
Customer Support Center Robot Worm Email

by Brett M. Christensen

Outline:
Email, which masquerades as an automated ISP message, claims the recipient must install an attached security patch to stop a worm from spreading.


Brief Analysis:
False – The attachment contains a worm.

Example:
A new malware attack that uses a very similar message to the one shown below began hitting inboxes in July, 2007.



Detailed Analysis:
Yet another email-based malware attack is currently hitting inboxes. The emails masquerade as automated service messages from the recipient’s Internet Service Provider (ISP). The messages claim that abnormal activity related to an email worm epidemic has been detected and instruct the recipient to install a patch to deal with the problem.

The bogus patch is included in a password-protected zip archive attached to the email. The message also provides the password required to access the archive. The “password protection” ruse is apparently designed to make the claims in the message seem more legitimate.

When the user opens the attachment, a rootkit is installed and the malware attempts to connect to a peer-to-peer network. Once connected, it can upload sensitive information from the compromised computer and download other malware components. It will also search for email addresses on the infected machine and send copies of itself to addresses that it finds.

The malware attempts to protect itself by interfering with the normal functioning of anti-virus scanners.

The infected machine ultimately becomes a zombie computer connected to a botnet that can be used to send spam and spread other malware.

The worm is very similar in intent to the Iran Missile Attack worm, which has also been spreading via email.

Malware distributors have often used the “security patch” ruse to try to trick unwary recipients into installing their malicious software. Software companies or ISPs are extremely unlikely to distribute security patches via unsolicited email. Security updates should only be installed via the software vendor’s official update facilities. Users should always be very cautious of opening email attachments, including those that claim to be security updates. Users should also ensure that they have up-to-date anti-virus software installed and use an Internet firewall.


Last updated: 14th April 2007
First published: 14th April 2007