Here is the notification we sent out to our clients. This also speaks about a separate email scam where they collect VISA credit card information to be used for fraudulent purposes.
[quote]
Dear Valued iTec Hosting Client,
We have 2 alerts to advise you of at this time. Both of these alerts concern credit card security issues. Please be advised and assured that your Credit Card information is secure when you use either our PayPal or 2Checkout payment gateways to pay for your hosting account.
The first alert concerns an email scam which prompts people to provide their Credit Card information. We have sent a copy of the received email to the REAL Visa Security people. DNS information has also been forwarded.
The following is from the email where they take your Credit Card information from you and then use that information for fraudulent purposes.
------------------------------------------------------------
Dear Sir/Madam,
We were informed that your credit card is used by another person or stolen. It could happen if you have been shopping on-line, and someone got your "Billing information" including your credit card number. To avoid and prevent any further fraud and billing mistakes and to refund your credit card, it is strongly recommended to proceed filling in the secure form on our site and applying for our Zero Liability program. Program is free and it will help us to confirm the fact of fraud and investigate this accident as soon as possible.
Sincerely yours, Visa Support Assistant, Alwin Desagun.
------------------------------------------------------------
DO NOT give any information to the site or visit any links that take you to the site. Delete the email and do NOT respond. The return email address is security@visa-security.com, but that site is not in any way associated with VISA. Any authentic email from VISA would have the domain @visa.com. If you should in fact receive this email, send an email to AskVisaUSA@Visa.com with all the specifics of the email you received, including the header information.
The header information will NOT show the sender as being from Visa International but will be as follows:
Return-Path: <k0oj@mail.com>
Received: from www26.genericdns.com (root@localhost)
by yourdomain.com (8.11.6/8.11.6) with ESMTP id i0TMDT925168
for <username@yourdomain.com>; Thu, 29 Jan 2004 16:13:29 -0600
X-ClientAddr: 68.236.25.238
Received: from 68.236.25.238 (pool-68-236-25-238.phil.east.verizon.net [68.236.25.238])
by www26.genericdns.com (8.11.6/8.11.6) with SMTP id i0TMDSF25146
for <username@yourdomain.com>; Thu, 29 Jan 2004 16:13:29 -0600
Message-Id: <200401292213.i0TMDSF25146@www26.genericdns.com>
Date: Thu, 29 Jan 2004 16:08:40 -0600
From: Visa Service <security@visa-security.com>
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
Reply-To: Visa Service <security@visa-security.com>
Organization: Visa International Service
X-Priority: 3 (Normal)
To: username@yourdomain.com
Subject: Visa Security Update
Mime-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Status: RO
visa-security.com is NOT a valid website. The return address is indicated as Return-Path: <k0oj@mail.com>; Mail.com is a free email address service.
The second part of this alert concerns a Worm/Virus which collects credit card information.
Type: Win32 worm
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the March 2004 (3.79) release of Sophos Anti-Virus.
At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.
Description
W32/Mimail-S is a worm which spreads by email. The worm sends itself to email addresses harvested from your hard disk. These addresses are saved into a file named outlook.cfg in the Windows folder.
W32/Mimail-S drops a copy of itself into the Windows folder using the name rabbit.exe. W32/Mimail-S adds the entry:
RabbitWannaHome = "[windows folder]\rabbit.exe"
to the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
so that the worm loads every time you logon to your computer.
W32/Mimail-S also drops an HTML script into the file c:\ms.hta. This script pops up a dialog window asking you to enter your credit card number, expiry date and PIN. Information which the worm "phishes" in this way is written into a file named c:\xx.
W32/Mimail-S uses a wide range of randomly-constructed subject lines, message texts and attachment names in order to vary the appearance of the emails it sends out.
From the McAfee Site:
[quote]
Virus Profile
Virus Information
Name: W32/Mimail.s@MM
Risk Assessment
- Home Users: Medium
- Corporate Users: Medium
Date Discovered: 1/28/2004
Date Added: 1/28/2004
Origin: Unknown
Length: 11520
Type: Virus
SubType: E-mail worm
DAT Required: 432
Virus Characteristics
The worm contains its own SMTP engine to replicate itself; it also attempts to steal the user's credit card information.
Email Propagation
The worm harvests email addresses from the victim's computer by appending .org, .net or .com to certain strings found in files in the directory C:\Program Files. These email addresses are then written to:
* C:\windows\outlook.cfg
The subject and body of the email message sent out is constructed from strings found in the worm body. For example:
Subject: here is the file you asked for
Body: Hi! Here is the file you asked for!
Attachment: document.txt.scr
Similarly, filenames and extensions used for the attachment are constructed from strings found within the worm body. The attachment is BASE64 encoded. The following are the possible file extensions used:
* .pif
* .scr
* .exe
* .jpg.scr
* .jpg.pif
* .jpg.exe
* .gif.exe
* .gif.pif
* .gif.scr
Data Theft
This worm attempts to steal the user's credit card information by displaying the below fake Microsoft licensing window. (image is cropped) The stolen credit card numbers are sent to email addresses found in the worm's body. The addresses are within the domains @mail15.com and @ziplip.com. The stolen information is stored in the file:
* C:\XX
Indications of Infection
The worm checks the credit card number to ensure a dummy number is not entered; otherwise it displays the error below (see attachment).
The following files are created upon execution:
* C:\ms.hta - HTML
* C:\WINDOWS\outlook.cfg - phished email addresses
* C:\WINDOWS\rabbit.exe - worm body
* C:\WINDOWS\x - worm body
The following registry key is created to run the worm at startup:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "RabbitWannaHome" = %WINDIR%\rabbit.exe
Method of Infection
This virus spreads via email. Manually running the attachment infects the local machine.
Removal Instructions
All Users:
Use specified engine and DAT files for detection and removal.
The following EXTRA.DAT packages are being made available prior to the regularly scheduled weekly DAT release (working with EXTRA.DAT files) (McAfee).
EXTRA.DAT
SUPER EXTRA.DAT
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Stinger
Stinger 2.0.0 has been made available to assist in detecting and repairing this threat.
McAfee Security IntruShield
McAfee Security IntruShield will detect the presence of this worm in mail utilizing two generic signatures that are part of the Default Policy:
1. SMTP: Possible Virus Attachment File with Double Extension - Looks for attachments with double extensions where the last extension is executable.
2. SMTP: Worm Detected in Attachment - Looks for attachments with an executable extension.
These detections will only be logged, unless you enable blocking of these types of extensions within your policy.
McAfee Security Threatscan
ThreatScan signatures that can detect the W32/Mimail.s@MM virus are now available from:
* Threatscan 2.5 - ftp.nai.com/pub/security/tsc25/updates/winnt
* Threatscan 2.0/2.1 - ftp.nai.com/pub/security/tsc20/updates/winnt
ThreatScan users can detect the virus by running a ThreatScan task using the following settings:
* Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
-or-
* Select the "Other" category and "Scan All Vulnerabilities" template.
For additional information:
* Run the "ThreatScan Template Report"
* Look for module number #4062
McAfee Personal Firewall Plus
Any attempted communication by this worm will be blocked, resulting in the following message:
You are infected by the Mimail virus. Your firewall has stopped this worm from spreading to another system and is preventing the worm owner from remotely controlling your system. However, your system remains infected. Please update your anti-virus definitions and run a full system scan. Please refer to: W32/Mimail.s@MM for more detailed information.
Additional Windows ME/XP removal considerations
Aliases
I-Worm.Mimail.r (AVP), W32.Mimail.R@mm (Symantec), W32/Mimail-S (Sophos), W32/Mimail.Q@mm (Norman), W32/Mimail.S.worm (Panda), WORM_MIMAIL.S (Trend)
[/quote]
You can view an image of the login screen below:
The above link is from one of our staff members' sites, and we verify it is safe to view for all.
We provide this information to you, our client, as our way of helping to keep you informed of important security issues and trends on the internet.
Please feel free to also visit our forums at http://forum.itechosting.com/index.php for additional updates on these virus/security threats and previous notifications we have also sent out.
Regards,
Glen Millar
System Administrator
iTec Internet Services/iTec Hosting Services
[/quote]
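As an added example (not part of the notification, nor of the Sophos or McAfee text), the Python script below checks the two header tells the notification points at (a Return-Path domain that differs from the From domain, and a "Visa" claim made from a domain other than visa.com) and mirrors the two generic IntruShield attachment signatures quoted from McAfee. The sample message is constructed from the headers quoted above with a placeholder body; `BRAND_DOMAINS`, `EXEC_EXT` and the function names are this example's own, while the extension list and signature names come from the McAfee text.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: the header lines quoted in the notification above
# (Received/Date lines omitted), with a placeholder body.
SAMPLE = """\
Return-Path: <k0oj@mail.com>
From: Visa Service <security@visa-security.com>
Organization: Visa International Service
To: username@yourdomain.com
Subject: Visa Security Update

placeholder body
"""

# Brand keyword -> domains it legitimately mails from (the notification
# states authentic Visa mail would come from @visa.com). Assumed table.
BRAND_DOMAINS = {"visa": {"visa.com"}}
# Extensions the quoted McAfee signatures treat as executable.
EXEC_EXT = {"pif", "scr", "exe"}

def domain_of(header_value):
    """Lower-cased domain of the address in a header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def header_findings(raw):
    """Return the header tells found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    frm, rp = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    findings = []
    if frm and rp and frm != rp:
        findings.append(f"Return-Path domain {rp} differs from From domain {frm}")
    claimed = f"{msg['Organization'] or ''} {msg['From'] or ''}".lower()
    for brand, good in BRAND_DOMAINS.items():
        if brand in claimed and frm not in good:
            findings.append(f"claims {brand} but sends from {frm}, not {sorted(good)}")
    return findings

def attachment_signatures(filename):
    """Names of the two quoted SMTP signatures that fire, most specific first."""
    exts = filename.lower().split(".")[1:]
    if not exts or exts[-1] not in EXEC_EXT:
        return []
    sigs = ["Worm Detected in Attachment"]
    if len(exts) >= 2:  # e.g. document.txt.scr, photo.jpg.pif
        sigs.insert(0, "Possible Virus Attachment File with Double Extension")
    return sigs
```

Call `header_findings(SAMPLE)` to see both tells fire on the quoted headers, and `attachment_signatures("document.txt.scr")` to see the double-extension and executable signatures fire together, as the McAfee text describes.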