Robot Has Detected Abnormal Activity From Your IP Address

I’ve gotten numerous calls about this piece of spam today, so I thought I’d blog it:

From: Administrator <sender changes>
To: <client name>
Sent: Sun Jul 08 18:15:22 2007
Subject: Worm Alert!

Dear Customer,

Our robot has detected an abnormal activity from your IP adress on sending e-mails. Probably it is connected with the last epidemic of a worm which does not have official patches at the moment.

We recommend you to install this patch <url omitted> to remove worm files
and stop email sending, otherwise your account will be blocked.


According to PC Tools’ ThreatExpert service, the trojan copies itself to the Windows system folder as ‘windev-72b5-203e.sys’ (md5: 8e2410698872f116620cbd7846adfa34) and registers the file as a service in order to load when Windows is started.
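As an added example (not code from the original post or from ThreatExpert), the two indicators above can be checked on a suspect machine by walking a folder and grading each hit by confidence. The `windev-*.sys` pattern and the function names are assumptions; only the exact file name and MD5 come from the report.

```python
import fnmatch
import hashlib
import os
import sys

# Indicators quoted in the post (ThreatExpert report).
KNOWN_MD5 = "8e2410698872f116620cbd7846adfa34"
KNOWN_NAME = "windev-72b5-203e.sys"
# Assumption: other samples keep the "windev-" prefix and .sys extension.
NAME_PATTERN = "windev-*.sys"


def md5_of(path, chunk=1 << 16):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan(root, known_md5=KNOWN_MD5):
    """Return sorted (confidence, path) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                file_md5 = md5_of(path)
            except OSError:
                file_md5 = None  # locked or unreadable: name checks only
            lname = name.lower()
            if file_md5 == known_md5:
                # Strongest signal: survives a rename of the dropped file.
                findings.append(("hash-match", path))
            elif lname == KNOWN_NAME:
                findings.append(("name-match", path))
            elif fnmatch.fnmatch(lname, NAME_PATTERN):
                # Weakest signal: needs manual review before acting on it.
                findings.append(("name-pattern", path))
    return sorted(findings)


if __name__ == "__main__":
    # Default is the usual Windows system folder; pass a path to override.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32"
    for confidence, path in scan(root):
        print(f"{confidence}\t{path}")
```

A name hit without a hash hit is still worth investigating, since the detection names below indicate a packed sample whose hash can differ between copies.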

Detection names among vendors vary greatly and include the following:

  • TR/Small.DBY.DB (AntiVir)
  • Win32:Tibs-BAC (Avast)
  • Downloader.Tibs.6.K (AVG)
  • Trojan.Peed.OQ (BitDefender)
  • W32/Tibs.MV@mm (Fortinet)
  • Packed.Win32.Tibs.ab (Ikarus, Kaspersky)
  • W32/Nuwar@MM (McAfee, 5069 07.06.2007)
  • Worm:Win32/Nuwar.JT (Microsoft)
  • Win32/Nuwar (Nod32)
  • Tibs.gen124 (Norman)
  • Mal/Dorf-A (Sophos)
  • Trojan.Packed.13 (Symantec)
  • Possible_Nucrp-3 (Trend)

Recommended Action:

Don’t download it – update your anti-virus signatures
