus writers have gotten very smart and very tricky.
There are many different psychological angles virus writers can take when they attempt to infiltrate your computer. The following paragraphs describe only one of the MANY methods a virus can use to attack your computer. The attack I will describe below is what I would call a “hybrid phishing” scheme.
I received this email early Sunday morning from an address I did not recognize (warning sign #1). My immediate suspicions were confirmed when I read the subject line “your Adds have stopped running!”. I knew the email was a fake because the only online ads I run are through Google and Facebook, and this sender’s email matched neither.
You can read the email below. It uses poor spelling and says they have received a wire transfer of $25K from my company. The virus writer asks what services the money was for and suggests that the attached (infected) file contains information about this wire transfer.
Kids, don’t try this at home…
Knowing this was very likely a virus file, I VERY CAREFULLY downloaded the file and uploaded it to an online virus scan service. The results, pasted below, confirmed my suspicion: this is a brand new virus.
Only about 1/3 of the antivirus engines out there even know this virus exists. We call this a “Zero Day Attack”, because the virus is released and spreads before the antivirus companies can catch on and release updates to protect you from infection.
How can you stay protected? Here are the basics:
1.) Keep your antivirus program up to date. If you have a business network, use a server-based managed antivirus solution. (contact me for details)
2.) Keep your operating system fully up to date through Windows Update
3.) DELETE emails from people you don’t know
4.) Be very cautious of email attachments, even from people you know and trust
5.) If you get an email that appears to be from your bank, PayPal, Facebook, or any other institution…DO NOT CLICK a link in the email. Instead, go directly to the company’s website by typing the address into your browser.
It’s a dangerous world out there, folks. Call me for a FREE network analysis to make sure that your network has all of the protections it needs.
Brian Vance
President
PC TLC, Inc.
812-499-9587
The email I received is pasted here:
we have received an $25,122 wire transfer from your company. We have no ideea how this transfer was placed in our account but your email address was in the note for beneficiary section. Attached is a copy of the incomming transfer provided by our bank.Please reply and let us know for what services was the transfer sent to our account…
File Attached: ntkr.doc (virus)
Here are the results from the Online Virus Scan Service:
Antivirus | Version | Last Update | Result
a-squared | 4.5.0.50 | 2010.03.29 | Trojan-Dropper!IK
AhnLab-V3 | 5.0.0.2 | 2010.03.29 | –
AntiVir | 7.10.5.247 | 2010.03.29 | TR/Dropper.Gen
Antiy-AVL | 2.0.3.7 | 2010.03.29 | –
Authentium | 5.2.0.5 | 2010.03.29 | –
Avast | 4.8.1351.0 | 2010.03.29 | –
Avast5 | 5.0.332.0 | 2010.03.29 | –
AVG | 9.0.0.787 | 2010.03.29 | –
BitDefender | 7.2 | 2010.03.29 | Trojan.Downloader.JMZC
CAT-QuickHeal | 10.00 | 2010.03.29 | –
ClamAV | 0.96.0.0-git | 2010.03.29 | –
Comodo | 4426 | 2010.03.29 | –
DrWeb | 5.0.2.03220 | 2010.03.29 | –
eSafe | 7.0.17.0 | 2010.03.28 | –
eTrust-Vet | 35.2.7394 | 2010.03.29 | –
F-Prot | 4.5.1.85 | 2010.03.29 | –
F-Secure | 9.0.15370.0 | 2010.03.29 | Trojan-Dropper:W32/Agent.DIQH
Fortinet | 4.0.14.0 | 2010.03.29 | –
GData | 19 | 2010.03.29 | Trojan.Downloader.JMZC
Ikarus | T3.1.1.80.0 | 2010.03.29 | Trojan-Dropper
Jiangmin | 13.0.900 | 2010.03.29 | –
K7AntiVirus | 7.10.1004 | 2010.03.22 | –
Kaspersky | 7.0.0.125 | 2010.03.29 | –
McAfee | 5934 | 2010.03.28 | –
McAfee+Artemis | 5934 | 2010.03.28 | Artemis!60DF604563A1
McAfee-GW-Edition | 6.8.5 | 2010.03.29 | Trojan.Dropper.Gen