New Storm worm - 4th of July subject lines

Discuss various technical topics not related to Mozilla.
Post Reply
old Harry Waldron
Moderator
Posts: 0
Joined: December 31st, 1969, 5:00 pm

New Storm worm - 4th of July subject lines

Post by old Harry Waldron »

These may be in our spam filters or in-box soon:

Image Another new variant of the Storm worm to avoid:

New Storm worm -- 4th of July subject lines
http://isc.sans.org/diary.html?storyid=3090

EMAIL SUBJECT LINES TO AVOID:
Celebrate Your Independence
Independence Day At The Park
Fourth of July Party
American Pride, On The 4th
God Bless America
Happy B-Day USA
July 4th Family Day
Your Nations Birthday
July 4th B-B-Q Party
Happy 4th July
4th Of July Celebration
Fireworks on the 4th
Happy Birthday America
Independence Day Celebration
Celebrate Your Nation
Americas B-Day
America's 231 Birthday
User avatar
BenoitRen
Posts: 5946
Joined: April 11th, 2004, 10:20 am
Location: Belgium

Post by BenoitRen »

Happy 4th July

Spotted this one while my e-mail was downloading. It was automatically moved to Junk. :D

I seem to be catching the recent trends recently. I wonder why.
old Harry Waldron
Moderator
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post by old Harry Waldron »

An example that has been made safe from the inbox ... Please be careful out there :)

Code: Select all

From:   "greet2k.com" 
To:   harry
Subject:   Fireworks on The 4th
Date:   Wed, 4 Jul 2007 20:44:42 +0900

Hi. School-mate has sent you an ecard. See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your card's direct www address below while you are connected to the Internet:

http://[NUMERIC IP ADDRESS REMOVED FOR SAFETY]/?076a3db573383e1a7a85955 

Or copy and paste it into your browser's "Location" box (where Internet addresses go).
     


PRIVACY
greet2k.com honors your privacy. Our home page and Card Pick Up have links to our Privacy Policy.

TERMS OF USE
By accessing your card you agree we have no liability. If you don't know the person sending the card or don't wish to see the card, please disregard this Announcement.

We hope you enjoy your awesome card.

Wishing you the best,
Mailer-Daemon,
greet2k.com
User avatar
Eyes-Only
Posts: 1354
Joined: May 18th, 2003, 9:59 am
Location: La Confédération Abènaquaise

Post by Eyes-Only »

I got two of the above today Harry and Benoit but can't exactly recall their names, and then two of the old Storm variants. What I've taken to doing is disabling the auto-downloading of all my emails from all accounts and programmes and where I use KDE on Linux I've installed the programme KShowmail. This allows me to see what's on my server at a pre-determined time (set by me) and gives me as much info as I want of the letter. Usually just the address, subject line, and size suffices for me. Then I can use "Ctrl + mouse-click" to select what I want to delete, press the "delete button", and the rest is history. :) All without downloading at that.

There are likewise several Windows programmes that do the same thing. I used one for years and do you think I could recall its name now? Of course not! -sigh- :( They had a free version that covered one account, and a paid version for around $20 I think that did everything you could've imagined---plus the kitchen sink---and was worth every penny.

I really recommend programmes like that regardless of whether or not you've got an OS that can be infected or not because of how you can cut down on the spam and whatnot server-side before downloading it just to make 100% sure you don't give back a valid address to these places.

Thanks for all of your warnings here Harry. It's not only the folks running Windows who appreciate them I hope you know? Many of us who run Linux like to be in the know about such things as well! Many is the time when I've directed my Window's friends to your site in the nick of time to save their butts. No joke. Just saying "thanks" seems an empty platitude. If you're ever in my area I owe you a Guinness. Make it a six pack. ;)

Amicalement,

Eyes-Only
"L'Peau-Rouge"
--
"We never know just how much a kind word, or a gesture, will lift the spirits of a person in need and heal them." KDpup-484, LucidPup-511, SM2+/FX4+/TB31+
User avatar
BenoitRen
Posts: 5946
Joined: April 11th, 2004, 10:20 am
Location: Belgium

Post by BenoitRen »

I've spotted a "download headers only" option in SeaMonkey before, but I never tried it.
User avatar
Eyes-Only
Posts: 1354
Joined: May 18th, 2003, 9:59 am
Location: La Confédération Abènaquaise

Post by Eyes-Only »

Nor have I as I'm not sure whether or not you can delete that way or not. That was the one thing I really liked about "Becky!" emailer is that I could check the email on the server, delete that which I did not want, then download the rest. I think FoxMail has the same feature but Becky! likewise had the auto-backup feature which we now have in "SeaMail" and TBird.

I really wished that both SeaMail/TBird would incorporate this feature though, maybe in a XUL-drawn window where one might "see" that which is on the server and therefore delete unwanted messages, etc. I've seen it asked for time after time in the forums for both products just obviously not enough times. :(

Amicalement,

Eyes-Only
"L'Peau-Rouge"
--
"We never know just how much a kind word, or a gesture, will lift the spirits of a person in need and heal them." KDpup-484, LucidPup-511, SM2+/FX4+/TB31+
User avatar
couldabeen
Posts: 6729
Joined: September 9th, 2003, 11:24 am
Location: I'm Right Here

Post by couldabeen »

My Thunderbird is set up to delete emails if they are not from someone in my address book. I know, I could get a valid email from an 'unknown' user, but so far that hasn't happened.
old Harry Waldron
Moderator
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post by old Harry Waldron »

AV vendors are starting to post updated virus signature information as follows:

F-Secure - HTML Postcards.N Information
http://www.f-secure.com/v-descs/trojan_ ... ds_n.shtml

QUOTE: Files that are detected as HTML/Postcard.N@troj are EML files that state that the recipient has received a greeting card from a friend, relative, or classmate. The recipient is encouraged to click on a link or to visit a website and enter their eCard number to view the message. When the user click this link, another page will appear stating that a new browser feature is currently being tested. The recipient is asked to click another link pointing to a file, usually named ECARD.EXE. We are detecting these files as Email-Worm.Win32.Zhelatin.


Trend - NUWAR.GU Information
http://www.trendmicro.com/vinfo/virusen ... NUWAR%2EGU

Trend - NUWAR.GU Behavioral Diagram
http://www.trendmicro.com/vinfo/images/ ... _GU_BD.gif

QUOTE: This worm propagates via email. On spammed email messages purporting to be electronic greeting cards (eCards) sent by contacts known to a target user, it includes a link where a malicious JavaScript detected by Trend Micro as JS_DLOADER.NUF is hosted. The said eCards supposedly come from legitimate eCard Web sites. It gathers target email addresses from files with the certain file name extensions. It uses its own Simple Mail Transfer Protocol (SMTP) engine to send the email message. Having its own SMTP engine allows it to send messages without using any mailing application, such as Microsoft Outlook. This worm also injects a TCP/IP device driver so as to hide its network activities. In addition, it injects itself to a legitimate process to hide its malicious activities such as its email propagation routine.
Post Reply