Sunday, 3 June 2007

Fake Yahoo PostMaster Alert

I received this lovely e-mail. It looks like a normal notice generated automatically by a mail server's antivirus check, but in reality it accuses me of having sent an e-mail containing a virus and advises me to apply the patch attached to the notice.

What's more, the address from which the supposedly infected e-mail was sent is a webmail account I use only to receive e-mail; no e-mail is ever sent from it. In short, it's an attempt to get me to run a fake patch (to clean my system of the worm, they say) which is actually the classic trojan.

Here is the text of the bogus e-mail:

Attention: ADDRESS - 5:25:48 PM - 6/2/2007 - This is an automatically generated message.

A virus was found in the last outgoing message you sent. Our incoming email scanner intercepted it and stopped the entire message before it could reach its intended recipient. The virus was reported to be: I-Worm.Mydoom.M

Technical details: I-Worm.Mydoom.m spreads via Google and Yahoo mail services as an attachment to infected messages.

The worm itself is a Windows PE EXE file approximately 27KB in size, packed using UPX.
The unpacked file is approximately 89KB in size.

The worm is only activated when a user opens an archive and launches the infected file by double-clicking on it. The worm will then install itself to your system and begin propagating. This worm also contains a dangerous backdoor function. When the worm opens TCP port 1034, it allows itself to receive remote commands. These ports were found to be open on your system during the message scan.

Please use the attached patch file to remove the virus and cleanse your system of any remaining parts of the worm.


Aliases: I-Worm.Mydoom.m (Kaspersky Lab), W32/Mydoom.o@MM (McAfee), W32.Mydoom.M@mm (Symantec), Win32.HLLM.MyDoom.54464 (Doctor Web), W32/MyDoom-O (Sophos), Win32/Mydoom.O@mm (RAV), WORM_MYDOOM.M (Trend Micro), Worm/Mydoom.M (H+BEDV), W32/Mydoom.O@mm (FRISK), Win32:Mydoom-M (ALWIL), I-Worm/Mydoom.O (Grisoft), Win32.MydooM@mm (SOFTWIN), Worm.Mydoom.M (ClamAV), W32/Mydoom.N.worm (Panda), Win32/Mydoom.R (Eset)

Description added: 6/2/2007 (new)
Self-Replicating Email Worm

Removal tool attached to ADDRESS message at: 5:25:48 PM on 6/2/2007
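The lure above combines a few tells: an "automatic" scanner notice that claims a message *you* sent was infected, an instruction to run an attached "patch" or "removal tool", and an executable attachment where a genuine bounce or scanner report would carry none. The script below is an added example, not part of the original post, showing how a mail filter could score an incoming message on exactly those indicators. The sample message it builds is constructed to mirror the quoted alert; the addresses (`postmaster@example.invalid`, `victim@example.invalid`) and the attachment name `patch.exe` are placeholders, and the `receive_only_addresses` parameter is a hypothetical list of mailboxes the owner never sends from, which is the clue the post relies on.

```python
"""Heuristic triage for fake "postmaster virus alert" e-mails.

Added example (not part of the original post). It scores an RFC 822 message
on indicators taken from the lure quoted above. All sample data is constructed.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# File extensions that run as code on Windows when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Phrases lifted from the quoted alert; matched case-insensitively on the body.
LURE_PATTERNS = {
    "claims_outgoing_infection": r"virus was found in .{0,40}message you sent",
    "asks_to_run_attachment": r"(use the attached|removal tool attached|attached patch)",
}


def attachment_filenames(msg):
    """Return the filenames of all attached parts (empty list if none)."""
    return [part.get_filename() or "" for part in msg.iter_attachments()]


def analyse(raw, receive_only_addresses=frozenset()):
    """Return a dict with boolean indicators, a score and a verdict string.

    receive_only_addresses (hypothetical input): mailboxes the owner never
    sends from; an alert accusing one of them of *sending* a virus is a lure.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    names = attachment_filenames(msg)

    indicators = {
        name: re.search(pattern, text, re.IGNORECASE | re.DOTALL) is not None
        for name, pattern in LURE_PATTERNS.items()
    }
    indicators["executable_attachment"] = any(
        n.lower().endswith(tuple(EXECUTABLE_EXTS)) for n in names
    )
    # Genuine automated delivery/bounce notices use multipart/report (RFC 3462);
    # a "scanner alert" that arrives as plain text or multipart/mixed is out of
    # character for a real mail system.
    indicators["not_delivery_report"] = msg.get_content_type() != "multipart/report"
    recipient = str(msg.get("To") or "").strip().lower()
    indicators["accuses_receive_only_mailbox"] = recipient in {
        a.lower() for a in receive_only_addresses
    }

    score = sum(indicators.values())
    if indicators["executable_attachment"] and (
        indicators["claims_outgoing_infection"] or indicators["asks_to_run_attachment"]
    ):
        verdict = "malware lure"
    elif score >= 2:
        verdict = "suspicious"
    else:
        verdict = "likely benign"
    return {"indicators": indicators, "score": score, "verdict": verdict}


def build_sample_alert():
    """Construct a message modelled on the quoted alert (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.invalid"  # constructed sender
    msg["To"] = "victim@example.invalid"        # constructed recipient
    msg["Subject"] = "Virus detected in outgoing message"
    msg.set_content(
        "This is an automatically generated message.\n"
        "A virus was found in the last outgoing message you sent. "
        "The virus was reported to be: I-Worm.Mydoom.M\n"
        "Please use the attached patch file to remove the virus and cleanse "
        "your system of any remaining parts of the worm.\n"
        "Removal tool attached.\n"
    )
    # Placeholder bytes standing in for the "patch"; not a real executable.
    msg.add_attachment(b"PLACEHOLDER-NOT-A-REAL-BINARY",
                       maintype="application", subtype="octet-stream",
                       filename="patch.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    result = analyse(build_sample_alert(),
                     receive_only_addresses={"victim@example.invalid"})
    for name, hit in result["indicators"].items():
        print(f"{'!' if hit else ' '} {name}")
    print("score:", result["score"], "verdict:", result["verdict"])
```

Run against the constructed alert, every indicator fires and the verdict is "malware lure"; a plain text message with no attachment only trips the `not_delivery_report` check and stays "likely benign". The point of keeping the rules separate is that each one is cheap and explainable: the executable attachment plus the "run the attached patch" instruction is already enough to quarantine, and the receive-only-mailbox check reproduces the reasoning the post's author applied by hand.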
