A new e-mail attack variant similar to attacks previously launched on the IRS and Better Business Bureau. The spoofed e-mail claims to be from the United States Department of Justice (USDOJ). We have been tracking these attacks and have previously reported on them on our site.

The message claims that a complaint to the USDOJ has been filed against the recipient's company. The e-mail informs the reader that a copy of the original complaint has been attached to the e-mail.

The attached "complaint" is a Trojan Downloader .scr file with an MD5 of aeb784bc17c4c7e6edc5f1faaa9ed24f.

None of the major anti-virus vendors detected the malicious code.

E-mail screenshot:

Actual text of e-mail hoax:

Please delete these e-mails should you receive them.

Also known as: W32/IRCbot (McAfee), W32/IRCBot (Sophos), WORM_IRCBOT (Trend), W32.Mubla (Symantec), Backdoor.Win32.IRCBot. (Kaspersky), Backdoor:Win32/IRCbot! (MS OneCare)

Win32/Checkout is a worm family containing an IRC-based backdoor. Checkout spreads by using MSN Messenger to spam itself to the user's contact list. The worm may also download and execute an arbitrary file. Some variants attempt to retrieve data from Protected Storage and send it to the backdoor's controller.

For those variants that make unzipped copies of themselves, filenames observed at the time of publication have included:

printers.exe
msn.exe
intlprinters.exe
libcinet.exe
inetlibx.exe
msnfix.exe

For variants that make zipped copies of themselves, the following combinations of zip filenames and enclosed filenames have been observed in use:

Checkout then injects code into the "Explorer.exe" process which causes it to execute the DLL's code immediately.

Checkout variants contain an IRC-based backdoor which contacts an IRC server.

After connecting to the server, the worm attempts to use MSN Messenger to send itself to the user's contact list. The backdoor's controller may also issue instructions such as to repeat the spreading process or to contact a different server.

For example, the pre-stored possible messages for Checkout.L are listed below:

• what do you think of this picure? i feel i look ugly :/
• here are a new pic of me
• a few pictures from last week, see if you like em
• have you seen this picure yet?
• haha, is that you on that picture?
• should i use this picture on msn?
• What do you think about this?

Also known as: W32/Rontokbro.gen@MM (McAfee), W32.Rontokbro@mm (Symantec), BackDoor.Generic.1138 (Doctor Web), W32/Korbo-B (Sophos), WORM_RONTOKBRO.F (Trend Micro), WORM/Brontok.C (H+BEDV), W32/Brontok.C@mm (FRISK), Win32:Rontokbr-B (ALWIL), I-Worm/VB.FY (Grisoft), Win32.Brontok.C@MM (SOFTWIN), Worm.Brontok.E (ClamAV), Win32/Brontok.F (Eset)

This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file written in Visual Basic. The size of the infected file can vary significantly. The functionality described below is characteristic of the most common variants of this worm.

Infected messages

Attachment name (chosen from the list below):

• ccapps.exe
• jangan dibuka.exe
• kangen.exe
• my heart.exe
• myheart.exe
• syslove.exe
• untukmu.exe
• winword.exe

The W32.Sasser.B.Worm attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011, and spreads by scanning randomly-chosen IP addresses for vulnerable systems. The worm allows for the remote execution of code on the infected machine and permits for a remote party to completely control the infected machine. This worm is currently listed as a HIGH RISK due to its current rate of spread.

Customers are urged to ensure that their Anti-virus is up-to-date with the most current virus definitions. Customers should also go to Microsoft's Windows Update and ensure that all critical patches for their systems have been installed. Customer's using firewall software or hardware should block the following ports: TCP 445, 5554, 9996.

W32.Beagle.U@mm is a variant of W32.Beagle.T@mm. The worm sends itself as an e-mail with a blank subject and body and a randomly named attachment. It also opens a backdoor on TCP port 4751.The attachment name is a random string of letters with an .exe extension.

The worm starts the mshearts application on the system when active.

W32.Netsky.P@mm (also known as W32.Netsky.Q@mm) is a mass-mailing worm that uses its own SMTP engine to send itself to the e-mail addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders.

The e-mail has the following characteristics:

From:

Subject: The subject line is one of the following:

• Re: Encrypted Mail
• Re: Extended Mail
• Re: Status
• Re: Notify
• Re: SMTP Server
• Re: Mail Server
• Re: Delivery Server
• Re: Bad Request
• Re: Failure
• Re: Thank you for delivery
• Re: Test
• Re: Administration
• Re: Message Error
• Re: Error
• Re: Extended Mail System
• Re: Secure SMTP Message
• Re: Protected Mail Request
• Re: Protected Mail System
• Re: Protected Mail Delivery
• Re: Secure delivery
• Re: Delivery Protection
• Re: Mail Authentification
• Mail Delivery (failure )

Message: The message is one of the following: Body: (Some possible message bodies are listed below)

• Please see the attached file for details
• Please read the attached file!
• Your document is attached.
• Please read the document.
• Your file is attached.
• Your document is attached.
• Please confirm the document.
• Please read the important document.
• See the file.
• Requested file.
• Authentication required.
• Your document is attached to this mail.
• I have attached your document.
• I have received your document. The corrected document is attached.
• Your document.
• Your details.

The worm may also append the following to the message body:

• +++ Attachment: No Virus found
  +++ MessageLabs AntiVirus - www.messagelabs.com
• +++ Attachment: No Virus found
  +++ Bitdefender AntiVirus - www.bitdefender.com
• +++ Attachment: No Virus found
  +++ MC-Afee AntiVirus - www.mcafee.com
• +++ Attachment: No Virus found
  +++ Kaspersky AntiVirus - www.kaspersky.com
• +++ Attachment: No Virus found
  +++ Panda AntiVirus - www.pandasoftware.com
• ++++ Attachment: No Virus found
  ++++ Norman AntiVirus - www.norman.com
• ++++ Attachment: No Virus found
  ++++ F-Secure AntiVirus - www.f-secure.com
• ++++ Attachment: No Virus found
  ++++ Norton AntiVirus - www.symantec.de

W32.Netsky.K@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the e-mail addresses it finds when scanning hard drives and mapped drives.

The "sender" of the e-mail is spoofed, and its subject, message body, and attachment vary. The attachment has .pif as extension.

1. The e-mail has the following characteristics:

From: Spoofed

Subject: The subject line is one of the following:

• Re: Your website
• Re: Your product
• Re: Your letter
• Re: Your archive
• Re: Your text
• Re: Your bill
• Re: Your details
• Re: My details
• Re: Word file
• Re: Excel file
• Re: Details
• Re: Approved
• Re: Your software
• Re: Your music
• Re: Here
• Re: Re: Re: Your document
• Re: Hello
• Re: Hi
• Re: Re: Message
• Re: Your picture
• Re: Here is the document
• Re: Your document
• Re: Thanks!
• Re: Re: Thanks!
• Re: Re: Document
• Re: Document

Message: The message is one of the following:

• Your file is attached.
• Please read the attached file.
• Please have a look at the attached file.
• See the attached file for details.
• Here is the file.
• Your document is attached.

W32.Sober.D@mm is a variant of W32.Sober.C@mm that spreads by sending itself as an e-mail attachment using its own SMTP engine.

The Subject: and Body: of the e-mail vary and is written in either English or German.

1. The e-mail message has the following characteristics:

From: @microsoft

The in the spoofed sender's e-mail address is randomly picked up from the following list:

• Info
• Center
• UpDate
• News
• Help
• Studio
• Alert
• Patch
• Security

The string is selected from the following list:

• .de
• .at
• .com

Subject: (One of the following )

• Microsoft Alert: Please Read! Message-ID: <[random characters].qmail@microsoft.com>
• Microsoft Alarm: Bitte Lesen! Message-ID: <[random characters].qmail@microsoft.com>

On March 3, 2004 Symantec upgraded the severity level of the w32.Beagle.J@mm virus to a level 3 based upon reports received by them. W32.Beagle.J@mm is a mass-mailing worm that opens a backdoor on TCP port 2745 and uses its own SMTP engine to spread through e-mail. It also sends the attacker the port on which the backdoor listens, as well as the IP address. W32.Beagle.J@mm also attempts to spread through file-sharing networks, such as Kazaa and iMesh, by dropping itself into the folders that contain "shar" in their names. The e-mail has the following characteristics:

From: (May be one of the following)

• management@
• administration@
• staff@
• noreply@
• support@

Subject: (One of the following)

• E-mail account disabling warning.
• E-mail account security warning.
• E-mail account utilization warning.
• Important notify about your e-mail account.
• Notify about using the e-mail account.
• Notify about your e-mail account utilization.
• Warning about your e-mail account.

