Another variant of FakeRean is arriving in email inboxes.

 

This one claims to be from United Parcel Service, and has a subject line of:

Fedex Tracking N5421062126

 

The body text is:

 

Unfortunately we were not able to deliver postal package you sent on October the
18st in time because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office

Your UPS

 

This one has some dead giveaways that there is something fishy about it.

  • very poor grammar.  (October the 18st?)
  • UPS doesn't have a habit of giving out Fedex tracking numbers.

 

With previous virus alerts, big-name antivirus software has been slow at picking up the virus, so this time I delayed before testing.

The first time this virus variant was seen in an inbox at CB Services was 1:05 AM on Tuesday, October 20, 2009.

It was scanned at virustotal.com for this warning at 8:41 PM, on Wednesday, October 21, 2009.

 

The results were slightly better, in that the Symantec/Norton and Trend Micro antivirus engines detected the virus.  McAfee in its base form still missed it, though.

But this doesn't take into account that this is simply a variant of FakeRean, which has been around since at least October 14, 2009, as shown in my first alert about this virus, when it posed as an Outlook settings file update.

 

The fact that any antivirus would miss a simple variant of a virus that's over a week old does not say good things about that antivirus software, or even the industry in general.  This is especially true since this virus variant was caught by less than 61% of antivirus software when it was scanned.

 

It has been given at least two full workdays to infect computers at places of business, and antivirus detection is not even up to a 2/3 rate yet.

 

[Image: UPS Fedex Tracking Number N5421062126]

 

This FakeRean variant is, like the previous one, a fraudulent attempt to sell fake antivirus software.

 

If you are infected with this, and are seeing popup warnings about massive virus infections on your computer, do not, under any circumstances, purchase the recommended software.  This will simply put your credit card number in the hands of criminals.

If you can't remove the infection yourself, take your computer to a knowledgeable computer technician.

 

Email viruses were on the wane until recently; however, there seems to be a flood of them in the last couple of weeks.

Another new trojan is coming in an email with the subject line:

Microsoft Outlook Notification for the [email address]

It comes with an attached file, install.zip, which contains the virus.

 

The message body is:

You have (6) New Message from Outlook Microsoft

- Please re-configure your Microsoft Outlook Again.
- Download attached setup file and install.

 

This latest one appears to be a variant of the FakeRean trojan that's been in the wild for the last week or two.

It gets similar results on virustotal.com; no detection by Trend or McAfee, but detected by Symantec/Norton.

 

It also appears to be trying to sell fraudulent antivirus software, so watch out for these types of scams.

 

 

Another email virus (technically a trojan) is currently making the rounds.  This one is an attachment to a message with the subject "You've received a postcard" and the following text:

 

 

Good day.

Your family member has sent you an ecard from 123greetings.com.

Send free ecards from 123greetings.com with your choice of colors, words and music.

Your ecard will be available with us for the next 30 days.

If you wish to keep the ecard longer, you may save it on your computer or take a
print.

To view your ecard, open zip attached file.

 

The attached file is a zip file, named ecard.zip, and is 30KB in all samples CB Services has seen so far.  That is its size as encoded in the email; once decoded by saving it to a drive in your computer, it reduces to just over 22KB.

This virus is, as of this writing, not detected by Norton, Trend Micro, or McAfee.  (Click the thumbnail to see the full size results in a new window.)

 

[Image: Murlo virus scan results virustotal]

 

 

This virus is quite new, and hasn't been fully analyzed.  It may perform various actions to reduce the security of your computer, such as turning off firewall or antivirus software, or disabling automatic updates.

It appears that it is also related to rogue antivirus software that will attempt to scare you into purchasing fake antivirus by claiming your computer is infected with numerous viruses.  These "infections" are false positives.

 

 

Another email virus/trojan is making the rounds.

This one is contained in an email with the subject line:

A new settings file for the [email address] has just been released

where "[email address]" is replaced with your email address.

 

The body of the email contains this text:

Dear user of the domain.com mailing service!

We are informing you that because of the security upgrade of the mailing service
your mailbox [email address] settings were changed. In order to
apply the new set of settings open zip attached file.

Best regards, domain.com Technical Support.

Again, "domain.com" is replaced with the domain of your email address (the part after the @).

 

[Image: FakeRean virustotal results]

 

The virus currently has generic detection in Norton/Symantec Antivirus products, but as of yet, McAfee and Trend Micro don't detect it at all.

 

The virus is contained in a zip file attachment with the name install.zip, which is 17 kilobytes.  This zip archive contains one file, install.exe.  Running this file executes the virus, infecting your computer.
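A mail-gateway style check for the delivery pattern in these alerts (install.zip holding a single install.exe, and the encoded versus decoded size difference noted for ecard.zip), as an added example that is not part of the original alerts. The extension list, function names and sample message are constructed for illustration; the sample attachment holds inert filler bytes.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist: extensions Windows runs directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def inspect_zip_attachments(raw_message: bytes) -> list:
    """Report each zip attachment: size in the email, size on disk, executable members."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""  # bytes after transfer decoding
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()  # listing only; nothing is extracted or run
        risky = [m for m in members
                 if os.path.splitext(m)[1].lower() in EXECUTABLE_EXTS]
        findings.append({
            "attachment": part.get_filename() or "",
            "encoded_bytes": len(part.get_payload()),  # text as carried in the email
            "decoded_bytes": len(data),                # what lands on the drive
            "members": members,
            "executables": risky,
            "block": bool(risky),
        })
    return findings


def build_sample() -> bytes:
    """Constructed message: a harmless stand-in for install.zip holding install.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("install.exe", b"NOT A REAL PROGRAM " * 200)  # inert filler
    msg = EmailMessage()
    msg["Subject"] = "A new settings file has just been released"
    msg["From"] = "support@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("open zip attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="install.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_zip_attachments(build_sample()):
        print(finding)
```

The check depends on what is inside the archive rather than on an antivirus signature, so it still flags a repackaged variant that scanners have not caught up with.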

 

This virus appears to give fake antivirus scan results, encouraging you to buy a rogue antivirus product.

This will put your credit card details in the hands of the virus writers, possibly leading to fraudulent purchases on your card.

 

A new email virus (technically a trojan) is currently making the rounds.  This one is an attachment to a message with the following text:

 

 

Dear Customer!

Thank you for ordering at our online store.
Your order: Sony VAIO A1133651A, was sent at your address.
The tracking number of your postal parcel is indicated in the document attached to
this letter.
Please, print out the postal label for receiving the parcel.

Internet Store.

 

The attached file is a zip file, named nz.zip, and is small, at only 9.8 kilobytes for one variant.

At least some variants of this virus are, as of this writing, not detected by Norton, Trend Micro, or McAfee.  (Click the thumbnail to see the full size results in a new window.)

 

[Image: Murlo virus scan results virustotal]

 

 

The trojan downloads several other malicious programs onto your computer, and also disables the Windows firewall, and the Windows Security Center, rendering your computer vulnerable to other intrusions.

It also uses techniques to insert itself into Internet Explorer, Firefox, and Opera browsers, thereby poisoning them with malicious code, probably intercepting passwords to websites and other activities.

 
