Odd spam

[dra007]

This is an odd spam anouncing that they cashed my $9000 check and asking me to open the attachment.

Hope someone can tell me what virus or exploit these idiots attached to this e-mail.

http://www.spamcop.net/sc?id=z212642769...ffb9a60e28a185z

They are really getting desperate with such e-mails, sending me a few dozens daily almost as if they want to force their way into my computer. Extremely annoying. Anything I can do about such threatening e-mails?

PS. I checked the mortgage company mentioned in the e-mail and it seems legit, I hope that company would be interested to know someone is sending viruses in their name. They dont have an e-mail or web-submission form on their contact page.

Moderator Edit: changed 'mailsc' to 'www' to allow others to actually use the Tracking URL.

[dra007]

Thanks for the edit Wazoo...wasn't aware that was a problem.

Update: I called the mortgage company, they don't correspond by e-mail. They don't care about me getting it in the name of their company either. Apparently if something like this happened for real I should have had to contact my bank and not them, interesting logic. No wander spammers are so non-chalant about committing crimes.

[Lking]

They don't care about me getting it in the name of their company either.

On the other hand what could they do? No money was (could be) moved from your account or to one of theirs. (The spammer is not going to uses your money to DIRECTLY pay his mortgage)

The $$ amount seems to be random. I got two of these spam today. One for $8151 and the other for $8033.

The beat goes on.

[dra007]

Did you figure out if the attachment was an exploit or a virus? If this is simply a phisher it is sure going to annoy any reciever. If it is an exploit the annoyance is meant as a bait? I just cant fathom the logic of these imbecils....

[Farelf]

Did you figure out if the attachment was an exploit or a virus?...

Inconclusive - the attachment was truncated before it got to the parser. If SC truncated it, there would be a note. If it wasn't truncated the final mime boundary declaration would be present, which it's not. Even in text form some of the virus scanners would probably rate the complete thing but in this truncated form only Kapersky raises a tentative alarm - http://www.virustotal.com/analisis/3b644b8...17cb72dbbac718a

... If this is simply a phisher it is sure going to annoy any reciever. If it is an exploit the annoyance is meant as a bait? I just cant fathom the logic of these imbecils....

They don't necessarily aim to be fathomable and I am reasonably sure you don't share their demographic in terms of life skills, social success and intellect . Any mystery attachment from someone pretending to be someone else is (logically) either a virus/trojan loader or a failed attempt at same. But who would know? Things are chaotic at the transaction level.

[Farelf]

I finaly got one in a 'similar' genre http://www.spamcop.net/sc?id=z2130254327za...92c933495869ddz and submitted the attachment for analysis in its original form:

http://www.virustotal.com/analisis/bed460e...1ceb31eb515697b

Sure enough, W32/ZbotE.A[at]en aka Trojan.Wsnpoem etc.

They merely want to assimilate our computers, steal our bandwidth, grow fabulously wealthy without working and surround themselves with readily available females and fine food. Pretty much a biological imperative for any plant or animal - though in this case their elevation to the higher taxa should not be assumed.

[dra007]

So lets just hope they all end up in jail, where they get free food and free sex, and for the benefit of our own specie, not the kind they want.

[Farelf]

So lets just hope they all end up in jail, where they get free food and free sex, and for the benefit of our own specie, not the kind they want.

A pleasant thought, allow me then to add to the specification "whilst forgoing personal hygiene." which I had omitted for fear of slandering the entire animal kingdom (or of making it all sound too tempting to some of our members).

[dra007]

OK, I found a few more of these trapped in my postini virus filter for:

X-Pstnvirus: AUTH-W32/ZbotP.E

more research says:

W32.Zotob.E is a worm that opens a back door and exploits the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039) on TCP port 445.

Notes:

It has been reported that computers targeted by W32.Zotob.E may become unstable during execution of the exploit code. This may result in the termination of the services.exe process, which causes the targeted computer to shutdown.

/snip

While computers running Windows 95/98/Me/NT4/XP operating systems cannot be infected remotely, it is possible they could be infected if W32.Zotob.E is executed locally (although this is an unlikely occurrence). Vulnerable Windows 2000 computers could then be infected by the compromised computer.

looks like an old virus designed at demaging/disrupting but not at stealing information. So I have to ask again, for what purpose other than anoyance..

Sometimes it pays to do a little more research, it can take over our machines as first suspected:

Attempts to detect network connections and a routable IP address. The worm may fail to operate correctly if it determines it is not connected to a network or if the computer's IP address is non-routable.

Attempts to connect to the IRC server 72.20.27.115 on TCP port 8080 to listen for the following commands:

Download and execute remote files

Terminate the worm and delete the file from the compromised computer

Opens UDP port 69 to initiate TFTP.

Sends packets to IP addresses generated at random based on the IP address of the compromised computer. The IP addresses generated use the first 2 octets of the compromised computer, and randomly generated values for the third and fourth octets. The worm will begin to generate entirely random IP addresses after 32 failures on local IPs or after 512 failures, if it was successful at least once.

Moderator Edit: removed excess vertical whitespace.