Robot Has Detected Abnormal Activity From Your IP Address

I’ve gotten numerous calls about this piece of spam today, so I thought I’d blog it:

From: Administrator <sender changes>
To: <client name>
Sent: Sun Jul 08 18:15:22 2007
Subject: Worm Alert!

Dear Customer,

Our robot has detected an abnormal activity from your IP adress on sending e-mails. Probably it is connected with the last epidemic of a worm which does not have official patches at the moment.

We recommend you to install this patch <url omitted> to remove worm files
and stop email sending, otherwise your account will be blocked.

Administrator

According to PC Tools’ ThreatExpert service, the trojan copies itself to the Windows system folder as ‘windev-72b5-203e.sys’ (md5: 8e2410698872f116620cbd7846adfa34) and registers the file as a service in order to load when Windows is started.
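A sweep for the two indicators ThreatExpert reports above, as an added example that is not part of the original post: it flags files by MD5 or by file name and filters a list of service image paths for the same name. The function names and the default directory are assumptions; an MD5 hit identifies this exact sample, while a name-only hit is a lead to review.

```python
import hashlib
import os
import sys

# Indicators from the ThreatExpert details quoted in the post.
IOC_NAME = "windev-72b5-203e.sys"
IOC_MD5 = "8e2410698872f116620cbd7846adfa34"


def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, name=IOC_NAME, md5=IOC_MD5):
    """Return (path, reason) for files under root that match the hash or the name."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for entry in files:
            path = os.path.join(folder, entry)
            try:
                hash_hit = md5_of(path) == md5.lower()
            except OSError:
                hash_hit = False  # locked or unreadable: fall back to the name check
            if hash_hit:
                hits.append((path, "md5"))
            elif entry.lower() == name.lower():
                hits.append((path, "name"))
    return hits


def flag_services(services, name=IOC_NAME):
    """Filter (service_name, image_path) pairs, e.g. exported from the registry,
    down to those whose image path ends in the file name."""
    return [(svc, img) for svc, img in services
            if img.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower() == name.lower()]


if __name__ == "__main__":
    # Assumed default: the Windows system folder; pass another directory to override.
    default = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    for path, reason in sweep(sys.argv[1] if len(sys.argv) > 1 else default):
        print(f"{reason}\t{path}")
```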

Detection names among vendors vary greatly and include the following:

  • TR/Small.DBY.DB (AntiVir)
  • Win32:Tibs-BAC (Avast)
  • Downloader.Tibs.6.K (AVG)
  • Trojan.Peed.OQ (BitDefender)
  • W32/Tibs.MV@mm (Fortinet)
  • Packed.Win32.Tibs.ab (Ikarus, Kaspersky)
  • W32/Nuwar@MM (McAfee 5069, 07.06.2007)
  • Worm:Win32/Nuwar.JT (Microsoft)
  • Win32/Nuwar (Nod32)
  • Tibs.gen124 (Norman)
  • Mal/Dorf-A (Sophos)
  • Trojan.Packed.13 (Symantec)
  • Possible_Nucrp-3 (Trend)

Recommended Action:

Don’t download it – update your anti-virus signatures
