Smallmo - CISRT Member

Fake Webshop Bestellung spams in Germany

Smallmo — Wed, 28 Feb 07 15:57:46 +0100

CISRT Lab received some spams about Webshop Bestellung tonight,and these spams are spreading in Germany now.German users should be careful of this kind of spams.

In the spams,there is a malicious web page which contained MS06-014 vulnerability.The spams are as the following:

=======
From: (as the following)
Angelita@tms-logistik.de
Nicholas@tms-logistik.de
Julius@tms-logistik.de
Lionel@tms-logistik.de

Subject: (as the following)
KD 86778 Webshop Bestellung 27.02.2007
KD 07843 Webshop Bestellung 27.02.2007
KD 79360 Webshop Bestellung 27.02.2007
KD 27822 Webshop Bestellung 27.02.2007

Body: (as the following)
Guten Tag,

Vielen Dank fur Ihre Bestellung!

Die von Ihnen bestellten Waren sind vollstandig am Lager und werden umgehend
durch die Logistikabteilung an Sie versandt.

(a link which contained a malicious url)

Um eine schnellstmogliche Bearbeitung Ihre Ruckfragen gewahrleisten zu
konnen,
bitten wir Sie bei Ruckfragen immer Ihre Kundennummer 86778 und
Belegnummer [3816712] anzugeben.

Vielen Dank

Mit freundlichem Grub

Eberhard Schmidt

TMS Logistik GmbH

Call Center:
tel (0180) 31 57 16 21 - 0,09 EUR/min aus dem dt. Festnetz/T-Com
fax (030) 90 16 - 29 19
web www.tms-logistik.de

Niederlassung Berlin
Albrechstrasse 117
D-01271 Berlin

----------------------------------------------------------------------------
------------------

Auf den Punkt gebracht - Ihre Vorteile als TMS Logistik Kunde
----------------------------------------------------------------------------
------------------

o 14 Tage Ruckgaberecht fur originalverpackte Neuware
o Beratung durch unsere Fachverkaufer
o Transparente Preisgestaltung und Verfugbarkeitsanzeige
o Rundumschutz durch optionales Servicepaket
o Kostenfreie Parkplatze
o Bequeme Zusendung durch uns oder DHL moglich
o Kostenfreier 80-seitiger Gesamtkatalog - auch per Post nach Hause

----------------------------------------------------------------------------
------------------

TMS Logistik - seit 12 Jahren erfolgreich in Berlin
----------------------------------------------------------------------------
------------------

=======

We got two different links in the spams:
h**p://tanknk.dothome.co.kr
h**p://bluerain.co.kr

In these links,they are include a malicious url which contained MS06-014 vulnerability:

When users click the link in these spams,a file named as "update.exe" will be downloaded. The size is 87,673 bytes,packed with FSG2.0,it's a new variant. Test it on Virustotal,the result:

The sample's information:
MD5: 83dc1e8e6deb85088a6a3cc29eb6558f
SHA1: 91122a1461917de318b914851ec840002d46d2b8

Update 17:35,March 1st,2007(GMT+0800):
The latest database of Kaspersky detects it as Trojan-Spy.Win32.BZub.ic

The OS of webserver down

Smallmo — Tue, 27 Feb 07 10:53:16 +0100

Our CISRT webserver has been downed for two days because the Operate System of webserver was damaged.The service provider is repairing new system now,but i don't know when the webserver can be repaired.So CISRT can't update new information about the latest malwares now.I hope it can be repaired as soon as possible.

Spams: Australia's Prime Minister

Smallmo — Wed, 21 Feb 07 13:00:40 +0100

Hello,everyone.Happy Chinese New year!
I haven't updated my weblog for a long time because i just finished enjoying my holidays.

CISRT Lab just released an alert for a new spam appoint to John Howard, Australia's Prime Minister two hours ago.

More details: Spams about Australia's Prime Minister

Happy Valentine's Day

Smallmo — Wed, 14 Feb 07 16:01:18 +0100

Happy Valentine's Day everyone.

But with Valentine Day coming,new variants of Email-Worm.Win32.Zhelatin and Email-Worm.Win32.Warezov come,too. CISRT Lab received Email-Worm.Win32.Zhelatin.ab and Email-Worm.Win32.Warezov.lc today.This Zhelatin variant uses the Valentine Day in mail subjects such as "Valentines Day Dance", "The Valentines Angel", "Valentine Letter", "Valentine’s Love", etc . Everyone should be careful!

More details: Valentine Day with Zhelatin and Warezov variants

Multiple Zhelatin variants

Smallmo — Sun, 11 Feb 07 12:02:05 +0100

These days,more Email-Worm.Win32.Zhelatin variants have been found. Kaspersky has given an alert for these variants.
CISRT Lab also has posted informations about Email-Worm.Win32.Zhelatin.t, Email-Worm.Win32.Zhelatin.u, Email-Worm.Win32.Zhelatin.x.
New variant begins spreading via Instant Messenger now.

