WARNING: Worm dupes with fake Microsoft address !
#1
Hi!

You might be interested in this:

http://news.com.com/2100-1002-1007603.html

Got one in the mail today myself.



COPY OF THE NEWS
===================================================

Worm dupes with fake Microsoft address


By Matt Loney
Special to CNET News.com
May 19, 2003, 7:21 AM PT


A new mass-mailing e-mail worm, which feigns a Microsoft.com origin, is spreading rapidly. Antivirus vendors say it can also spread via a local area network and can install "spyware" on a victim's PC.
The Palyh, or Mankx, worm appears to come from support@microsoft.com, a forged address. It contains a file which, upon execution, self-propagates using e-mail addresses from files stored on the targeted system, but which can also spread to other Windows machines on a local area network (LAN). Although the file has a .pi or .pif extension, it is an .exe file. And because Windows processes files according to their internal structure rather than their extension, Windows runs the file as soon as the recipient double-clicks on it.

The worm appears to originate from the Netherlands, but more than 60 percent of e-mails containing it were originating from the United Kingdom early Monday, according to e-mail outsourcing firm MessageLabs. The U.K.-based company said its servers had stopped more than 34,000 copies of the worm as of Monday, with a peak infection rate that climbed to one Palyh worm in every 264 e-mails.



The United States is the second most active country for the worm, with a 6 percent share of infected e-mails, although antivirus experts expect this number to climb as the U.S. workday begins.

"The U.K. is the worst hit now," said Mark Toshak, virus analyst at MessageLabs. "We expect to see that change at (7 a.m. PDT) when people in the U.S. go into work and open their e-mails. It's Monday morning, and they might not have seen a warning or had a chance to update their antivirus packages. This virus does pretend that it's from support@microsoft.com. And nine times out of 10, people will click on this."

Palyh can gain access to targeted computers as an attached file or by writing itself to systems via a LAN, said antivirus software company Kaspersky Labs. The worm copies itself into the Windows directory under the name "MSCCN32.exe" and registers this file in the system registry's auto-run key so that it is placed into system memory and is automatically launched when the system boots. However, due to certain errors in its code, sometimes Palyh copies itself into a different directory and therefore occasionally the auto-run function is not triggered.

When the worm copies itself correctly, according to Kaspersky's bulletin on the worm, it begins its spreading routine. "To do so via e-mail, Palyh scans for files with the extensions txt, eml, html, htm, dbx, wab, and selects lines from them that it believes to be e-mail addresses," the Russia-based company said. "Then Palyh circumvents the installed e-mail program to use the SMTP server to send out copies of itself to the found e-mail addresses." To spread over a LAN, Palyh copies itself to the Windows auto-run folders on other local machines.

Kaspersky said that while the worm itself is not dangerous, it has the ability to load additional components--which could cause harm--from a remote Web server. "By doing so, Palyh can clandestinely install new versions of itself or impregnate infected systems with spyware programs," Kaspersky said.

So-called spyware is software that can install itself on a PC without the user's consent. It might monitor Web browsing habits or record passwords, credit card information or other e-commerce data for the purpose of relaying the data to a third party.

Palyh's author built into the program a temporary trigger: All worm routines other than the updating feature are active only until May 31. This peculiarity effectively dooms Palyh, according to Kaspersky, "because the server from which it downloads its updates will be closed in the near future."

================================================
Reply
#2
Hail Flayer,

I got one of them today; I knew immediately it was a worm. Well, firstly I check all my emails for the telltale signs anyways, but even without having to look at them I knew it was fraudulent... why the heck would MicroSoft send any emails to an anti-MS, anti-closed software fanatic? Well, perhaps hate mail, but I've not recieved any of that yet ;)

It is a fairly standard spoofing of the sender's address, and seems to be a fairly standard worm on all counts: anyone who has a clue about such things would pick it immediately :)
May the wind pick up your heels and your sword strike true.
Reply
#3
I got one too. I deleted it as soon as I saw it. Even support@microsoft.com can't get me to open an unknown attachment :)
Reply
#4
Specifically, the joys of Pine. ^_^

I've caught several worms, and since Pine is text-only and doesn't execute anything, I just get to look at them and laugh. ^_^

-Kasreyn
--

"As for the future, your task is not to forsee it, but to enable it."

-Antoine de Saint-Exupéry

--

I have a LiveJournal now. - feel free to post or say hi.

