Campus Halloween Trick (Without The Treat)

TMIRT has received reports of email messages with a malicious attachment being spammed to educational institutions, urging recipients to ‘check out’ and approve the attachment ‘and reply’ before Tuesday, November 1 – yes, that’s it, folks… the target day should be today! Check out the email contents below:

Subject: Campus Life

Message Body:

Hello,

We have been thinking of including you in the new campus magazine in an article headed “Campus Life”. Can you approve the photo and article for us before we go to printing please.

If any details are wrong then we can amend before printing on Tuesday 1st November so please get back to us as soon as possible.

Many Thanks & Best Regards,

J Chuang
Editor


Possible Attachments:


  • Photo + Article.exe
  • Photo + Article.scr
  • Photo + Article.zip


NOTE: The .exe and .scr usually comes using the icon of a PDF file.
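
The lure above is easy to screen for at a mail gateway: the subject is fixed, the attachment names are fixed, and two of the three variants are Windows executables (a .scr screensaver is an ordinary PE file) while the third is a zip that merely wraps one. The following Python is an added example, not code from TMIRT or Trend Micro; it builds a constructed lookalike message in code (no real sample is reproduced), then walks its MIME parts and reports the indicators from this advisory plus any executable found inside a zip attachment.

```python
"""Mail-gateway screening for the "Campus Life" lure.

Added example. The sample message is constructed in build_sample(); the
subject and attachment names come from the advisory, everything else
(sender address, finding labels, extension list) is my own assumption.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory text
LURE_SUBJECT = "campus life"
LURE_ATTACHMENT = re.compile(r"^photo \+ article\.(exe|scr|zip)$", re.I)
# Extensions Windows runs on double-click; .scr is a plain PE despite the name
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def _ext(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def screen_message(raw):
    """Return a list of findings for one RFC 822 message (empty list = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = (msg["Subject"] or "").strip()
    if subject.lower() == LURE_SUBJECT:
        findings.append("subject matches lure: %r" % subject)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if LURE_ATTACHMENT.match(name):
            findings.append("attachment name matches lure: %r" % name)
        if _ext(name) in EXECUTABLE_EXT:
            findings.append("executable attachment: %r" % name)
        if _ext(name) == ".zip":
            # Look inside the archive: the .zip variant wraps the same executable
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if _ext(member) in EXECUTABLE_EXT:
                            findings.append("executable inside archive %r: %r" % (name, member))
            except zipfile.BadZipFile:
                findings.append("unreadable zip attachment: %r" % name)
    return findings


def build_sample():
    """Constructed lookalike of the spam: a zip wrapping a fake 'Photo + Article.exe'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Photo + Article.exe", b"MZ placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "J Chuang <editor@example.invalid>"  # placeholder sender
    msg["To"] = "student@example.invalid"               # placeholder recipient
    msg["Subject"] = "Campus Life"
    msg.set_content("Can you approve the photo and article for us before we go to printing please.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Photo + Article.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in screen_message(build_sample()):
        print("ALERT:", finding)
```

Run as-is it prints three alerts for the constructed sample (subject, attachment name, and the executable inside the zip). The zip check is the part worth keeping after this campaign is over: the university warning quoted later in this post already notes that subject and attachment names may vary, but an executable inside a mailed archive stays suspicious regardless of what it is called.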



So far, we’ve seen only a couple of infections, including a university that put an online warning for the academe in their university website:



We’ve included some text here from the image above just in case the image is unclear:


IT Services has seen evidence of a new virus hitting university mailboxes on both campuses. This virus travels via email… Our Anti-virus vendors are currently working on virus definition files to identify (and remove) this new virus…

If you receive an email with the subject “Campus Life” and an attachment named “Photo + Article.zip” PLEASE do not open the attachment — just delete the message from your mailbox without opening it. DO NOT OPEN THE ATTACHMENT! There may be variations in the subject and attachment, so please exercise extra vigilance with any email messages that you may receive, especially those that have ZIP attachments…

Thank you for your patience while we resolve this problem…



Kinda like a nasty November 1 Halloween Trick (leave the Treat part out of it) because there is NO treat in what an infected user will experience once the malware is executed.

Once executed, the malware connects to Internet Relay Chat (IRC) servers on port 8080 and joins a channel, allowing a remote malicious user to issue the following commands, which are then executed locally on the affected system:

  • Download and execute remote files
  • Retrieve system information
  • Update itself
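
Port 8080 is normally an HTTP proxy port, so the bot's choice of it gives network defenders a simple tell: an IRC handshake (NICK/USER/JOIN) on a port where only HTTP requests should appear. The Python below is an added example, not TMIRT or Trend Micro code. It runs over a few constructed connection records in a tab-separated layout of my own (timestamp, source, destination, destination port, first line of the client payload); the only details taken from the advisory are port 8080 and the IRC behaviour, and no real bot traffic is reproduced.

```python
"""Flagging an IRC command channel on TCP/8080 in connection logs.

Added example with constructed log lines. Layout (my assumption):
ts<TAB>src<TAB>dst<TAB>dport<TAB>first line of client payload.
"""
import re
from collections import defaultdict

# Client-side IRC traffic: registration (PASS/NICK/USER), channel join, and the
# PRIVMSG lines through which channel commands are relayed to the bot.
IRC_CMD = re.compile(r"^(PASS|NICK|USER|JOIN|PRIVMSG) ")

# Constructed sample: one normal proxy request, one host doing IRC on 8080,
# and one host using a real IRC port (6667), which is a different, lesser concern.
SAMPLE_LOG = """\
2005-11-01T08:02:11\t10.20.3.44\t203.0.113.10\t8080\tGET /index.html HTTP/1.1
2005-11-01T08:05:40\t10.20.3.51\t198.51.100.7\t8080\tNICK abc123
2005-11-01T08:05:41\t10.20.3.51\t198.51.100.7\t8080\tJOIN #chan
2005-11-01T08:06:02\t10.20.3.51\t198.51.100.7\t8080\tPRIVMSG #chan :sysinfo
2005-11-01T08:09:15\t10.20.3.60\t192.0.2.33\t6667\tNICK student
"""


def parse(log_text):
    """Parse the tab-separated records into dicts; blank lines are skipped."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, payload = line.split("\t", 4)
        rows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport), "payload": payload})
    return rows


def classify(row):
    """Label one connection: 'irc-on-8080' (matches this bot), 'irc' (IRC elsewhere), or None."""
    if IRC_CMD.match(row["payload"]):
        return "irc-on-8080" if row["dport"] == 8080 else "irc"
    return None


def find_bots(log_text):
    """Group irc-on-8080 hits per source host, so one infected PC yields one alert."""
    hits = defaultdict(list)
    for row in parse(log_text):
        if classify(row) == "irc-on-8080":
            hits[row["src"]].append((row["ts"], row["dst"], row["payload"]))
    return dict(hits)


if __name__ == "__main__":
    for host, events in find_bots(SAMPLE_LOG).items():
        print("possible IRC bot on %s: %d events, server %s" % (host, len(events), events[0][1]))
        for ts, dst, payload in events:
            print("   ", ts, dst, payload)
```

On the constructed log only 10.20.3.51 is reported (three events to 198.51.100.7); the ordinary proxy request on 8080 and the student's IRC session on 6667 are left alone. The grouping per source host matters in practice: a bot re-registers and polls its channel repeatedly, and one alert per host is what an IT Services desk can act on, which on this campaign means pulling the host and checking it with current definitions for BKDR_IRCBOT.BM / BKDR_BREPLIBOT.B.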

Good news for Trend Micro customers though: this malware is detected by Trend Micro as either BKDR_IRCBOT.BM, first seen and detected on Oct 26, 2005, or BKDR_BREPLIBOT.B, first seen and detected on Oct 29, 2005.

Other related malware that started propagating in the week just before this November 1 includes:

BKDR_BREPLIBOT.A – first seen on Oct 26, 2005

WORM_IRCBOT.AJ – first seen on Oct 27, 2005

This is definitely one more piece of evidence of the increasing proliferation of targeted attacks. The target in this case is clearly the academe, and most probably students, who may be tricked into having their 5-minutes-of-fame-plus-photo-plus-article published “in the new campus magazine in an article headed ‘Campus Life’”!

Targets in these kinds of attacks vary: they may range from operating systems to frequently used applications or computing peripherals, or from geographical locations to user and institutional groups such as the educational community mentioned above. Let us continue to be more vigilant regarding these attacks in the days to come…