Full Disclosure mailing list archives

Fake Virus Warnings From ISPs


From: "Mike" <mjcarter () ihug co nz>
Date: Sun, 18 Jan 2004 13:28:19 +1300

Hi All,

Warning: be careful with the links in this email.

Posted in the SANS diary by Johannes Ullrich:

A user submitted a fake e-mail, which is using the %01 MSIE bug to trick the
user into downloading a Trojan.

[snip]

This appears to be bigger than Yahoo being faked. I recently received this
faked email:

Virus Alert
To:mjcarter
From: ihug.co.nz's Internet Virus Department

We have detected a possible computer virus on your computer, You must open
the details of the report within 24 hours our we will be forced to shut down
your internet service.

Please Click Below Then Press "open" To View The Report If you do not open
this report in 24 hours we will suspend your internet service If nothing
apears on your virus report please dis-regard this message
Click Here Now
<http://ihug.co.nz%01 () dzmj6u1ziuzb4r3tzaj0zafl euphoriaja com/special2/>

Clicking on the link takes me to
http://dzmj6u1ziuzb4r3tzaj0zafl.euphoriaja.com/special2/ which redirects to
http://66.98.208.24/cgi-bin/page.cgi and attempts to download page.hta which
McAfee detects as VBS/Inor.

I've contacted my ISP and forwarded it to them. I wonder how many other ISPs
are about to be flooded with calls.

Note the URL is changing: it was originally
http://66.98.208.24/cgi-bin/page.cgi, which was shut down.

But it is now residing at http://210.51.184.247/cgi-bin/page.cgi

inetnum:      210.51.0.0 - 210.51.255.255
netname:      CNCNET
descr:        China Netcom Corp.
descr:        New Telecommunication Carrier Based on IP Backbone
country:      CN
admin-c:      JM284-AP
tech-c:       JM284-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-CN-ZM28
changed:      hostmaster () apnic net 20001011
changed:      hm-changed () apnic net 20020703
changed:      hm-changed () apnic net 20030212
status:       ALLOCATED PORTABLE
source:       APNIC


Regards
Mike


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

