On Mon, 2009-11-16 at 14:08 +0100, Ralph Bornefeld-Ettmann wrote:
> rich...@buzzhost.co.uk wrote:
> > On Mon, 2009-11-16 at 00:07 +0100, Ralph Bornefeld-Ettmann wrote:
> >> rich...@buzzhost.co.uk wrote:
> >>> Is anyone else seeing an influx of spam with a zip attachment
> >>> balancechecker.zip?
> >>>
> >>> This contains a Windows executable, balancechecker.exe, which appears to
> >>> be testing clean with clam and others.
> >>>
> >>> I'm inclined to think it's *not* clean and is viral.
> >>>
> >>> EXAMPLE
> >>> http://pastebin.com/m730f90e9
> >>>
> >> I really do not think it is clean. It really sounds like a typical bogus
> >> mail.
> >>
> >> see also here:
> >> http://www.sophos.com/blogs/gc/g/2009/11/13/email-vodafone-limit-credit-balance-beware/
> >>
> > It is now starting to get picked up and I can see that it was reported
> > at totalvirus on Friday. Yesterday it was passing many checkers as
> > clean, including CLAMAV - which by its free nature - finds its way into
> > many gateway scanners.
> >
> > This morning, however, is a different tale:
> >
> > balancechecker.exe: Trojan.Zbot-6437 FOUND
> >
> > ----------- SCAN SUMMARY -----------
> > Known viruses: 649889
> > Engine version: 0.95.3
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 1
> > Data scanned: 0.02 MB
> > Data read: 0.02 MB (ratio 1.00:1)
> > Time: 2.682 sec (0 m 2 s)
> >
> For me such mails are simply a logical question: "Why should I run a
> program to check my balance?"
>
> But normally I do not ask for logical thinking after my users also
> tend to look for usable content in mails with subjects like "Do you
> want to f--k me?" :-)
>
> Cheers
> Ralph
>

Ralph, I entirely agree as a logical human, but end users are *not* logical users. Many probably think 'Hey, this file must be OK to run as it's passed our gateway virus scanner and Norton is not picking it up - let's see what it does.....'
{cue entertaining funfair music and that nice windows 7 PC becoming a spam machine gun....} LOL