** Warning - WorldPay email with zip attached **

hey all,

We (at work) seem to have been hit with a virus/key logger today.

We received loads of emails (details below) from loads of different addresses.

Code:
Subject: WorldPay CARD transaction Confirmation

Thank you!

Your transaction has been processed by WorldPay, on behalf of Amazon Inc.
The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Amazon Inc has received your order,
and will inform you about delivery.
Sincerely,
Amazon Team

This confirmation only indicates that your transaction has been processed successfully. 
It does not indicate that your order has been accepted. 
It is the responsibility of Amazon Inc to confirm that your order has been accepted, and to deliver any goods or services you have ordered.

When the zip file is run it seems to install a key logger that is trying to gain access to a Russian server on 91.2?1.108.

Symantec corp 10.2 doesn't pick it up with latest def, endpoint will show an alert when the email comes in but can't clear the key logger itself.

A bit of research shows that it installs a rootkit which hides all the files it installs.

We have in total about 10 machines infected and we're struggling to remove.

Thought I'd give a 'heads up' in case anyone else sees this mail come round.

btw, if anyone can help with the removal, I'd be very grateful!!!

:)
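A gateway-side check for the lure described above, added here as an example and not taken from the thread or from any product named in it: it parses a constructed copy of the message, opens the zip attachment in memory and flags any member that is an executable, either by extension or by its MZ header. The email text, the attachment and all names are constructed for the example.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Attachment member extensions a mail gateway should treat as executable.
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

def suspicious_zip_members(zip_bytes):
    """Names of zip members that are executables, by extension or by 'MZ' header."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                magic = member.read(2)  # PE/DOS files start with 'MZ'
            # The header check catches a renamed .exe that a name check misses.
            if info.filename.lower().endswith(EXEC_EXTENSIONS) or magic == b"MZ":
                found.append(info.filename)
    return found

def scan_message(raw_bytes):
    """Scan one raw RFC 822 message; return the reasons to quarantine it."""
    reasons = []
    for part in email.message_from_bytes(raw_bytes).walk():
        filename = part.get_filename()
        if not filename or not filename.lower().endswith(".zip"):
            continue
        try:
            execs = suspicious_zip_members(part.get_payload(decode=True) or b"")
        except zipfile.BadZipFile:
            reasons.append(f"{filename}: corrupt or non-zip attachment")
            continue
        reasons.extend(f"{filename}: executable member {m}" for m in execs)
    return reasons

def build_sample_message():
    """Constructed lure modelled on the thread's email: a zip holding a PE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed payload: only the two-byte DOS header, not a real program.
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 64)
    msg = EmailMessage()
    msg["Subject"] = "WorldPay CARD transaction Confirmation"
    msg.set_content("Your transaction has been processed by WorldPay.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

Running `scan_message(build_sample_message())` on the constructed lure returns one quarantine reason naming the executable inside the zip; a message without a zip attachment returns an empty list.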
 
Apparently it's spyware..

The malware is known as Trojan-Spy:W32/Zbot.OSK (F-Secure), Trojan-Spy.Win32.Zbot.sot (Kaspersky), PWS:Win32/Zbot.M (Microsoft) or Mal/EncPk-HZ (Sophos).

get a spyware scanner such as spybot installed
 
Have you not got a mail server with anti-malware (virus, spam, etc) blocker on it?

Might be a small company and so doesn't need one, in which case I apologise in advance.
 
Have you not got a mail server with anti-malware (virus, spam, etc) blocker on it?

Might be a small company and so doesn't need one, in which case I apologise in advance.


This is the problem.

We do have a mail server sat in our DMZ with a spam/anti-malware blocker on it.

Yet it still got through!
 
Not sure. I'm not privy to that sort of information as it's all held and managed by our other site (head office).

I'm just the network admin. :(
 
So how did it manage to install anything? Surely restricted users will be denied perms to install software?

You would have thought so, but it happened.

Anyways, I managed to get rid. I found a cool app called GMER which will show files hidden by an installed rootkit.

Managed to remove the files and directory, booted the machine up, watched the firewall to see what it was trying to access on the net and job's a good'un.

Yeah baby!! :D
 
Symantec corp 10.2 doesn't pick it up with latest def...

Why does this not surprise me?
Can't honestly believe that any large company/corporation would ever invest in that bucket of tripe.

Tell them to get NOD32 or Trend Micro OfficeScan (what my work uses.. multi billion £ company and so far we've not had any problems with anything such as this.)

Also try uploading the virus to VirusTotal; something will pick up on a keylogger out of the list of scanners, and you should be able to get a codename for the virus and hopefully google it to find someone who has had the same/similar problem.

In the end 50% of security flaws lie in the user(s) not being careful.
 