Full circle for a Phishing Virus

[Lking]

In response to the following Phishing spam Confirm your details! I received the following from the abuse[at]retail.telecomitalia.it.

Antigen for SMTP found Body of Message infected with HTML/Phishbank.BZS virus.

The file is currently Removed. The message, "[spamCop (87.1.84.92) id:2702965566]Confirm your details! <message ref: 7<7-15>>", was

sent from Lou and was discovered in SMTP Messages\Inbound

located at Telecom Italia S.p.a/PTPMXC007RM001.

Been getting a few of this CitiBank Phish bate the last 2-3 days. Norton doesn't catch it coming or going from my PC. SpamCop doesn't stop it either. Only the spammer's ISP's incoming SMTP sees it.

Took a quick look but didn't see it on CastleCops web either. A quick Google indicates that the risk is low, guess I'm just "luckily"!

[Wazoo]

Quick glance/scan through your sampled spam doesn't show any signs of anything that should/would run on its own. On the other hand, no idea what all that hidden code would provide to a scripting engine that's probablty on the referenced URL, just waiting for the clickee to arrive with an unsecure browser. Point being that there's not a virus/trojan existing within the e-mail, only code that may be involved with an exploit that needs the user's complicity to get loaded/activated (i.e. blindly clicking on the link provided with an exploitable browser)

[Farelf]

The the 76yt.tw domain is written up in SiteAdvisor simply as a phishing site - http://www.siteadvisor.com/sites/76yt.tw/summary/ - with Pishtank references supplied by a reporter, this .tw evidently being a persistent offender and thus far immune to any consequence of its criminal involvement. LinkScanner online will merrily give the full link the all-clear and offer to redirect to the site, complete with code(!). On a text file rendition of the message content, VirusTotal only records phishing heuristics recognition by eTrust-Vet, add ClamAV if the headers are included - http://www.virustotal.com/resultado.html?5...58b22962fda42c8

So, whatever subtlety was recognized by Antigen for SMTP is not seen more generally which is possibly a consequence of deeper processing, the possibility mentioned by Wazoo, or maybe just admirable paranoia on Antigen's part. In any event it is reasonable to assume you are unscathed if you don't click the link. Which of course is the invariable rule.