Alas it seems the malvelopers want us to think the "other bad guys" are watching us. I read about these e-mails yesterday, but hadn't actually received one myself - now I feel special :o)
As mentioned previously, the e-mail reads:
They've also kindly included an attachment (user-B41642-activities.zip) that they claim is a report concerning copyright stuff I've downloaded or searched for on the websites they've referenced (which would be a neat trick considering I've never been on those sites).
This attachment, just like this one, is detected as WORM/Agent.FT.
Needless to say, if you receive an e-mail claiming to come from MediaDefender, delete it (MD should be ignored anyway in my opinion (and indeed, in a lot of others' opinions too)).
As usual, the following is the e-mail itself in all its glory.
It seems these are still doing the rounds as I've just received another one. Whilst the e-mail and zip's filename are identical to the last, the infection in this one is HIDDENEXT/Worm.Gen with a new size of 324K.
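The HIDDENEXT detection name suggests a member of the archive is disguising its real extension. As an added example (not from the original post, and not the scanner's own logic), here is a mail-gateway style check that lists the members of a zip attachment and flags names hiding an executable extension; the extension lists, the padding threshold and the sample member names are all assumptions.

```python
import io
import re
import zipfile

# Assumed list of extensions that execute when opened on Windows.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "lnk"}
# Assumed list of extensions a recipient would read as harmless.
DECOY_EXTS = {"txt", "doc", "pdf", "htm", "html", "jpg", "gif", "log", "xls"}
PADDING = re.compile(r"[ _\t]{5,}")  # filler run pushing the real extension out of view


def hidden_extension_reasons(name):
    """Return the reasons a zip member name looks like a disguised executable."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.rstrip(". ").lower().split(".")  # Windows drops trailing dots/spaces
    if len(parts) < 2 or parts[-1].strip() not in EXECUTABLE_EXTS:
        return []  # not executable at all
    reasons = []
    if len(parts) >= 3 and parts[-2].strip() in DECOY_EXTS:
        reasons.append("double extension")
    if PADDING.search(base):
        reasons.append("padding before extension")
    return reasons  # empty for an openly named executable such as setup.exe


def scan_zip(data):
    """Map each suspicious member of an in-memory zip to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            reasons = hidden_extension_reasons(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample archive; every member holds harmless placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in ("readme.txt", "report.txt" + " " * 40 + ".exe",
                     "activities.doc.scr", "setup.exe"):
            archive.writestr(name, "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()).items():
        print(repr(member), "->", ", ".join(reasons))
```

Only the member names are inspected, so nothing in the archive is extracted or executed.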
Well well well, this is an interesting little sample isn't it ..... Running the file through ThreatExpert shows multiple outgoing connections (IRC, SMTP). Two GET requests were made to download additional components:
Other connections include:
sco.rs-forum.biz Port: 5900
mxs.isp.com Port: 5900
22.214.171.124 Port: 5900
rs-forum.biz claims to be a parked page (yeah right!)
The IRC connection shows it's joining the #biohazard2 channel, and generating the following traffic:
The full TE report can be found at: