Topic: Spoofed email from N-I

Offline Die Hard

  • LzD Fallen Heroes
  • Hero Member
  • *****
  • Posts: 971
  • The Northern Berserk
    • View Profile
Spoofed email from N-I
« on: August 16, 2005, 04:17:48 PM »
I had a mail today with sender "Net-Integration Forums" containing this message:

Quote
    Protect Your PC !!!

    Please download antivirus protection
    http://antivirusprotection.pisem.net/avp.exe

Of course I thought of nuking it right away until I saw the sender, then I looked at the header and saw "eagle1's" name:

Quote
    Return-Path: <eagle1@peace.emfc.com>
    Received: from peace.emfc.com ([67.43.1.57]) by amsfep15-int.chello.nl
              (InterMail vM.6.01.04.04 201-2131-118-104-20050224) with ESMTP
              id <20050816141953.FTJX10024.amsfep15-int.chello.nl@peace.emfc.com>;
              Tue, 16 Aug 2005 16:19:53 +0200
    Received: from eagle1 by peace.emfc.com with local (Exim 4.44)
       id 1E51be-00008z-7o; Tue, 16 Aug 2005 09:35:54 -0400
    To: webmaster@net-integration.net
    Subject: Protect Your PC !!! ( From Net-Integration Forums )
    From: "Net-Integration Forums" <webmaster@net-integration.net>
    X-Priority: 3
    X-Mailer: IPB PHP Mailer
    Message-Id: <E1E51be-00008z-7o@peace.emfc.com>
    Sender:  <eagle1@peace.emfc.com>
    Date: Tue, 16 Aug 2005 09:35:54 -0400
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - peace.emfc.com
    X-AntiAbuse: Original Domain - chello.se
    X-AntiAbuse: Originator/Caller UID/GID - [32004 32009] / [47 12]
    X-AntiAbuse: Sender Address Domain - peace.emfc.com
    X-Source: /usr/bin/php
    X-Source-Args: /usr/bin/php admin.php
    X-Source-Dir: net-integration.net:/public_html/forums
    X-Antivirus: AVG for E-mail 7.0.338 [267.10.10]
    Content-Type:

When following the link http://antivirusprotection.pisem.net/avp.exe in the mail, a file called avp.exe is downloaded.
I scanned it on Jotti's and this came forward:


Quote
    Status:  INFIZIERT/MALWARE (Anmerkung: diese Datei wurde bereits vorher gescannt. Die Scanergebnisse werden daher nicht in der Datenbank gespeichert.)
    Entdeckte Packprogramme:  FSG

    AntiVir  Keine Viren gefunden
    ArcaVir  Keine Viren gefunden
    Avast  Keine Viren gefunden
    AVG Antivirus  Keine Viren gefunden
    BitDefender  Dropped:Trojan.Small.AL gefunden
    ClamAV  Trojan.LdPinch-34 gefunden
    Dr.Web  Trojan.PWS.LDPinch.400 gefunden
    F-Prot Antivirus  unknown virus gefunden (mögliche Variante)
    Fortinet  Keine Viren gefunden
    Kaspersky Anti-Virus  Trojan-PSW.Win32.LdPinch.gen gefunden
    NOD32  a variant of Win32/PSW.LdPinch gefunden
    Norman Virus Control  Keine Viren gefunden
    UNA  Keine Viren gefunden
    VBA32  Trojan.LdPinch.27 gefunden (mögliche Variante)

Die Hard  :)
I create and edit my posts in GS-NOTES
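The headers Die Hard quotes above are the kind of thing a responder reads by hand. As an added example (not code from this thread, from Net-Integration or from any of the posters), the following Python script parses that quoted message with the standard library, walks the Received chain oldest hop first, and flags four things a defender would note: the header From domain differing from the envelope/Sender domain, an origin hop that was injected locally on the MTA rather than received over SMTP, the X-Source headers naming a PHP script under the forum's own document root, and a body link that points straight at an executable. The sample message is constructed from the headers and body quoted in the post (the empty Content-Type line is dropped); the finding names and the list of executable extensions are this example's own choices.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the headers and body quoted in the post above, with the
# empty "Content-Type:" line left out so the stdlib parser has nothing odd to handle.
RAW_MESSAGE = """\
Return-Path: <eagle1@peace.emfc.com>
Received: from peace.emfc.com ([67.43.1.57]) by amsfep15-int.chello.nl
          (InterMail vM.6.01.04.04 201-2131-118-104-20050224) with ESMTP
          id <20050816141953.FTJX10024.amsfep15-int.chello.nl@peace.emfc.com>;
          Tue, 16 Aug 2005 16:19:53 +0200
Received: from eagle1 by peace.emfc.com with local (Exim 4.44)
   id 1E51be-00008z-7o; Tue, 16 Aug 2005 09:35:54 -0400
To: webmaster@net-integration.net
Subject: Protect Your PC !!! ( From Net-Integration Forums )
From: "Net-Integration Forums" <webmaster@net-integration.net>
X-Mailer: IPB PHP Mailer
Message-Id: <E1E51be-00008z-7o@peace.emfc.com>
Sender: <eagle1@peace.emfc.com>
Date: Tue, 16 Aug 2005 09:35:54 -0400
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php admin.php
X-Source-Dir: net-integration.net:/public_html/forums

Protect Your PC !!!

Please download antivirus protection
http://antivirusprotection.pisem.net/avp.exe
"""

# Extensions treated as "direct executable download" (this example's own list).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def addr_domain(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def received_chain(msg):
    """Received headers in delivery order (origin hop first), folding collapsed."""
    hops = [re.sub(r"\s+", " ", h).strip() for h in msg.get_all("Received", [])]
    hops.reverse()  # the top-most Received header is the last hop, so reverse
    return hops


def executable_links(body):
    """URLs in the body whose path ends in one of EXECUTABLE_SUFFIXES."""
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    return [u for u in urls if urlparse(u).path.lower().endswith(EXECUTABLE_SUFFIXES)]


def analyze(raw_message):
    """Return the facts a responder would pull from one message, plus flagged findings."""
    msg = email.message_from_string(raw_message)
    from_domain = addr_domain(msg["From"])
    envelope_domains = sorted({addr_domain(msg[h]) for h in ("Return-Path", "Sender") if msg[h]})
    hops = received_chain(msg)
    links = executable_links(msg.get_payload())
    findings = []

    # 1. Header From claims one domain; envelope sender / Sender header show another.
    if envelope_domains and from_domain not in envelope_domains:
        findings.append("header-from-mismatch: From=%s, envelope/Sender=%s"
                        % (from_domain, ",".join(envelope_domains)))

    # 2. Origin hop was a local submission on the MTA (Exim's "with local"),
    #    i.e. a process on that box handed the mail in, not a remote SMTP client.
    if hops and " with local " in hops[0]:
        host = re.search(r"\bby (\S+)", hops[0])
        findings.append("local-origin: injected locally on %s" % (host.group(1) if host else "?"))

    # 3. Exim/cPanel-style X-Source headers: which script on the server produced the mail.
    if "php" in (msg["X-Source"] or "").lower():
        findings.append("web-script-origin: %s (%s)" % (msg["X-Source-Args"], msg["X-Source-Dir"]))

    # 4. A link straight to an executable: the indicator that survives even when
    #    every header matches the forum's normal notification mail.
    for url in links:
        findings.append("executable-link: %s" % url)

    return {"from_domain": from_domain, "envelope_domains": envelope_domains,
            "hops": hops, "executable_links": links, "findings": findings}


if __name__ == "__main__":
    report = analyze(RAW_MESSAGE)
    for hop in report["hops"]:
        print("hop:", hop)
    for finding in report["findings"]:
        print("finding:", finding)
```

Read the findings against what the thread says: the forum's own notification mail goes out through admin.php on that host with these same envelope addresses, so the From/Sender mismatch and the local origin would also appear on a legitimate message, which is exactly why Jason found the headers consistent with earlier genuine mail. The executable link is the one finding that separates this message from the forum's real notifications, so a mail filter keyed on download links, rather than on sender consistency, is what would have flagged it.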

Offline Jason

  • Sr. Member
  • ****
  • Posts: 321
  • The Onomatopoetic
    • View Profile
Net-Integration website unavailable and puzzling mails received?
« Reply #1 on: August 16, 2005, 04:24:29 PM »
Does anybody know why the URL for Net-Integration http://forums.net-integration.net/index.php? shows up as http://peace.emfc.com/suspended.page/? with the text: "This Account Has Been Temporarily Suspended for Security Purposes" :?:

Another rather strange thing is that I've just got three different e-mails, to the same account and with the same message, supposedly from Net-Integration.
When I compare the e-mail headers with earlier legitimate e-mails from Net-Integration, all seems to be correct.
What puzzles me is that these e-mails have a direct link to an executable? :chair:

Below is the full text content of these mails but I've removed the beginning of the URL so nobody in here picks anything up by mistake:

Protect Your PC !!!

Please download antivirus protection
(see notes in red above) antivirusprotection.pisem.net/avp.exe

End of message in mail...


Regards
Jason :wink:
In a perfect world, spammers would get caught, go to jail, and share a cell with many men who have enlarged something, taken Viagra and are looking for a new relationship.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 19600
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: Spoofed email from N-I
« Reply #2 on: August 16, 2005, 04:29:08 PM »
This is what I got at N-I just now:

This Account Has Been Temporarily Suspended for Security Purposes
Please forgive the inconvenience.

I had been logged in earlier today.  Darn dirty hacker.  Eagle1 has enough to deal with right now & certainly doesn't need this.

{{{Hugs, Tashi!!!}}}


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline Jason

  • Sr. Member
  • ****
  • Posts: 321
  • The Onomatopoetic
    • View Profile
Re: Net-Integration website unavailable and puzzling mails received?
« Reply #3 on: August 16, 2005, 04:31:50 PM »
I've just noticed Die Hard's posting here http://www.landzdown.com/index.php/topic,1181.msg6454.html#msg6454 so perhaps a moderator could place these postings in the same thread. :D

Jason :wink:

Offline roddy32

  • LzD Fallen Heroes
  • Hero Member
  • *****
  • Posts: 1075
    • View Profile
Re: Spoofed email from N-I
« Reply #4 on: August 16, 2005, 04:42:38 PM »
I was just coming to post this but I see you guys already got it. I was there early this morning myself for a minute but surprisingly I have not received the e-mail as of yet.
Thanks DieHard
Microsoft MVP Consumer Security 2006 - 2012

Log'N'Rock Computer Security


Offline Die Hard

  • LzD Fallen Heroes
  • Hero Member
  • *****
  • Posts: 971
  • The Northern Berserk
    • View Profile
Re: Spoofed email from N-I
« Reply #5 on: August 16, 2005, 10:29:58 PM »
The Netintegration Forum was hacked:

http://www.broadbandreports.com/forum/remark,14145402

Die Hard :)

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 19600
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: Spoofed email from N-I
« Reply #6 on: August 16, 2005, 10:54:53 PM »
I expect SWI is providing whatever backup assistance they can, but I wish there were something we could do to help.



Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 19600
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: Spoofed email from N-I
« Reply #7 on: August 16, 2005, 11:13:44 PM »
I've learned that the ISP for the site distributing the virus has been contacted and they are on it. The N-I server is not shut down but the logfiles are being examined.  Temporary forums will be up & running ASAP.



Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 19600
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: Spoofed email from N-I
« Reply #8 on: August 17, 2005, 12:01:19 AM »
N-I is back up:  http://forums.net-integration.net/index.php?showtopic=32730

Quote from: Eagle1
Net-Integration is not sending any spam but only appears to be doing so. The net-integration domain account was disabled for the majority of the day while the source of the spamming was sought. The ISP (http://pisem.net) that is hosting malware was notified several hours ago and they have not done anything about it so far.

Logs are being reviewed to determine if source can be identified. Will keep posted.



Offline mitch

  • Hero Member
  • *****
  • Posts: 729
    • View Profile
Re: Spoofed email from N-I
« Reply #9 on: August 17, 2005, 12:31:17 AM »
I got it on my Hotmail account.
I read in text only and did not click the attachment.

But for insurance I scanned with all the anti-crap I have.


Does anyone know what will see it for sure? Or an online scanner that will see it? (free)

I have that warm fuzzy feeling, but would like to say for sure I know I don't have it so I can sleep well.

With k you have to submit a file so that is no good, and all are deleted here.

Ya, they got a lot of folks with the spoofed address I think!
Anyone else and I would have just deleted.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 19600
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: Spoofed email from N-I
« Reply #10 on: August 17, 2005, 01:24:56 AM »
I understand Trojan Hunter detects it and it has been submitted to all those on the standard "lists" to get updates. 



Offline Die Hard

  • LzD Fallen Heroes
  • Hero Member
  • *****
  • Posts: 971
  • The Northern Berserk
    • View Profile
Re: Spoofed email from N-I
« Reply #11 on: August 17, 2005, 03:03:17 AM »
mitch :)

In my first post in the thread, you will see which AVs are detecting it, and what they call it.

Die Hard :)