More details,you can visit CISRT English weblog: http://www.cisrt.org/enblog/

Worm,trojan and ircbot

Smallmo — Wed, 07 Feb 07 17:10:00 +0100

CISRT Lab reports three malwares contained worm,trojan and ircbot today.They are Email-Worm.Win32.Zhelatin.r, Trojan-Downloader.Win32.Agent.bgd and Backdoor.Win32.IRCBot.yc.

Backdoor.Win32.IRCBot.yc is spreading via MSN in HongKong,Taiwan with "viotagallery.com" and "modelosunica.com" domains.

More details:
1. Zhelatin.r variant update

2. Top cigarettes offer trojan spam

3. Fake picture on MSN

Trojan-Downloader.Win32.Tibs variants

Smallmo — Tue, 06 Feb 07 16:40:59 +0100

CISRT Lab received some variants of Trojan-Downloader.Win32.Tibs family,they are similar to Email-Worm.Win32.Zhelatin family,also spreads via email,uses the filename as "Greeting_Postcard.exe","Greeting_Card.exe","greeting card.exe",etc.

More deteails:New sample like Zhelatin worm variant
Another Trojan-Downloader.Tibs variant

Email-Worm.Win32.Zhelatin.o

Smallmo — Sun, 04 Feb 07 15:10:09 +0100

CISRT Lab received new variant of Email-Worm.Win32.Zhelatin——Email-Worm.Win32.Zhelatin.o.

More details: Zhelatin.o variants come

Dolphin Stadium website hacked and Zhelatin.m worm

Smallmo — Sat, 03 Feb 07 15:34:19 +0100

Two messages from CISRT Lab:

One is that the official website of Dolphin Stadium which will be held with Super Bowl XLI was hacked on Feb.2.

Another is that Email-Worm.Win32.Zhelatin.m is coming.

More details:
Dolphin Stadium website
Zhelatin worm continues updating

IM-Worm.Win32.Sohanad.u

Smallmo — Fri, 02 Feb 07 11:44:40 +0100

CISRT Lab received a new variant of IM-Worm.Win32.Sohanad,it is spreading via IM software.It sends out message about Microsoft Windows Vista. CISRT Lab has declared an alert for this new worm.

More details:Sohanad.u worm spreading

Email-Worm.Win32.Zhelatin.k

Smallmo — Wed, 31 Jan 07 15:23:29 +0100

CISRT Lab received a new variant——Email-Worm.Win32.Zhelatin.k

Be careful please.

More details:Zhelatin.k worm come

Email-Worm.Win32.Zhelatin.h

Smallmo — Tue, 30 Jan 07 15:11:00 +0100

CISRT Lab received many variants about Email-Worm.Win32.Zhelatin.h.The author seems to update the worm frequently,to prevent itself to be detected by AV vendors.CISRT Lab advises everyone should keep your antivirus database to the latest.

More details: More Zhelatin.h Worm

Alert for Banwarum.l

Smallmo — Sun, 28 Jan 07 15:08:07 +0100

Three hours ago,CISRT Lab declared an alert for new variant of Email-Worm.Win32.Banwarum.If you received the attachment contained the following names,you should be careful.
Flash Postcard.exe
Greeting Card.exe
Greeting Postcard.exe
Postcard.exe
greeting_postcard.exe
Greeting_Postcard.exe

Kaspersky detected them as Email-Worm.Win32.Banwarum.l,Trend Micro detects them as WORM_NUWAR.EL.

More details,you can see here: Banwarum.l begins spreading

Some malware information

Smallmo — Sat, 27 Jan 07 15:24:31 +0100

CISRT Lab has reported some new malware information these two days.
You can see:
1. Storm worm new variant

2. foto via MSN

3. Foto email spread in Brazil

Another Rechnung spam

Smallmo — Sat, 27 Jan 07 15:18:23 +0100

Another Rechnung spam,More details can see here:http://www.cisrt.org/enblog/read.php?2

Rechnung spam

Smallmo — Thu, 25 Jan 07 16:21:42 +0100

CISRT Lab detected that a trojan spam was spreading in Germany.Kaspersky detected it as Trojan-Downloader.Win32.Agent.ann,and Trend Micro detected it as TROJ_YABE.AV.

More details,you can see here:Rechnung spam come

Europen Spam Storm

Smallmo — Sat, 20 Jan 07 16:43:55 +0100

Two trojan spams are now spreading very quickly in Europe.I think most of Europen friends have received these spams.Most AV vendors have already updated their database such as Symantec,Trendmicro,Mcafee,F-Secure,Panda,Sophos,Kaspersky.Of course,our team also declared an alert on our Chinese blog at 14:29,Jan.20,2007(+0800).