AIM: LordKasreyn
YIM: apiphobicoddball
Reply
#5
Flayer Not Pound,May 20 2003, 12:03 PM Wrote:A new mass-mailing e-mail worm, which feigns a Microsoft.com origin, is spreading rapidly. Antivirus vendors say it can also spread via a local area network and can install "spyware" on a victim's PC.
The Palyh, or Mankx, worm appears to come from support@microsoft.com, a forged address. It contains a file which, upon execution, self-propagates using e-mail addresses from files stored on the targeted system, but which can also spread to other Windows machines on a local area network (LAN).
(Emphasis mine)

That's why the worm is not going to catch a glimpse of my hard drive even if it comes from god@heaven.com. Random executables block my cognitive abilities rendering me unable to open them ;)
Reply
#6
Quote:It is a fairly standard spoofing of the sender's address, and seems to be a fairly standard worm on all counts: anyone who has a clue about such things would pick it immediately

That's the scary part; for every 1 person who has a clue, most likely 9 people do not :)

Quote:And nine times out of 10, people will click on this

At least according to this guy. I wouldn't be surprised if true though.
Reply
#7
Flayer Not Pound,May 20 2003, 11:03 PM Wrote:This virus does pretend that it's from support@microsoft.com. And nine times out of 10, people will click on this."
:lol: ROFL! :lol:

OMG that's funny. :lol: Best laugh I've had in ages.

*ahem* Anyway. . .

"support@microsoft.com". Those two words . . . "support", "Microsoft". Oh wow. No comment necessary really. I was already thinking "WTF?" the moment I read the email address. :blink:

And 9 out of 10 open these things? :blink: Personally, if I see "Microsoft" in my mail there's a good chance I might even miss the subject line before the brain says, "spam" and the hand goes, "delete." :blink:
Heed the Song of Battle and Unsheath the Blades of War
Reply
#8
Haven't we learned that opening file attatachments from unknown people is bad?
With great power comes the great need to blame other people.
Guild Wars 2: (ArchonWing.9480) 
Battle.net (ArchonWing.1480)
Reply
#9
It is a an email from a site named "www.ladieslookingforlove.com", but what is strange is that I keep going to unsubscribe, and everytime it gives me some bogus error message, and the email address is different every time, even though it is the same text, much like the article about spam in todays NYTimes. But I checked my cookies, and I could find nothing under that host-name. I deleted all my cookies just to be safe though. I'll look for a link to the article and post it later, or someone can put it up if they have it handy!
WWBBD?
Reply
#10
Yrrrek, I suggest getting Adware, it could be you have some backdoor or something.
"Turn the key deftly in the oiled wards, and seal the hushed casket of my soul" - John Keats, "To Sleep"
Reply
#11
You mean ad-aware? :)
Well, I don't know. Ad-aware has been buggy for quite a while. They haven't really got it down that well. I'd recomond spybot s&d for now. :P

housecall.antivirus.com
Of course this site is useful too.
With great power comes the great need to blame other people.
Guild Wars 2: (ArchonWing.9480) 
Battle.net (ArchonWing.1480)
Reply
#12
Unfortunately, once you're on some of those mailing lists, there's no way off.
The trick is not to get on them in the first place. ;)

1.) Forget "Unsubcribe" and those sites that give you a form to allegedly remove your address from their list. Those are dirty tricks they pull to confirm your email address exists. NEVER use them.

"Unsubscribe" is something you reserve for taking your name of a legitimate mailing list you actually signed on for . . . unless you've signed up for pr0n in which case you goofed.

2.) Find out how your email client does sender blocking. I use Hotmail a lot and can abandon it if the spam gets bad, but even so I take full advantage of the custom filters and block sender list. For Outlook users: Tools > Message Rules > Block Sender List. In the case of my Hotmail account I even block entire domains that have proven troublesome.

3.) Be careful where you leave your email address! Just like there are bots roaming the net on behalf of search engines taking note of key words in websites, there are also bots roaming the net on behalf of spammers looking for email addresses to add to the collection. :angry: You can have unquestioning faith in various sites' "robots.txt" file if you like, but personally I prefer to consider if my email address is necessary for every instance where a site asks for one. Signing up for Lurker Lounge? Yes. Signing up for a petition? No thanks. ;)
Heed the Song of Battle and Unsheath the Blades of War
Reply
#13
I get similar messages. In my Yahoo! mailbox.