Message: (One of the following lines)

• Dear user of ,
• Dear user of gateway e-mail server,
• Dear user of e-mail server "",
• Hello user of e-mail server,
• Dear user of "" mailing system,
• Dear user, the management of mailing system wants to let you know that,

W32.Netsky.D: W32.Netsky.D@mm is a mass-mailing worm that is a variant of W32.Netsky.C@mm. The worm scans drives C through Z for e-mail addresses and sends itself to those that are found. The Subject, Body, and Attachment names vary. The attachment will have a .pif file extension.

W32.Beagle.H@mm is a mass-mailing worm that opens a backdoor on TCP port 2745 and uses its own SMTP engine to spread through e-mail. It also sends the attacker the port on which the backdoor listens, as well as the IP address. The e-mail attachment is a randomly named .exe file inside a .zip file. The embedded .exe file is password-protected with a random password.

W32.Netsky.B is a mass-mailing worm that uses its own SMTP engine to send itself to the e-mail addresses it finds when scanning the hard drives and mapped drives. This worm also searches drives C through Z for folder names containing "Share" or "Sharing," and then copies itself to those folders. The virus also attempts to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses.

The Subject, Body, and e-mail attachment vary.

All of the major anti-virus vendors currently have this listed as a medium risk.

Insight's Internet Policy Enforcement Team has received numerous reports pertaining to the W32.Alua@mm/ W32/Tanx-A/ WORM_BAGLE.B Virus virus.

This is a mass-mailing worm that opens a backdoor allowing remote access to the infected machine. The worm/virus arrives as an e-mail with the following characteristics:

Subject line: ID ... thanks
Message text: Yours ID

Thank
Attached file: .exe

Anti-virus vendors are currently researching this worm in order to identify the full impact that it may have. Symantec currently has this listed as a Level 3 threat. All customers are encouraged to ensure that their anti-virus definitions are kept up-to-date. Customers may wish to check for virus definition updates periodically throughout the next 24hrs to ensure that your system is protected from the spread of this worm.

Insight's Internet Policy Enforcement Team has received numerous reports pertaining to the W32/Mydoom@MM virus. W32/Mydoom@MM is a re-mailer type of virus/worm that is a mass-mailing worm that arrives as an attachment. When a computer is infected, the worm will set up a backdoor into the affected system. This can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources. In addition, the backdoor has the ability to download and execute arbitrary files.

Insight's Internet Policy Enforcement Team has received numerous reports of customers who have gotten e-mails similar to those listed below. These e-mails attempt to lure individuals to open an attachment or go to a web site that installs Trojan software to the target machine. This Trojan software can then be used to permit remote access to the infected machine.

To:naylor

From: Insight's Internet Virus Department

We have detected a possible computer virus on your computer, You must open the details of the report within 24 hours our we will be forced to shut down your internet service.

Please Click Below Then Press "open" To View The Report If you do not open this report in 24 hours we will suspend your internet service If nothing apears on your virus report please dis-regard this message

Click Here Now

OR

*** Insight's Billing dpt notice ***

Internet Billing Notice

Please press "open" and read the attached Billing Notice.

Note if you do not read this within 24 hours we at Insight.net regret to inform you we will have to suspend internet service.

A new e-mail worm has started to spread quickly. W32.Beagle.A@mm is a mass-mailing worm that accesses remote Web sites and sends e-mail to any addresses it finds. This worm may also allow a remote individual to execute commands on your machine as if they were the current user.

The worm arrives as an e-mail attachment. The e-mail will arrive with these characteristics and a randomly named file attachment:

Subject: Hi

Message:

Test =)

[Random characters]

Test, yep.

A new e-mail worm has started to spread quickly, taking advantage of an Internet Explorer vulnerability. The bug has been alternately dubbed Swen and Gibe.F.

W32.Swen.A@mm is a mass-mailing worm that uses its own SMTP engine to spread itself. It attempts to spread through file-sharing networks, such as KaZaA and IRC, and attempts to kill antivirus and personal firewall programs running on a computer.

The worm can arrive as an e-mail attachment. The subject, body, and From: address of the e-mail may vary. Some examples claim to be patches for Microsoft Internet Explorer, or delivery failure notices from qmail.