Mailing List Archive: SpamAssassin: users

balancechecker.zip balancechecker.exe



richard at buzzhost

Nov 15, 2009, 9:47 AM

Post #1 of 10 (1385 views)
balancechecker.zip balancechecker.exe

Is anyone else seeing an influx of spam with a zip attachment
balancechecker.zip?

This contains a windows executable, balancechecker.exe, which appears to
be testing clean with clam and others.

I'm inclined to think it's *not* clean and is viral.

EXAMPLE
http://pastebin.com/m730f90e9


me at junc

Nov 15, 2009, 10:32 AM

Post #2 of 10 (1337 views)
Re: balancechecker.zip balancechecker.exe [In reply to]

On søn 15 nov 2009 18:47:49 CET, "richard [at] buzzhost" wrote
> http://pastebin.com/m730f90e9

winnow.malware.8163


--
xpoint


ilikeuce at bornefeld-ettmann

Nov 15, 2009, 4:20 PM

Post #3 of 10 (1329 views)
Re: balancechecker.zip balancechecker.exe [In reply to]

richard [at] buzzhost schrieb:
> Is anyone else seeing an influx of spam with a zip attachment
> balancechecker.zip?
>
> This contains a windows executable, balancechecker.exe, which appears to
> be testing clean with clam and others.
>
> I'm inclined to think it's *not* clean and is viral.
>
> EXAMPLE
> http://pastebin.com/m730f90e9
>
>

I really do not think it is clean. It really sounds like a typical bogus
mail.

see also here :
http://www.sophos.com/blogs/gc/g/2009/11/13/email-vodafone-limit-credit-balance-beware/


richard at buzzhost

Nov 15, 2009, 10:11 PM

Post #4 of 10 (1322 views)
Re: balancechecker.zip balancechecker.exe [In reply to]

On Mon, 2009-11-16 at 00:07 +0100, Ralph Bornefeld-Ettmann wrote:
> richard [at] buzzhost schrieb:
> > Is anyone else seeing an influx of spam with a zip attachment
> > balancechecker.zip?
> >
> > This contains a windows executable, balancechecker.exe, which appears to
> > be testing clean with clam and others.
> >
> > I'm inclined to think it's *not* clean and is viral.
> >
> > EXAMPLE
> > http://pastebin.com/m730f90e9
> >
> >
>
> I really do not think it is clean. It really sounds like a typical bogus
> mail.
>
> see also here :
> http://www.sophos.com/blogs/gc/g/2009/11/13/email-vodafone-limit-credit-balance-beware/
>
It is now starting to get picked up and I can see that it was reported
at totalvirus on Friday. Yesterday it was passing many checkers as
clean, including CLAMAV - which by its free nature - finds its way into
many gateway scanners.

This morning, however, is a different tale:

balancechecker.exe: Trojan.Zbot-6437 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 649889
Engine version: 0.95.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
Data read: 0.02 MB (ratio 1.00:1)
Time: 2.682 sec (0 m 2 s)


richard at buzzhost

Nov 16, 2009, 6:14 AM

Post #5 of 10 (1287 views)
Re: balancechecker.zip balancechecker.exe [In reply to]

On Mon, 2009-11-16 at 14:08 +0100, Ralph Bornefeld-Ettmann wrote:
> richard [at] buzzhost schrieb:
> > On Mon, 2009-11-16 at 00:07 +0100, Ralph Bornefeld-Ettmann wrote:
> >> richard [at] buzzhost schrieb:
> >>> Is anyone else seeing an influx of spam with a zip attachment
> >>> balancechecker.zip?
> >>>
> >>> This contains a windows executable, balancechecker.exe, which appears to
> >>> be testing clean with clam and others.
> >>>
> >>> I'm inclined to think it's *not* clean and is viral.
> >>>
> >>> EXAMPLE
> >>> http://pastebin.com/m730f90e9
> >>>
> >>>
> >> I really do not think it is clean. It really sounds like a typical bogus
> >> mail.
> >>
> >> see also here :
> >> http://www.sophos.com/blogs/gc/g/2009/11/13/email-vodafone-limit-credit-balance-beware/
> >>
> > It is now starting to get picked up and I can see that it was reported
> > at totalvirus on Friday. Yesterday it was passing many checkers as
> > clean, including CLAMAV - which by its free nature - finds its way into
> > many gateway scanners.
> >
> > This morning, however, is a different tale:
> >
> > balancechecker.exe: Trojan.Zbot-6437 FOUND
> >
> > ----------- SCAN SUMMARY -----------
> > Known viruses: 649889
> > Engine version: 0.95.3
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 1
> > Data scanned: 0.02 MB
> > Data read: 0.02 MB (ratio 1.00:1)
> > Time: 2.682 sec (0 m 2 s)
> >
> >
> >
> >
> For me such mails are simply a logical question : "Why should I run a
> program to check my balance?"
>
> But normally I do not ask for logical thinking after my users also
> tend to look for usable content in mails with subjects like "Do you
> want to f--k me?" :-)
>
> Cheers
> Ralph
>
Ralph, I entirely agree as a logical human, but end users are *not*
logical users. Many probably think 'Hey, this file must be OK to run as
it's passed our gateway virus scanner and Norton is not picking it up -
let's see what it does.....'

{cue entertaining funfair music and that nice windows 7 PC becoming a
spam machine gun....} LOL


ilikeuce at bornefeld-ettmann

Nov 16, 2009, 6:20 AM

Post #6 of 10 (1289 views)
Re: balancechecker.zip balancechecker.exe [In reply to]

richard [at] buzzhost schrieb:
> On Mon, 2009-11-16 at 00:07 +0100, Ralph Bornefeld-Ettmann wrote:
>> richard [at] buzzhost schrieb:
>>> Is anyone else seeing an influx of spam with a zip attachment
>>> balancechecker.zip?
>>>
>>> This contains a windows executable, balancechecker.exe, which appears to
>>> be testing clean with clam and others.
>>>
>>> I'm inclined to think it's *not* clean and is viral.
>>>
>>> EXAMPLE
>>> http://pastebin.com/m730f90e9
>>>
>>>
>> I really do not think it is clean. It really sounds like a typical bogus
>> mail.
>>
>> see also here :
>> http://www.sophos.com/blogs/gc/g/2009/11/13/email-vodafone-limit-credit-balance-beware/
>>
> It is now starting to get picked up and I can see that it was reported
> at totalvirus on Friday. Yesterday it was passing many checkers as
> clean, including CLAMAV - which by its free nature - finds its way into
> many gateway scanners.
>
> This morning, however, is a different tale:
>
> balancechecker.exe: Trojan.Zbot-6437 FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 649889
> Engine version: 0.95.3
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.02 MB
> Data read: 0.02 MB (ratio 1.00:1)
> Time: 2.682 sec (0 m 2 s)
>
>
>
>
For me such mails are simply a logical question : "Why should I run a
program to check my balance?"

But normally I do not ask for logical thinking after my users also
tend to look for usable content in mails with subjects like "Do you
want to f--k me?" :-)

Cheers
Ralph


ned at unixmail

Nov 16, 2009, 7:29 AM

Post #7 of 10 (1273 views)
Re: balancechecker.zip balancechecker.exe [In reply to]

richard [at] buzzhost wrote:
> Ralph, I entirely agree as a logical human, but end users are *not*
> logical users. Many probably think 'Hey, this file must be OK to run as
> it's passed our gateway virus scanner and Norton is not picking it up -
> let's see what it does.....'
>

Rhetorical question: Why would "our gateway" be passing executable
attachments to clueless end users in the first place?


kremels at kreme

Nov 16, 2009, 7:58 AM

Post #8 of 10 (1272 views)
Re: balancechecker.zip balancechecker.exe [In reply to]

On 16-Nov-2009, at 08:29, Ned Slider wrote:
> richard [at] buzzhost wrote:
>> Ralph, I entirely agree as a logical human, but end users are *not*
>> logical users. Many probably think 'Hey, this file must be OK to run as
>> it's passed our gateway virus scanner and Norton is not picking it up -
>> let's see what it does.....'
>
> Rhetorical question: Why would "our gateway" be passing executable attachments to clueless end users in the first place?

The payload is a .zip file, containing a .exe, so it takes a certain level of stupidity/ignorance in 2009 to be caught out.

I thought there was a way to check for .zips containing .exe files, but it does require doing a body check as I recall, so not very cheap.


--
I WILL NOT EAT THINGS FOR MONEY
Bart chalkboard Ep. 9F10
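The "zips containing .exe files" check mentioned in the post above, written out as an added example (not code from the thread, from SpamAssassin, or from any of the posters): it walks the MIME parts of a message, opens each zip attachment, and reports members that are executable either by extension or by the "MZ" DOS header, so a renamed executable inside the archive is caught too. The extension list, the size cap, and the sample message (a constructed zip under the attachment name discussed in the thread, with a fake MZ stub rather than any real binary) are assumptions made for the example.

```python
# Added example: gateway-side inspection of zip attachments for executable content.
# Not code from the SpamAssassin thread; the sample message is constructed here.
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions the (assumed) policy treats as executable content.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll"}
# Refuse to expand any single member larger than this (guard against zip bombs).
MAX_MEMBER_BYTES = 50 * 1024 * 1024


def inspect_zip_bytes(data: bytes) -> list:
    """Return (member name, reason) for every zip member that looks executable."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # A corrupt or non-zip attachment is itself worth flagging rather than passing.
        return [("<archive>", "not a valid zip")]
    for info in archive.infolist():
        if info.is_dir():
            continue
        name = info.filename
        if any(name.lower().endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
            findings.append((name, "executable extension"))
            continue
        if info.file_size > MAX_MEMBER_BYTES:
            findings.append((name, "member too large to inspect"))
            continue
        # Only the first two bytes are needed to spot a PE/DOS executable.
        with archive.open(info) as member:
            head = member.read(2)
        if head == b"MZ":
            findings.append((name, "MZ header (PE/DOS executable) with non-executable name"))
    return findings


def inspect_message(raw: bytes) -> list:
    """Walk all MIME parts, inspect every zip attachment, return (attachment name, findings)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = []
    for part in msg.walk():
        filename = part.get_filename() or ""
        ctype = part.get_content_type()
        is_zip = ctype in ("application/zip", "application/x-zip-compressed")
        if is_zip or filename.lower().endswith(".zip"):
            payload = part.get_payload(decode=True)
            if payload is None:
                continue
            results.append((filename, inspect_zip_bytes(payload)))
    return results


def build_sample_message() -> bytes:
    """Constructed test message: a zip with a fake MZ stub named like the thread's attachment,
    a harmless text file, and the same stub disguised under a .pdf name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("balancechecker.exe", b"MZ" + b"\x00" * 62)  # fake header only, not a real binary
        zf.writestr("readme.txt", b"Check your balance here.")
        zf.writestr("balance.pdf", b"MZ" + b"\x00" * 10)  # executable hiding behind a document name
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your balance"
    msg.set_content("Run the attached program to check your credit balance.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="balancechecker.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, findings in inspect_message(build_sample_message()):
        for member, reason in findings:
            print(f"{attachment}: {member}: {reason}")
```

Run stand-alone it reports both the `.exe` member and the MZ-headed `balance.pdf`, while `readme.txt` passes. Checking the header and not just the name is the point: the extension check is the cheap part, and the body decode plus archive open is the "not very cheap" part the post refers to, which is why such a check usually lives in a dedicated policy tool at the gateway rather than in a scoring rule.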


jhardin at impsec

Nov 16, 2009, 8:19 AM

Post #9 of 10 (1273 views)
Re: balancechecker.zip balancechecker.exe [In reply to]

On Mon, 16 Nov 2009, LuKreme wrote:

> On 16-Nov-2009, at 08:29, Ned Slider wrote:
>> richard [at] buzzhost wrote:
>>> Ralph, I entirely agree as a logical human, but end users are *not*
>>> logical users. Many probably think 'Hey, this file must be OK to run as
>>> it's passed our gateway virus scanner and Norton is not picking it up -
>>> let's see what it does.....'
>>
>> Rhetorical question: Why would "our gateway" be passing executable
>> attachments to clueless end users in the first place?
>
> The payload is a .zip file, containing a .exe, so it takes a certain
> level of stupidity/ignorance in 2009 to be caught out.
>
> I thought there was a way to check for .zips containing .exe files, but
> it does require doing a body check as I recall, so not very cheap.

<plug type="shameless">
http://www.impsec.org/email-tools/procmail-security.html
</plug>

There are other policy-enforcement tools, of course; I don't think SA can
do that yet, though.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The one political issue that strips all politicians bare is
individual gun rights.
-----------------------------------------------------------------------
38 days since President Obama won the Nobel "Not George W. Bush" prize


dbfunk at engineering

Nov 16, 2009, 3:37 PM

Post #10 of 10 (1246 views)
Re: balancechecker.zip balancechecker.exe [In reply to]

On Sun, 15 Nov 2009, richard [at] buzzhost wrote:

> Is anyone else seeing an influx of spam with a zip attachment
> balancechecker.zip?
>
> This contains a windows executable, balancechecker.exe, which appears to
> be testing clean with clam and others.
>
> I'm inclined to think it's *not* clean and is viral.
>
> EXAMPLE
> http://pastebin.com/m730f90e9

FWIW, the Sanesecurity sigs for ClamAV started hitting this one
last Friday afternoon.

--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