And I have Ad-Aware. And others. And I use them around once a week. And I run a software firewall. And I'm the only one who uses this computer. And it's password-protected to get into. :P

So, while that's a possibility for perhaps *another* case, this problem is all too common, and is pure spam. I haven't found a way to stop it other than by filters.

My question is: How do these things FIND these e-mail addresses to send the spam to if they're never advertised? I.e. my web-host e-mail address(es), or my ISP address. Are they selling my address somewhere?

The very first day I had my ISP e-mail address, I was already getting spam. :P Methinks we've reached a new age: one where computers just put together random letters / numbers in the vain hope of finding an e-mail address. Given today's technology, it could work quite well. :P
Roland *The Gunslinger*
Reply
#14
Roland,May 21 2003, 12:49 PM Wrote:And I have Ad-Aware. And others. And I use them around once a week. And I run a software firewall. And I'm the only one who uses this computer. And it's password-protected to get into. :P

So, while that's a possibility for perhaps *another* case, this problem is all too common, and is pure spam. I haven't found a way to stop it other than by filters.
Ad aware is a start, but only tackles local files that act as a beacon. There are other ways your email address can get out there. Filters and common sense are good defences.

Quote:My question is: How do these things FIND these e-mail addresses to send the spam to if they're never advertised? I.e. my web-host e-mail address(es), or my ISP address. Are they selling my address somewhere?

Sometimes email address lists are shared by parties you'd rather not know about. There's not much you can do about that aside from being prudent in determining how much you release your address t the world. Then set the filters. ;)

Bots pretty much exactly like the google search engine also roam the net and collect email addresses from sites.

Any web page anywhere with your email address displayed is a potential threat. When I'm building a site for my own use I generally try to restrict contact email addresses to a single page and actually go a step further in encrypting that one page. The text on the document that people read, says Email me (or similar) rather than actually displaying the adress and also the meta tags/robots.txt holds information that prevents conforming bots from caching the page. Even all that is not foolproof

Quote:The very first day I had my ISP e-mail address, I was already getting spam. :P Methinks we've reached a new age: one where computers just put together random letters / numbers in the vain hope of finding an e-mail address. Given today's technology, it could work quite well. :P

True. I have recieved such emails in the past. A hidous list of random addresses CC'd to hundreds. The body of the mail contained a link to a page where you could 'unsubscribe' thus actually submitting your email address to a spammer.

Lamest of the lame. <_<
Heed the Song of Battle and Unsheath the Blades of War
Reply
#15
Walkiry,May 21 2003, 01:26 AM Wrote:That's why the worm is not going to catch a glimpse of my hard drive even if it comes from god@heaven.com.
Shouldn't that be god@heaven.org? ;)
Reply
#16
Archon_Wing,May 21 2003, 09:27 AM Wrote:Haven't we learned that opening file attatachments from unknown people is bad?
Haven't people learnt that running microsoft files is bad? ;)
Reply
#17
WarBlade,May 21 2003, 02:34 PM Wrote:The text on the document that people read, says Email me (or similar) rather than actually displaying the adress
Well, that doesn't stop my bot (for finding I.T. business emails)... it checks the entire page for email addresses (with preferences to various keywords being near the email address so that I only send one email per site)

The sites that I can't get emails for are those 'large corps' that have the submit pages (e.g. Hewlett Packard IIRC)
Reply
#18
whyBish,May 21 2003, 05:15 PM Wrote:Well, that doesn't stop my bot (for finding I.T. business emails)... it checks the entire page for email addresses (with preferences to various keywords being near the email address so that I only send one email per site)

The sites that I can't get emails for are those 'large corps' that have the submit pages (e.g. Hewlett Packard IIRC)
Heh. Fortunately that's only the last part of the equation and considering the email addresses can be grabbed just by clicking on them, it's not exactly something I do as a primary defence.

An email address in the source of one of my pages actually looks like this: %6da%69l%74o:%64a%6eish%2en%7a@%78tra%2eco.%6ez ;)
Heed the Song of Battle and Unsheath the Blades of War
Reply
#19
I won't decode it for you since you want to keep it safe, but I also use the module I made for my web browser which automatically converts these. I had made that a long time ago since hotmail uses redirects when you get emails with hyperlinks in them, so I do a strip of the hotmail redirect and convert the ascii chars.
Reply


Forum Jump:


Users browsing this thread: 4 Guest(s)