'Your internet access is going to get suspended' Email

If you receive an email with the subject 'Your internet access is going to get suspended', don't panic. It is another virus doing the rounds: it sends out these worryingly-phrased emails in an attempt to trick you into running the attachment and infecting yourself with the payload. Several sites have picked up on it, and a few of the popular virus scanning packages have already added detection for it.

The message reads:
Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of
software authors, artists. We conduct regular wiretapping on our networks,
to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have
attached. We strongly advise you to stop your activities regarding the illegal
downloading of copyrighted material of your internet access will be suspended.

Sincerely
ICS Monitoring Team
The message carries a zip attachment named user-XXXXXXXX-activities.zip, where XXXXXXXX is a random string of characters. Extracting it yields an executable with the same random part, user-XXXXXXXX-activities.exe.

The malware registers a Winlogon notification package so that its module is loaded into the address space of winlogon.exe. It drops the files cabpck.dll (detected as Mal/TinyDL-T by Sophos), k86.bin and krnlcab.sys (detected as Backdoor:Win32/Haxdoor by Microsoft) into the %System% folder.

It also creates a directory %Temp%\msi_setup and opens a connection to a remote host, such as http://****-****.biz/jerken/data.php?trackid=706172616D3D6 or http://*****.net/22/data.php?trackid=706172616D3D636D64266C616E6 (hostnames masked; the trackid values are quoted as reported, and are hex-encoded ASCII: 706172616D3D decodes to param=).
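The two concrete indicators in this post, the user-XXXXXXXX-activities.zip attachment that unpacks to a same-named .exe and the hex-encoded trackid parameter in the beacon URL, are simple to check for at the mail gateway. The following is an added example written for this page, not code from the original post or from any vendor product: it builds a constructed lookalike message (with a harmless MZ stub standing in for the real payload), scans it for the subject line, the attachment name pattern and an executable inside the zip, and decodes the trackid values quoted above. The subject and filename checks, the sender addresses and the message body are assumptions for the demonstration.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Lure subject line and attachment naming pattern as quoted in the post.
LURE_SUBJECT = "Your internet access is going to get suspended"
ATTACHMENT_RE = re.compile(r"^user-[A-Za-z0-9]{8}-activities\.zip$", re.IGNORECASE)


def decode_trackid(value):
    """Decode the hex-encoded ASCII carried in the trackid query parameter.

    The values quoted in the post are cut off mid-byte (odd length), so an
    unpaired trailing nibble is dropped before decoding.
    """
    value = value.strip()
    if len(value) % 2:
        value = value[:-1]
    try:
        return bytes.fromhex(value).decode("ascii", errors="replace")
    except ValueError:
        return None


def triage_message(raw):
    """Return a list of findings for one RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = (msg["Subject"] or "").strip()
    if subject.lower() == LURE_SUBJECT.lower():
        findings.append("subject matches lure")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not ATTACHMENT_RE.match(name):
            continue
        findings.append("attachment name matches pattern: " + name)
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if not info.filename.lower().endswith(".exe"):
                        continue
                    findings.append("zip contains executable: " + info.filename)
                    # The post reports the .exe carries the same random name as the zip.
                    if info.filename.lower() == name.lower()[:-4] + ".exe":
                        findings.append("executable name mirrors zip name")
                    if zf.read(info.filename)[:2] == b"MZ":
                        findings.append("executable has an MZ (PE) header")
        except zipfile.BadZipFile:
            findings.append("attachment is not a valid zip")
    return findings


def build_sample_message(zip_name, inner_name):
    """Construct a lookalike message for testing (hypothetical sender and
    recipient); the 'executable' is a harmless stub, not the real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["Subject"] = LURE_SUBJECT
    msg["From"] = "monitoring@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("You can check the report of your activities that we have attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample_message("user-a1b2c3d4-activities.zip",
                                  "user-a1b2c3d4-activities.exe")
    for finding in triage_message(sample):
        print(finding)
    print(decode_trackid("706172616D3D6"))                # param=
    print(decode_trackid("706172616D3D636D64266C616E6"))  # param=cmd&lan
```

The filename regex is deliberately narrow so it can be dropped into a gateway rule without false positives; the zip inspection is what catches a renamed copy of the same lure, since the executable inside still carries the MZ header whatever the outer name.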

It makes a change from the usual 'Please find your receipt attached' approach, but my main concern is the number of clients who will instantly assume they've done something wrong, open the attachment to check, and get infected.
