Xerox Scan Email Virus

The tricks these guys try…

So I get an email, apparently a scan of an image from a Xerox copier sent to my inbox.

Am I going to open the zip file that is attached? Um, no!

This is what I see wrong with this one…

  1. Images don’t need to be zipped; zipping barely compresses them
  2. It was sent from someone I don’t know at admantech@nederland.8bit.be
  3. It’s incredibly vague.

It is obviously aimed at large organisations that have centralised scanning machines delivering documents this way; for everyone else it is a real scatter-gun approach.

Here’s the text:

Subject : Scan from a Xerox WorkCentre Pro N 2918425

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: Guest

Number of Images: 1

Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set

Device Name: XRX9679AA7ACDB40111008

For more information on Xerox products and solutions, please visit

http://www.xerox.com
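The three warning signs listed above (sender domain not ours, a zip where a scan should be an image, a vague body) can be applied to a raw message automatically. This is an added example, not code from the post; the sample message is constructed here with the sender and subject quoted above, and the executable name inside the zip is made up to illustrate the double-extension trick.

```python
import email
import email.utils
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed sample mail: sender and subject are the ones quoted in the post;
# the zip member name is invented to show a "document" that is really a program.
def build_sample_eml() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan_2918425.doc.exe", b"MZ placeholder, not a real program")
    msg = EmailMessage()
    msg["From"] = "admantech@nederland.8bit.be"
    msg["To"] = "me@example.org"
    msg["Subject"] = "Scan from a Xerox WorkCentre Pro N 2918425"
    msg.set_content("Please open the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="scan.zip")
    return msg.as_bytes()

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

def triage(raw: bytes, internal_domains: set[str]) -> list[str]:
    """Apply the post's checks to a raw message and return the warning signs found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rpartition("@")[2]
    if domain not in internal_domains:
        findings.append(f"sender domain {domain!r} is not one of ours")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # A scanner delivers an image or PDF; an archive is itself a warning sign.
        if name.endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            findings.append(f"zip attachment {name!r}: scans are not normally zipped")
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if member.lower().endswith(EXECUTABLE_SUFFIXES):
                            findings.append(f"archive member {member!r} is executable")
            except zipfile.BadZipFile:
                findings.append(f"attachment {name!r} is not a valid zip")
    return findings
```

Running `triage(build_sample_eml(), {"example.org"})` reports all three problems; the same message from a whitelisted domain still trips the archive checks.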

The Phishers / Virus Makers have Hooked Amazon now

Phishing is all about getting people hook, line and sinker; this time Amazon is the focus of the phishers.

It seems to be the usual DHL / UPS style scam, where a zip archive is attached to an email that carries the nasty payload.

It asks you to print the attached postal label to get your package.

As usual, delete these emails as they are nothing but a cover for a dangerous virus or scam.

Here is the transcript of the email:

Goodafternoon!

Thank you for shopping at Amazon.com
We have successfully received your payment.

Your order has been shipped to your billing address.

You have ordered ” Asus Eee PC T91Go ”

You can find your tracking number in attached to the e-mail  document.

Print the postal label to get your package.

We hope you enjoy your order!
Amazon.com
The attachment is called Postal_label_Nr234.zip

It is interesting to see these people targeting suppliers / vendors with wide audiences, and dropping any reference to DHL or UPS, as that is starting to get a little old.

I wonder how long it will take for the anti-virus brigade to recognise this new variant.

DHL, UPS Virus Email, What Next NZPost?

Many times there are things that show the US Centricness (Is that a word?) of the internet:

  • .com readily meaning US site
  • US date formats in online forms
  • USD as the default currency

Well, another example is the idea that every country must use UPS and DHL for their parcels.

Why else would all the post / courier virus emails sent around the world offer only these two?

The phishers seem to have a better idea…use a local provider to have a better chance of success. (Even these guys get it wrong: Note to Spammers – I don’t have any Commonwealth Bank of Australia accounts)

What is wrong with NZPost? I suspect that in any case like this, an email from a local bank / services company / postal service etc would be more troublesome to the local population.

So, look out for suspicious emails from local suppliers, and as should be usual practice, here are a few standard tips to protect you from email nasties:

  • Any email asking for any form of login / password should be treated suspiciously
  • Any email warning of a security breach should be treated suspiciously
  • Don’t click on any links in emails that you are unsure of, instead go to the website manually
  • Don’t open any attachment that is unexpected, this especially includes zip files
  • Keep your anti-virus software up to date and make sure email scanning is turned on!

Let me know of any other tips or other virus laden emails you have had to send to your trash bin.

Possible new DHL Email Virus

Wow, the virus / malware people are working overtime. My last post was about the Mail Server Upgrade scam / virus; now, interestingly, a DHL email has slipped past my virus scanner.

In the past these have been picked up and have never been a threat, but this one got through. The email reads:

Subject: DHL delivery service. Get your parcel NR.26252

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly!

Attention!
The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.

Thank you for attention.
DHL Delivery Services.

As usual, there is a zip file attached. This normally trips the virus scanner, but not this time.

Hopefully the next virus updates will catch up with this new variant.

New Email Threat – Mail Upgrade Virus

I have had a couple of clients send on emails they have received with what seems to be a reasonably well crafted message describing an upcoming mail system upgrade.

The key thing is the link you are asked to click: in one email it went directly to an executable file, which I assume carries a virus or trojan program.

Another email had a link to a page on a website (which could easily redirect to a file download).

As with other emails of a similar technical nature, this one uses enough tech language to try to come across as legitimate.

Here is a transcript:

From: System [mailto:System@clientsite.co.nz]
Sent: Tuesday, 20 October 2009 12:20 PM
To: validemail@clientsite.co.nz
Subject: Attention – Mail system upgrade

Attention!

On October 22, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.

The changes will concern security, reliability and performance of mail service and the system as a whole.

For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.

This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That’s all.

http://updates.clientsite.co.nz.secure.certificates-db.com/ssl/id=7721494943-validemail@clientsite.co.nz-patch6559.exe

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator

Another one, similar:

—– Original Message —– From: “administrator” <administrator@clientsite.co.nz>
To: <validemail@clientsite.co.nz>
Sent: Tuesday, October 20, 2009 1:56 AM
Subject: Read carefully:Mail System Upgrade

Attention!

On October 22, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That’s all.

http://updates.clientsite.co.nz.secure.certificates-db.net/ssl/id=798545139-validemail@clientsite.co.nz-patch2066228.aspx

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator

(urls changed)

It seems like some anti-spam filters have already picked this up, but if you see an email like this, beware.

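The links in both emails put the client's domain at the front of the hostname (updates.clientsite.co.nz.secure.certificates-db.com), but the part that decides where the browser goes is the end, certificates-db.com. The following added example (not from the post) checks a URL the way a filter should: whole-label suffix matching against the expected domain rather than the eye's substring match, plus a flag for links that end in an executable. It assumes clientsite.co.nz as the expected domain, and its "controlling domain" is a two-label approximation (a real filter would use the public suffix list so that co.nz-style endings are handled).

```python
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "clientsite.co.nz"   # the domain the emails claim to be from
RISKY_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".cmd")

def host_belongs_to(host: str, domain: str) -> bool:
    """True only if host is domain itself or a subdomain of it (whole labels)."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_link(url: str, expected_domain: str = EXPECTED_DOMAIN) -> dict:
    """Compare what a reader sees in the URL with what the URL actually does."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    labels = host.lower().split(".")
    return {
        "host": host,
        # substring match: what a glance at the link does, and why it fools people
        "looks_like_ours": expected_domain in host.lower(),
        # label-suffix match: what actually determines who controls the host
        "is_ours": host_belongs_to(host, expected_domain),
        # last two labels; assumption: an approximation of the registrable domain
        "controlling_domain": ".".join(labels[-2:]),
        "downloads_executable": parts.path.lower().endswith(RISKY_SUFFIXES),
    }

if __name__ == "__main__":
    for link in (
        "http://updates.clientsite.co.nz.secure.certificates-db.com/ssl/"
        "id=7721494943-validemail@clientsite.co.nz-patch6559.exe",
        "https://mail.clientsite.co.nz/owa/",
    ):
        print(check_link(link))
```

The first URL reports looks_like_ours=True, is_ours=False and downloads_executable=True; the second, a legitimate subdomain, passes.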
Beware the Powerpoint Virus

This gives attackers access to everything the host user has access to, so it is obviously worse for someone with administrator privileges.

Microsoft has deemed the problem as critical, the top rating on their security scale.

Symantec’s virus hunters have dubbed the virus Trojan.PPDropper.B, while other antivirus makers are likely dissecting it as well. It follows a well-worn pattern: an email arrives from an unknown source, in this case from a Gmail account, and has a PowerPoint file attached. The email has Chinese characters in it, which would indicate its origins are in Asia.

Interestingly, the latest viruses are appearing just after Microsoft’s regular update, so that the virus or exploit stays in the wild for as long as possible before the next patch.

Here is a link to the Microsoft website (Security Bulletin MS09-017), where the exploit description and the steps to protect your software are located.