Virus Emails Gone Wild

Apparently the botnets in charge of spreading viruses have decided to go random and wild this week. To evade filtering and confuse recipients, they are spewing vast volumes of email and randomizing nearly every element of each message, a shotgun approach.

Sending addresses are all random and spoofed, and the emails themselves are short and cryptic. Subject lines tend to be short and simple and run the gamut; here are just a few of the hundreds of variations we are seeing:

Subject:      August Rent
Subject:      Resume
Subject:      Weekly Stats
Subject:      Homax Docs
Subject:      report
Subject:      declined deposit report
Subject:      Hello
Subject:      Fwd: audit balancing reports

The value of this approach is that each Subject is just vague enough to pique the recipient’s curiosity. Most also allude to some sort of report or document, so recipients are primed to expect an attachment even before opening the email itself.

The bodies of these wide-ranging campaigns also vary endlessly, but again, short and cryptic is the standard approach:

  • Attached is what I have for August rent.
  • I cleaned up the formatting of the resume and will review the content at some point today. Save this as your latest version and I’ll talk to you later.
  • These are my stats for the week ending 8-7-2010.
  • Please view the attached report of the declined deposit by OFAC
  • Please find attached the new Word document.
  • see my report in attach
  • enclosed is your balancing reports for data plus.

Some of these emails carry what appear to be legitimate signature blocks scraped from previously infected computers; others have none.

All are sent from zombie PCs already infected by these campaigns.

Attachment names are random and often include the current date, for example:

  • Wedding
  • Wedding 8-6-11.exe

The only useful common denominator for recipients to focus on is that all of these messages carry two attachments, one a “.exe” file and the other a “.zip” file. As in the example above, both files will typically share the same name, differing only in the file extension.
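A gateway-side check for that two-attachment pattern, written here as an added example rather than OnlyMyEmail’s own filter logic. The message samples are constructed in memory with the standard library’s email package (they are not captured spam), and the function names (build_sample, analyze and the rest) are this example’s own:

```python
"""Flag messages carrying a .exe and a .zip attachment with the same basename.

Added example, not OnlyMyEmail's filter code. The samples below are
constructed in memory; helper names are this example's own.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Dates embedded in attachment names, e.g. "8-6-11" or "8-7-2010".
DATE_IN_NAME = re.compile(r"\b\d{1,2}-\d{1,2}-(?:\d{4}|\d{2})\b")


def build_sample(subject, body, attachments):
    """Construct a MIME message (constructed test data, not a captured sample)."""
    msg = EmailMessage()
    msg["From"] = "random.sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    for filename, payload in attachments:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_string()


def attachment_names(msg):
    """Filenames of every non-multipart part that declares one, in MIME order."""
    return [part.get_filename() for part in msg.walk()
            if not part.is_multipart() and part.get_filename()]


def paired_exe_zip(names):
    """Basenames that appear with both a .exe and a .zip extension (case-insensitive)."""
    exts_by_base = {}
    for name in names:
        base, dot, ext = name.rpartition(".")
        if dot:  # names without an extension cannot form a pair
            exts_by_base.setdefault(base.strip().lower(), set()).add(ext.lower())
    return sorted(base for base, exts in exts_by_base.items() if {"exe", "zip"} <= exts)


def analyze(raw):
    """Parse a raw RFC 5322 message and report the campaign indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    names = attachment_names(msg)
    pairs = paired_exe_zip(names)
    return {
        "subject": msg["Subject"],
        "attachments": names,
        "paired_exe_zip": pairs,
        "dated_names": [n for n in names if DATE_IN_NAME.search(n)],
        # The .exe/.zip pairing is the indicator the post singles out;
        # a date in the name is corroborating, not required.
        "suspicious": bool(pairs),
    }


# Constructed samples: one shaped like the campaign, one ordinary.
CAMPAIGN_RAW = build_sample(
    "Wedding",
    "see my report in attach",
    [("Wedding 8-6-11.exe", b"MZ\x90\x00 not a real executable"),
     ("Wedding 8-6-11.zip", b"PK\x03\x04 not a real archive")],
)
BENIGN_RAW = build_sample(
    "Weekly Stats",
    "Stats attached.",
    [("stats.docx", b"PK\x03\x04 placeholder")],
)

if __name__ == "__main__":
    for raw in (CAMPAIGN_RAW, BENIGN_RAW):
        print(analyze(raw))
```

Run it directly to see both verdicts. The check keys only on the pairing the post identifies, so a later variant that drops one of the two attachments would slip past it; the date-in-name hit and the vague one-word subjects are the extra signals to weight in that case.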

Running the “.exe”, or extracting and running the executable inside the “.zip”, executes the virus code, which attempts to infect the recipient’s computer. That machine is then itself used to spread the infection further and extend the reach of these botnets.

- -

OnlyMyEmail is an award-winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record-setting 99.9993% of all malicious and junk email.

Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and the PC Magazine "Editor's Choice Award."

OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.
