Dilbertic

Ongoing virus JS/TrojanDownloader.Nemucod.LP trojan

For months now this spammer keeps sending me an invoice style email with an attachment that contains virus JS/TrojanDownloader.Nemucod.LP trojan. My virus program always deletes it, but my question is why is SpamCop not detecting the virus and more so forged sender?

Dil

I take it that you have reported the emails? If so, a tracking link might be useful to help us troubleshoot.

As for the forged sender, the "From" header is notoriously unreliable as a clue to the true origin of an offending email. It has been a while since I've run my own email server, but one of the tests for suspicious emails I used for a while was to see if the From address matched the To address, on the assumption that sending an email to myself was unlikely.
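The From-equals-To test described in the reply above, combined with a check for the archive attachments reported in this thread, as an added example that is not part of any post and not SpamCop's own code. The function names, the reason labels, the script-extension list and the sample messages are all constructed assumptions for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

ARCHIVE_EXT = (".zip", ".rar")                # archive types mentioned in the thread
SCRIPT_EXT = (".js", ".jse", ".wsf", ".vbs")  # assumed list of script types to flag

def addresses(msg, header):
    """Lower-cased bare addresses from every occurrence of a header."""
    return {a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a}

def triage(raw):
    """Return the reasons a raw message looks suspicious (empty list = none)."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    # Heuristic from the post: mail "from" yourself is unlikely to be genuine.
    if addresses(msg, "From") & (addresses(msg, "To") | addresses(msg, "Cc")):
        reasons.append("from-matches-recipient")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(ARCHIVE_EXT):
            continue
        reasons.append("archive-attachment:" + name)
        if name.endswith(".zip"):  # only zip can be listed with the stdlib
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for member in zf.namelist():
                        if member.lower().endswith(SCRIPT_EXT):
                            reasons.append("script-in-zip:" + member)
            except zipfile.BadZipFile:
                reasons.append("unreadable-zip:" + name)
    return reasons

def build_sample(sender, recipient, attach_script):
    """Constructed test message; the 'script' is a harmless comment line."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, "Unpaid Invoice"
    msg.set_content("See attached.")
    if attach_script:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("invoice_scan.js", "// constructed placeholder, not malware\n")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample("me@example.org", "Me <ME@example.org>", True)))
    print(triage(build_sample("friend@example.net", "me@example.org", False)))
```

The From/To match is only a scoring signal: mailing lists and self-addressed notes trip it too, so it is better used to raise a message's score than to reject it outright.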

For months now this spammer keeps sending me an invoice style email with an attachment that contains virus JS/TrojanDownloader.Nemucod.LP trojan. My virus program always deletes it, but my question is why is SpamCop not detecting the virus and more so forged sender?

Dil

When SpamCop first started forwarding email, Cisco filtered it with Senderbase filtering for 12 months.

This filtering has now ceased, but it still forwards without filtering.

Reporting does shut spammers down.

Add to the notes that it contains a virus attachment.

I forward to Gmail, which effectively separates "spam from ham" and tells you if they detect a virus (even when zipped).

Wasn't sure which link you needed, since I posted this I am now getting 2 or 3 a day... Here is a copy to one of the past reports:

As noted in several places, the Report ID, you included, is only visible to you as the reporter.

You should have included the TRACKING URL, that is listed at the top of the screen after the spam has been processed.

SpamCop v 4.8.3 © 2016 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6223651099z24aec3a1a171a7531dd9af87bfae28eaz

Sorry about that, I got about 10 of them today and another 3 now after I reported the 1st ones, seem to get more after I report them. I have been cc'ing Report Malware and vulnerabilities to DHS by e-mail at cert[at]cert.org and soc[at]us-cert.gov.

https://www.spamcop.net/sc?id=z6225216524zd52e9f783eb50087d1edf424d9afee24z

https://www.spamcop.net/sc?id=z6225217422z65ad432db9248c160700f6b1f52cbfcfz

https://www.spamcop.net/sc?id=z6225217624z6ad6d023f15fe8e85da18286b65ff988z

Guess the spammer is on a mission to send out this malware to me.

Sorry about that, I got about 10 of them today and another 3 now after I reported the 1st ones, seem to get more after I report them. I have been cc'ing Report Malware and vulnerabilities to DHS by e-mail at cert[at]cert.org and soc[at]us-cert.gov.

https://www.spamcop.net/sc?id=z6225216524zd52e9f783eb50087d1edf424d9afee24z

https://www.spamcop.net/sc?id=z6225217422z65ad432db9248c160700f6b1f52cbfcfz

https://www.spamcop.net/sc?id=z6225217624z6ad6d023f15fe8e85da18286b65ff988z

Guess the spammer is on a mission to send out this malware to me.

That's all you can do.

115.99.249.190 was sent to the wrong address; it should be abuse[at]hathway.com and INCIDENT[at]cert-in.org.in

https://www.spamcop.net/sc?id=z6225217624z6ad6d023f15fe8e85da18286b65ff988z

This IP is infected (or NATting for a computer that is infected) with the kelihos spambot.

last detected at 2016-03-29 17:00 GMT (+/- 30 minutes), approximately 9 hours ago.

Thanks for the info, just think it's funny every time I report it, I get 2 or 3 more, I only used to get 1 a day now I am up to 9 or 10 a day that I am reporting them....

Thanks for the info, just think it's funny every time I report it, I get 2 or 3 more, I only used to get 1 a day now I am up to 9 or 10 a day that I am reporting them....

I'm in the same boat as you. I started receiving occasional emails back in late December and it has really picked up in intensity during the month of March. The subject is always something about Package Received, Order Delay, Unpaid Invoice, and the most creative one was something about a traffic camera picking me up in violation. Each email up until today has had an attached zip file. Now they're sending RAR files. I've been reporting these things as fast as they come in but it doesn't seem to help and I share your observation that it seems that the more I report the more I receive. I've also been forwarding this stuff to phishing-report[at]us-cert.gov. I really hope this gets resolved soon. It's frustrating.

I'm in the same boat as you. I started receiving occasional emails back in late December and it has really picked up in intensity during the month of March. The subject is always something about Package Received, Order Delay, Unpaid Invoice, and the most creative one was something about a traffic camera picking me up in violation. Each email up until today has had an attached zip file. Now they're sending RAR files. I've been reporting these things as fast as they come in but it doesn't seem to help and I share your observation that it seems that the more I report the more I receive. I've also been forwarding this stuff to phishing-report[at]us-cert.gov. I really hope this gets resolved soon. It's frustrating.

Botnets tend to do this: as more people create zombie/botnet computers by opening attachments or clicking links, the more they repeat sending the spam to you.

Depending on how bad your email provider is, a Windows program, Mailwasher, allows you to check for spam and report it.

zen.spamhaus.org is the better blocklist to use. Mailwasher just alerts you, and you can easily report and delete it from a POP server.
