Debunking email hoaxes and exposing Internet scams since 2003!


Customer Support Center Robot Worm Email

Summary:
Email, which masquerades as an automated ISP message, claims the recipient must install an attached security patch to stop a worm from spreading (Full commentary below).



Status:
False - The attachment contains a worm.

Update:
A new malware attack that uses a very similar message to the one shown below began hitting inboxes in July, 2007. Go to the write-up about this new version

Example: (Submitted, April 2007)
Dear Customer,

Our robot has detected an abnormal activity from your IP address on sending e-mails. Probably it is connected with the last epidemic of a Worm which does not have patches at the moment. We recommend you to install this patch to remove worm files and stop email sending, otherwise your account will be blocked. We had archived the patch becouse the worm can modify unpacked exe files. You should open the archive file, enter the password and run the patch immediately.

Customer support center robot.




Commentary:
Yet another email-based malware attack is currently hitting inboxes. The emails masquerade as automated service messages from the recipient's Internet Service Provider (ISP). The messages claim that abnormal activity related to an email worm epidemic has been detected and instruct the recipient to install a patch to deal with the problem.

The bogus patch is included in a password-protected zip archive attached to the email. The message also provides the password required to access the archive. The "password protection" ruse is apparently designed to make the claims in the message seem more legitimate.
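A defender-side triage check for the delivery method described above, as an added example that is not part of the original write-up: it flags messages that carry an encrypted ZIP attachment while the body mentions a password. The regular expression, extension list, file names and sample message are assumptions constructed for illustration.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

PASSWORD_HINT = re.compile(r"\bpass(?:word|code|phrase)\b", re.I)  # assumed wording
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")  # assumed list

def encrypted_members(blob):
    """Return names of encrypted entries in a ZIP blob ([] if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            # Bit 0 of the general-purpose flags marks an encrypted entry.
            return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]
    except zipfile.BadZipFile:
        return []

def triage(raw):
    """List encrypted-ZIP attachments and whether the body hands out a password."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    findings = []
    for part in msg.iter_attachments():
        names = encrypted_members(part.get_payload(decode=True) or b"")
        if names:
            findings.append({
                "attachment": part.get_filename(),
                "encrypted_members": names,
                "password_in_body": bool(PASSWORD_HINT.search(text)),
                "executable_inside": any(n.lower().endswith(EXECUTABLE_EXT) for n in names),
            })
    return findings

def build_sample():
    """Constructed sample: harmless ZIP whose entry is only *flagged* as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("patch-58214.exe", b"constructed placeholder, not a real binary")
    data = bytearray(buf.getvalue())
    data[6] |= 1                              # flag bit in the local file header
    data[data.rfind(b"PK\x01\x02") + 8] |= 1  # flag bit in the central directory
    msg = EmailMessage()
    msg["Subject"] = "Customer support notice (constructed)"
    msg.set_content("You should open the archive file, enter the password and run the patch immediately.")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip", filename="patch.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

Standard ZIP encryption leaves entry names readable without the password, so a mail filter can still see that the archive holds an executable even though it cannot scan the contents.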

When the user opens the attachment, a rootkit is installed and the malware attempts to connect to a peer-to-peer network. Once connected, it can upload sensitive information from the compromised computer and download other malware components. It will also search for email addresses on the infected machine and send copies of itself to addresses that it finds.

The malware attempts to protect itself by interfering with the normal functioning of anti-virus scanners.

The infected machine ultimately becomes a zombie computer connected to a botnet that can be used to send spam and spread other malware.

The worm is very similar in intent to the Iran Missile Attack worm, which has also been spreading via email.

Malware distributors have often used the "security patch" ruse to try to trick unwary recipients into installing their malicious software. Software companies or ISPs are extremely unlikely to distribute security patches via unsolicited email. Security updates should only be installed via the software vendor's official update facilities. Users should always be very cautious about opening email attachments, including those that claim to be security updates. Users should also ensure that they have up-to-date anti-virus software installed and use an Internet firewall.

References:
Worm spreads in the guise of a Security Update
Malware outbreak 'largest in almost a year'
Iran Missile Strike Worm Emails
Fake Microsoft Security Patch Emails

Last updated: 14th April 2007
First published: 14th April 2007

Write-up by Brett M. Christensen