Farelf
Posted April 25, 2007

The subject was Worm detected! and sure enough, as advertised, a worm was enclosed (in removal-77320.rar, truncated in the foregoing). Well, I thought it was worth a sardonic grin.

Malicious worm detected! No, really! says Trend Micro - naming it (or a near relative) WORM_NUWAR.AOP. Of the 31 AV apps at Virus Total, only McAfee found anything (W32/Nuwar[at]MM!rar) in the base64 encoded form in which it was transmitted. NAV found nothing.

"My" version, size and hashes:

size: 68481
md5.: 7dc509c2785c7e28623c3f4a348f8907
sha1: e43c3c52a9e068261aa1317dfb68d1a96e6c886d

Quite an unconvincing effort really - the little gif before the payload is in Courier font (faux plain text) with the following sage advice

Dear Customer,

Our robot has detected an abnormal activity from your IP adress on sending e-mails. Probably it is connected with the last epidemic of a worm which does not have official patches at the moment. We recommend you to install this patch to remove worm files and stop email sending, otherwise your account will be blocked. We archived the patch because the worm can modify unpacked exe files. You have to open archive file, enter password and run patch immediately.

Password: top01

Customer Support Center Robot.

Customer? Spelling? Grammar? I'm sure they'll get better. Then they just have to convince us to open files from people of whom we've never heard. And they imagine a good proportion of us would either not see the notice was an image or fail to recognize the significance if we did see. How lame. Yet some fall for it, apparently.
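A mail-triage sketch for the kind of message described in the post above, added here as an example and not part of the original post: it decodes the base64 attachment, records its size, MD5 and SHA-1 (the identifiers the poster lists), and flags a message whose only body is an image and which carries an archive. The sample bytes, the file name `removal-00000.rar` and the `image_only_lure` heuristic are constructed assumptions.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

ARCHIVE_EXT = (".rar", ".zip", ".7z")
# Constructed placeholder bytes, not real malware and not a valid archive or image.
SAMPLE_RAR = b"Rar!\x1a\x07\x00" + b"constructed placeholder payload"
SAMPLE_GIF = b"GIF89a" + b"constructed placeholder image"

def digests(data: bytes) -> dict:
    """Size and hashes of the decoded file, as one would record for a sample."""
    return {"size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def build_sample(with_archive: bool = True) -> bytes:
    """Constructed message shaped like the one described: image body plus archive."""
    m = EmailMessage()
    m["Subject"] = "Worm detected!"
    m.add_attachment(SAMPLE_GIF, maintype="image", subtype="gif", disposition="inline")
    if with_archive:
        m.add_attachment(SAMPLE_RAR, maintype="application",
                         subtype="octet-stream", filename="removal-00000.rar")
    return m.as_bytes()

def triage(raw: bytes) -> dict:
    msg = message_from_bytes(raw, policy=policy.default)
    rep = {"subject": str(msg["Subject"]), "attachments": [], "images": 0, "text_chars": 0}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""  # base64 removed here
        if name.lower().endswith(ARCHIVE_EXT):
            entry = {"name": name, **digests(data)}
            # Hash of the base64 text as transmitted; it never matches the decoded file.
            entry["sha1_as_sent"] = hashlib.sha1(part.get_payload().encode()).hexdigest()
            rep["attachments"].append(entry)
        elif part.get_content_type().startswith("image/"):
            rep["images"] += 1
        elif part.get_content_type() == "text/plain":
            rep["text_chars"] += len(data.strip())
    # Heuristic (assumption): archive attached and the only "body" is a picture of text.
    rep["image_only_lure"] = (bool(rep["attachments"]) and rep["images"] > 0
                              and rep["text_chars"] == 0)
    return rep

if __name__ == "__main__":
    print(triage(build_sample()))
```

Because the archive is password-protected and the password sits inside the image, the recorded hashes and the structural flag are the parts a mail gateway can act on without opening the archive.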
This topic is now archived and is closed to further replies.