Date: Fri, 6 Aug 2004 13:29:35 -0400 (EDT)
From: BCPL.NET SysAdmin
To: BCPL.NET News
Subject: BCPL.NET NEWS: SANS "OUCH" Report For 08/02/04

-----------------------------
SANS OUCH REPORT FOR 08/02/04
-----------------------------

It has been a long time since my last BCPL.NET News message describing the latest virus, worm or other security risk. There have been so many new ones in recent months, I just haven't been able to keep up with them.

The SANS Institute (www.sans.org) has initiated a new feature in one of its security alert e-newsletters that may help fill the void. Called the "OUCH Report", it is meant for redistribution by system administrators to non-technical customers and staff.

The first issue of OUCH is below. I hope you find it informative.

-----

OUCH: The Report On Identity Theft and Attacks On Computer Users
August 2, 2004

Every day, thousands of people are fooled by emails from criminals trying to steal their identities or infect and take over their computers. This update is our attempt to help you avoid being one of the victims.

CONTENTS
--------

I. Emails from people trying to infect your system and steal your friends' email addresses for spam.
I.1. Pictures of Osama Bin Laden hanging or Arnold Schwarzenegger's suicide note.
I.2. Email from your system administrator or other familiar sender that says your email could not be delivered, or some similar statement.
I.3. Email with subject "Against!" or "Revenge".
I.4. Email with subject Re_ and body with animals or foto or other subjects.

II. Emails from people trying to steal your identity (and your money).
II.1. Update Your Billing Information (from eBay).
II.2. Your account at eBay has been suspended.
II.3. Your account at Wells Fargo has been suspended.
II.4. Notification of US Bank Internet Banking.
II.5. Attn: Citibank Update.
II.6. Confirm AOL Billing Info.

III. Emails from people trying to fool you into hurting yourself or your friends and coworkers.
III.1. Subject: "jdbg" Virus: how to detect and remove.

DETAILS
-------

I. Emails from people trying to infect your system and steal your friends' email addresses for spam

I.1. Pictures of Osama Bin Laden hanging or Arnold Schwarzenegger's suicide note

Name: Hackarmy
The bait: An email or news article claiming to offer you copies of pictures of Osama Bin Laden being hanged. A second form comes claiming to have a suicide note from Arnold Schwarzenegger.
How it infects your system: You click on a link that downloads a zip file. You execute the file thinking you will see the pictures.
What it does to you: Gives attackers remote control of your computer so they can use it in attacks on other people, or harvest email names for spam.
Where to find detailed information: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hacarmy.d.html

I.2. Email from your system administrator or other familiar sender that says your email could not be delivered, or some similar statement

Name: Mydoom-O
The bait: An email from your mail or system administrator or other familiar sender with any one of the following subjects: (1) say helo to my litl friend, (2) click me baby, (3) one more time, (4) hello, (5) error, (6) status, (7) test, (8) report, delivery failed, (9) Message could not be delivered, (10) Mail System Error - Returned Mail, (11) Delivery reports about your e-mail, (12) Returned mail: see transcript for details, (13) Returned mail: Data format error. Each has an attachment.
How it infects your system: You download and open the attachment.
What it does to you: Steals all email addresses from your PC to be sold to spammers. Spreads to other PCs from your PC. Also uses your system to send requests to search engines like Google to look for more email addresses.
Where to find more detailed information: http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.m@mm.html

I.3. Email with subject "Against!" or "Revenge"

Name: Atak-C
The bait: An email that arrives with the subject "Attack!" or "Revenge" and a zipped attachment.
How it infects your system: You download and open the attachment.
What it does to you: Steals all email addresses from your PC to be sold to spammers.
Where to find more detailed information: http://www.sophos.com/virusinfo/analyses/w32atakc.html

I.4. Email with subject Re_ and body with animals or photo or other subjects

Name: Beagle (a.k.a. Bagle)
The bait: An email that arrives with subject Re_ and with an attachment.
How it infects your system: You download and open the attachment.
What it does to you: Disables antivirus and other important software, mass mails itself to others, steals email addresses from throughout your files, gives the attacker remote control of your computer to use to attack other systems.
Where to find more detailed information: http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39641

II. Emails from people trying to steal your identity (and your money)

II.1. Update Your Billing Information (from eBay)

The bait: An email coming from eBay saying the company has "detected a slight error in your billing information" and saying that you must fix it within 48 hours to continue to buy or sell on eBay.
What it tries to make you do: Click on a link and tell them your eBay and PayPal username and password, and your credit/debit card information.
Where you can see how it actually appears: http://www.antiphishing.org/phishing_archive/07-27-04%20Ebay%20(Update%20Your%20Billing%20Informations).html

II.2. Your account at eBay has been suspended

The bait: An email coming from eBay saying your account has been suspended and "We had to block your eBay account".
What it tries to make you do: Click on a link and tell them your eBay and PayPal username and password, and your credit/debit card information.
Where you can see how it actually appears: http://www.antiphishing.org/phishing_archive/07-26-04_Ebay_(your_account_at_ebay_has_been_suspended).html

II.3. Your account at Wells Fargo has been suspended

The bait: An email coming from eBay saying your account has been suspended and "Your account has been compromised by outside parties."
What it tries to make you do: Click on a link and tell them your username, password, and credit card information.
Where you can see how it actually appears: http://www.antiphishing.org/phishing_archive/06-29-04_Wells_Fargo_(Your_account_at_Wells_Fargo_has_been_suspended).html

II.4. Notification of US Bank Internet Banking

The bait: An email coming from US Bank saying "as a preventive measure, we have temporarily limited access to some features".
What it tries to make you do: Click on a link and tell them your username, password, credit card data or debit card data.
Where you can see how it actually appears: http://www.antiphishing.org/phishing_archive/07-23-04_US_Bank_(Notification_of_US_Bank_Internet_Banking).html

II.5. Attn: Citibank Update

The bait: A "Click here" link in an email that seems to come from Citibank.
What it tries to make you do: Click on a link and tell them personal information and credit card or debit card data.
Where you can see how it actually appears:
http://www.fraudwatchinternational.com/fraud_alerts/040721_1046_citibank.htm
http://www.antiphishing.org/phishing_archive/07-21-04_Citibank_(Attn_Citibank_Update).html

II.6. Confirm AOL Billing Info

The bait: An email coming from AOL saying your billing information is out of date and asking you to "spend several minutes and update your billing records".
What it tries to make you do: Click on a link and tell them personal information and credit card or debit card data.
Where you can see how it actually appears: http://www.antiphishing.org/phishing_archive/07-20-04_AOL_(Confirm_AOL_billing_info).html

III. Emails from people trying to fool you into hurting yourself or your friends and coworkers

III.1. Subject: "jdbg" Virus: how to detect and remove.

Name: jdbg Virus Hoax
The bait: An email telling you about a virus and how to remove it. Example: "Subject: "jdbg" Virus: how to detect and remove." May also talk about finding a teddy bear on the machine, because the file's icon is a bear.
What it is trying to make you do: Remove a file that is not harmful and is a normal part of Windows.
Where to find more information: http://www.symantec.com/avcenter/venc/data/jdbgmgr.exe.file.hoax.html

==end==

--
BCPL.NET INTERNET SERVICES
320 York Road
Towson, MD 21204-5179 U.S.A.
Web Site: http://www.bcpl.net
Who To Contact For What: http://www.bcpl.net/contacts/
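The lures in sections I.2 to I.4 share one trait: a listed subject line arriving with an attachment. The following is an added example of a simple gateway-side check built on that trait; it is not part of the SANS bulletin or BCPL.NET's mail setup. The subject lists come from the text above, while the blocked-extension list and the sample messages are constructed assumptions.

```python
# Added example (not from the SANS bulletin): flag mail matching the section I
# lures, which all pair a listed subject line with an attachment.
import email
from email import policy
from email.message import EmailMessage

# Mydoom-O subject lines quoted in I.2, normalized to lower case.
MYDOOM_SUBJECTS = {
    "say helo to my litl friend", "click me baby", "one more time", "hello",
    "error", "status", "test", "report", "delivery failed",
    "message could not be delivered", "mail system error - returned mail",
    "delivery reports about your e-mail",
    "returned mail: see transcript for details",
    "returned mail: data format error",
}
# Subjects of the zipped-attachment lures in I.3 (Atak-C); I.4 (Beagle) is
# matched separately on the "Re_" prefix.
ZIP_LURE_SUBJECTS = {"attack!", "against!", "revenge"}
# Assumed list of attachment types worth blocking; not from the bulletin.
RISKY_EXT = (".zip", ".exe", ".scr", ".pif")


def classify(raw: str) -> str:
    """Return 'mydoom-lure', 'zip-lure' or 'ok' for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    if not names:
        return "ok"  # every lure in section I carries an attachment
    if subject in MYDOOM_SUBJECTS:
        return "mydoom-lure"
    risky = any(n.lower().endswith(RISKY_EXT) for n in names)
    if risky and (subject in ZIP_LURE_SUBJECTS or subject.startswith("re_")):
        return "zip-lure"
    return "ok"


def build_sample(subject: str, attach_name=None) -> str:
    """Construct a sample message for testing (constructed, not a real capture)."""
    m = EmailMessage()
    m["From"] = "postmaster@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("See attached.")
    if attach_name:
        m.add_attachment(b"PK\x03\x04", maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_string()
```

A real deployment would quarantine rather than reject, since the Mydoom-O subjects ("hello", "test", "report") also appear in ordinary mail.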