[Full-Disclosure] Fake Virus Warnings From ISPs
From: Mike (mjcarter_at_ihug.co.nz)
To: <firstname.lastname@example.org>
Date: Sun, 18 Jan 2004 13:28:19 +1300
Warning: be careful with the links in this email.
Posted in the SANS diary by Johannes Ullrich:
A user submitted a fake e-mail, which is using the %01 MSIE bug to trick the
user into downloading a Trojan.
This appears to be bigger than Yahoo being faked. I recently received this
From: ihug.co.nz's Internet Virus Department
We have detected a possible computer virus on your computer, You must open
the details of the report within 24 hours our we will be forced to shut down
your internet service.
Please Click Below Then Press "open" To View The Report If you do not open
this report in 24 hours we will suspend your internet service If nothing
apears on your virus report please dis-regard this message
Click Here Now
Clicking on the link takes me to
http://dzmj6u1ziuzb4r3tzaj0zafl.euphoriaja.com/special2/ which redirects to
http://220.127.116.11/cgi-bin/page.cgi and attempts to download page.hta which
McAfee detects as VBS/Inor.
I've contacted my ISP and forwarded it to them. I wonder how many other ISPs
are about to be flooded with calls.
Note the URL is changing; it was originally
http://18.104.22.168/cgi-bin/page.cgi, which was shut down,
but is now residing at http://22.214.171.124/cgi-bin/page.cgi
inetnum: 126.96.36.199 - 188.8.131.52
descr: China Netcom Corp.
descr: New Telecommunication Carrier Based on IP Backbone
changed: email@example.com 20001011
changed: firstname.lastname@example.org 20020703
changed: email@example.com 20030212
status: ALLOCATED PORTABLE
Full-Disclosure - We believe in it.
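
A mail filter can flag the traits this message describes before a user clicks. The sketch below is an added example, not part of the original post; it assumes the %01 trick takes the form of an encoded control character in the URL's userinfo part (the text before the `@`), and the sample mail, host names and documentation-range addresses are constructed.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

CONTROL = re.compile(r"[\x00-\x1f\x7f]")  # C0 control characters and DEL

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def link_findings(href):
    """Return the suspicious traits found in one link target."""
    parts = urlsplit(href)
    findings = []
    userinfo, at, _ = parts.netloc.rpartition("@")
    if at:  # anything before '@' is userinfo, not the real host
        findings.append("userinfo")
        if CONTROL.search(unquote(userinfo)):  # e.g. %01 hiding the real host
            findings.append("control-char-in-userinfo")
    try:
        ipaddress.ip_address(parts.hostname or "")
        findings.append("ip-literal-host")
    except ValueError:
        pass  # host is a name, not an IP literal
    if parts.path.lower().endswith(".hta"):
        findings.append("hta-download")
    return findings

def scan_mail(html):
    """Map each flagged href in the mail body to its list of findings."""
    collector = LinkCollector()
    collector.feed(html)
    return {h: f for h in collector.hrefs if (f := link_findings(h))}

# Constructed sample mail body (not the message quoted in the post).
SAMPLE_MAIL = """<p>We have detected a possible computer virus.</p>
<a href="http://www.isp.example%01@203.0.113.7/cgi-bin/page.cgi">Click Here Now</a>
<a href="http://192.0.2.10/files/page.hta">report</a>
<a href="https://www.isp.example/help">help</a>"""

if __name__ == "__main__":
    for href, findings in scan_mail(SAMPLE_MAIL).items():
        print(href, findings)
```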