Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday 10 September 2008

My bank made a woopsie? Nope, actually they didn't .....

That's right folks, the scammers are back - and this time they're carrying an infection (guess the phishing stuff wasn't working as well for them?). I've received 27 of these so far, and other than the sender, they're all virtually identical:


Greetings!

Yesterday I received a message from your bank with your account statement. I don’t need problems with the police because of your bank’s error!!! Please contact your bank and ask them to not mistakenly send me your personal data to me.

For the proof of my non-participation in obtaining your personal data, I am attaching the copy of the message containing your account statement which I had received via e-mail!!!!

You must print the copy of the message and pass it on to the bank, so that they wouldn’t mistakenly send me your personal bank account data.



The attachment? BANK_DETAILS.zip, which contains a 66.5KB file called .... wait for it .... BANK_DETAILS.exe, with an Excel icon to make you think it's an XLS file (naughty scammer!). Detection, alas, isn't that good, with only 16/32 detecting it.

http://www.virustotal.com/analisis/ea81b8ad78cb532af14368694ef53b54
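The icon trick above only fools a human looking at Explorer; a mail gateway can ignore the icon and look at the archive member's extension and its first bytes instead. The following is an added illustration (not code from the original post): it builds a constructed stand-in for BANK_DETAILS.zip in memory, holding a fake MZ stub named BANK_DETAILS.exe plus a hypothetical renamed copy and a harmless text file, and triages every member on two independent signals.

```python
import io
import zipfile

# Extensions that should never arrive as a "bank statement" attachment.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Constructed fake PE: an "MZ" DOS header and a "PE" signature, not a real program.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 60


def build_sample_zip() -> bytes:
    """Constructed stand-in for BANK_DETAILS.zip (three members, all made up here):
    the spam's BANK_DETAILS.exe, the same bytes renamed to look like a spreadsheet,
    and a benign text file for contrast."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("BANK_DETAILS.exe", FAKE_PE)
        zf.writestr("statement.xls", FAKE_PE)      # hypothetical: PE hidden behind .xls
        zf.writestr("readme.txt", b"Your statement is attached.\n")
    return buf.getvalue()


def triage_zip(data: bytes) -> list[dict]:
    """Return one finding per archive member: name, size, whether the extension is
    executable and whether the content starts with the PE 'MZ' magic. Either signal
    alone is enough to quarantine; the icon the file shows is never consulted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)
            name = info.filename.lower()
            ext = name[name.rfind("."):] if "." in name else ""
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "exec_ext": ext in EXECUTABLE_EXTS,
                "pe_magic": head == b"MZ",
            })
    return findings


def should_quarantine(data: bytes) -> bool:
    """True if any member is an executable by extension or by content."""
    return any(f["exec_ext"] or f["pe_magic"] for f in triage_zip(data))
```

Run as a gateway rule, this flags the renamed copy on magic alone, so a payload that drops the .exe extension entirely is still caught.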

Alas, the Sunbelt sandbox claims the file has already been analyzed, but, err:

http://research.sunbelt-software.com/ViewMalware.aspx?id=5561279

Where is it? Instead, I've submitted it both to Anubis and to the Microsoft sandbox - results will be posted when I receive them. In the meantime, the e-mail itself is below.


Exported by: Outlook Export v0.1.2


From: Ali Rosen
E-mail:lvhvljivf@bobgail.com [ 63.206.146.140 - bobgail.com ]
Date: 10/09/2008 07:14:29
Subject: I received a message from your bank
**************************************************************************
Links
**************************************************************************


**************************************************************************
Text Version
**************************************************************************
Greetings!

Yesterday I received a message from your bank with your account statement.
I don’t need problems with the police because of your bank’s error!!!
Please contact your bank and ask them to not mistakenly send me your personal data to me.
For the proof of my non-participation in obtaining your personal data, I am attaching the copy of the message containing your account statement which I had received via e-mail!!!!
You must print the copy of the message and pass it on to the bank, so that they wouldn’t mistakenly send me your personal bank account data.


**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2>Greetings!<BR>
<BR>
Yesterday I received a message from your bank with your account statement.<BR>
I don’t need problems with the police because of your bank’s error!!!<BR>
Please contact your bank and ask them to not mistakenly send me your personal data to me.<BR>
For the proof of my non-participation in obtaining your personal data, I am attaching the copy of the message containing your account statement which I had received via e-mail!!!!<BR>
You must print the copy of the message and pass it on to the bank, so that they wouldn’t mistakenly send me your personal bank account data.<BR>
</FONT>
</P>

</BODY>
</HTML>

**************************************************************************
Headers
**************************************************************************
Return-Path: <lvhvljivf@bobgail.com>
Delivered-To: services@[RMVD]
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
by smtp-in-125.livemail.co.uk (Postfix) with SMTP id 51454534187
for <services@[RMVD]>; Wed, 10 Sep 2008 07:14:33 +0100 (BST)
Received: from 84.red-80-34-50.staticip.rima-tde.net (84.Red-80-34-50.staticIP.rima-tde.net [80.34.50.84])
by smtp-in-125.livemail.co.uk (Postfix) with ESMTP id 7643253420C
for <nobody@[RMVD]>; Wed, 10 Sep 2008 07:14:27 +0100 (BST)
Received: from [80.34.50.84] by smtp-relay.pbi.net; Wed, 10 Sep 2008 07:14:29 +0100
Date: Wed, 10 Sep 2008 07:14:29 +0100
From: "Ali Rosen" <lvhvljivf@bobgail.com>
X-Mailer: The Bat! (v2.12.00) Business
Reply-To: lvhvljivf@bobgail.com
X-Priority: 3 (Normal)
Message-ID: <220419770.17700592054610@bobgail.com>
To: nobody@[RMVD]
Subject: I received a message from your bank
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----------1A213674BF6E82"
X-Original-To: nobody@[RMVD]


/edit

As mentioned, the following are the Anubis and MS sandbox results:

http://anubis.iseclab.org/result.php?taskid=fdd6caea727f37847548aeba86a4f473

http://www.microsoft.com/security/portal/Entry.aspx?name=PWS%3aWin32%2fZbot.UV

No really, that IS all Microsoft decided to send for this one!