More details about this two trojan,you can see on the webs of most AV vendors.
Kaspersky detected them as Trojan-Downloader.Win32.Small.dam and Trojan-Downloader.Win32.Agent.bet.

MS07-002 for Asia Users Re-released

Smallmo — Fri, 19 Jan 07 11:36:26 +0100

Microsoft re-released MS07-002 to re-offer the security update to customers with Microsoft Excel 2000 today.The security update previously did not correctly process the phonetic information that is embedded in files that are created by using Excel in the Korean, Chinese, or Japanese executable mode.

MS07-002: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (927198)

Phishing email: Hsbc Bank

Smallmo — Thu, 18 Jan 07 11:28:30 +0100

A phishing email which pretended to be Hsbc Bank was found today.The uses of Hsbc Bank should be careful.

The phishing email is like the following:

Subject: Warning: Instant Update Required
Body:
Security

Get.Safe.Online!

Due to our early system updates and server upgrades today from 11 PM till 12 Am,

May not work.

Also we are verifying all user information, so help us to speed up proccess by

Submitting Your information

Verification link:

http://www.hsbc.co.uk/1/2/pib/2007

Verifications like these happens like 3-4 times in ayear.

Thank You for submitting Your information,

Best Regards,

HSBC Online Service
------
The link in the email redicts to a phishing web.The web is as the following:
http://www.fungamesforu.com/banner/www.hsbc.co.uk/instant-update/2007/index.html

PS:I also found another phishing web of Bank of America,the web's url is as the following:
http://www.bksdisco.de/boa/

Phishing email: Nationwide's Internet Banking

Smallmo — Wed, 17 Jan 07 17:18:56 +0100

I also received a phishing email about Nationwide's Internet Banking. Nationwide's users should be careful.

The email is like the following:

Subject: Attention!! Your Nationwide Account Has Been Violated!!
Body:

When clicked the link in the email,it will visit a phishing web:
ht tp://krovla.net

Phishing email: Citibank

Smallmo — Wed, 17 Jan 07 16:37:24 +0100

I received two phishing emails about Citibank today.It was written by Germany.Germany Citibank users should be careful.

The email is like the following:

Subject: Citibank - Neues Online-Banking-Schutzsystem im Jahre 2007
Body:

Translate the body into English by Google:
----

Very honoured visitors,
since unauthorized access attempts are made ever more frequent bank accounts, our bank line seized the resolution over the transition of the whole on-line Banking system to platform of a new generation, which ensures our customer as well as its accounts 100% security and confidentialness. A singular virus and fraud protection! They need to confirm only the account registration on this platform. Click here and indicate you your password and Login. There is not further mA? took necessarily!! We ask because of possible incommodities for apology. We hope for your amplifier? ndnis and our further co-operation:
http://mirror.citibank.de/security/iol/update.do

Support Team.
----
When the users clicked this link,it will vist two phishing web:
h*p://210.74.232.53:8246/citibank.de/applogin/confirm/index.php
h*p://210.201.211.241:8246/citibank.de/applogin/confirm/index.php

MS07-004 VML integer overflow exploit

Smallmo — Wed, 17 Jan 07 11:48:40 +0100

Hello,everyone.I want to tell you a message that MS07-004 VML integer overflow exploit is now published on internet.The poc is tested on WinXP SP2 Korean version.
TrendMicro also reported this exploit,detected it as EXPL_EXECOD.C.
Kaspersky detected it as Exploit.HTML.IframeBof.

I also found a Chinese Poc of this exploit today.It can run on XP SP2 pro.I think it will be used widely soon.

Have you fixed this vulnerbility?If not,please fixed now:Microsoft Security Bulletin MS07-004

Phising Email: ANZ bank

Smallmo — Sun, 14 Jan 07 16:38:42 +0100

I received a phishing email today.It's about ANZ bank.Like other phishing bank email,it steal the account of the customer of ANZ bank.

The phishing email is like the following:

Subject: ANZ Bank Customers Verification
Body:

When you click the link in mail,you will visit a phishing web(ht tp://www.anz-au.com/).The real link of ANZ bank is "http://www.anz.com".So you should be careful.

Phising email: Mysurf365 account

Smallmo — Fri, 12 Jan 07 18:04:22 +0100

Today,i recevied a phishing email.It's something about Mysurf365 account.

The email is following:

Subject: Your mysurf365 accounte is deactivate!
Body:

If you click the link in email,it will redict to another phishing web(ht tp://mysurf365.ke0.eu).It will steal your mysurf365 account.Please be careful.