A new variant of the Delivery Status Notification (Failure) – Virus is widely circulating that arrives with a completely random From: sender address and a subject line, such as:
From: ”wafersf25@resourcemining.com” <wafersf25@resourcemining.com>
Subject: The results of your email commandsFrom: ”hackingj@robe.riotinto.com” <hackingj@robe.riotinto.com>
Subject: The results of your email commandsFrom: “smirnoff9@royal-fiesta.com” <smirnoff9@royal-fiesta.com>
Subject: The results of your email commands
Regardless of the random and fictitious sender addresses, the emails are originating from previously infected personal computers from across the globe. A few widely diverse examples include:
- from [190.158.71.38] (helo=Dynamic-IP-1901587138.cable.net.co)
- from static-72-90-81-20.syrcny.fios.verizon.net [72.90.81.20]
- from 247-39-113-92.pool.ukrtel.net [92.113.39.247]
The body of the email is supposed to convince the recipient they are receiving a bounced email response to something they had sent, and succinctly states:
Note: Forwarded message is attached.
The results of your email command are provided below. Attached is your
original message.- Results:
Ignoring non-text/plain MIME parts- Done.
The point to this bogus bounce is the first line “Note: Forwarded message is attached.” which is intended to get you to open the email attachment, which is named either:
- The results of your email commands.htm
- The results of your email commands.html
Regardless of the naming extension, these HTML attachments are entirely JavaScript code. If opened, in most cases the script will attempt to force your browser to download virus code to your computer. In other instances, the JavaScript will only direct you to a spammer’s website. Unfortunately it is impossible for the end user to know whether this is the case or not beforehand.
As a result, the only safe course of action is to delete these bogus bounces on sight, without ever clicking the JavaScript attachments.
Related posts: