CudaMail Solutions

Friday, August 08, 2008 9:02:11 AM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | Spam | US-CERT )
US-CERT is aware of public reports of malware spreading via spam. It has been reported that malware is spreading in spam messages related to the upcoming Olympics and to fake CNN news reports. If a user clicks the link to one of these fake news reports they are prompted to install a Flash Player update. If users attempt to install the update, malware may be downloaded and installed onto their system.

US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:
  • Install anti-virus software, and keep its virus signature files up-to-date.
  • Do not follow unsolicited web links received in email messages.
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
  • Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.
Thursday, July 31, 2008 10:46:40 AM (Mountain Daylight Time, UTC-06:00) ( CudaMail | Phishing Scams | Sophos | Spam | Spam Filtering Service | Threats | US-CERT | Airline e-Ticket Scam )

With so many people cutting back on travel because of high fuel prices, the chance of getting a 'free' airline ticket anywhere will surely entice some percentage of people to open this attachment and get infected. If it sounds too good to be true... you know the saying.

CudaMail is currently blocking these as a Trojan.Zbot variant.

- Shaun

US-CERT Current Activity

Airline E-ticket Email Attack

Original release date: July 31, 2008 at 9:15 am Last revised: July 31, 2008 at 9:15 am

US-CERT is aware of public reports indicating that a new email attack is circulating. This attack uses email messages that appear to be from legitimate airlines and contain information about a bogus e-ticket.
These email messages instruct the user to open the attachment to obtain the e-ticket. If a user opens this attachment, a file may be executed to infect the user's system with malicious code.

Reports, including a posting by Sophos, indicate that these messages have the following characteristics. Please note that these attributes may change at any time.

  • The subject line "E-Ticket#XXXXXXXXXX"
  • An attachment named "eTicket#XXXX.zip"

US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:

  • Install anti-virus software, and keep its virus signature file up to date.
  • Do not open attachments in unsolicited email messages.
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
  • Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Tuesday, July 29, 2008 10:13:46 AM (Mountain Daylight Time, UTC-06:00) ( Robert Soloway | Spam | Storm Worm | Threats | US-CERT )
With the 4-year prison term for Robert Soloway and the murder-suicide of Eddie Davidson still fresh in our minds comes the following alert from US-CERT, warning us that the subject of the FBI looking at Facebook is being used to spread a new variation of the Storm Worm. I guess the above two penalties don't faze the authors of the Storm Worm.

Eddie Davidson fugitive Spammer in Murder-Suicide.
Soloway given 47 month prison term.

- Shaun



US-CERT Current Activity

New Storm Worm Activity Spreading

Original release date: July 29, 2008 at 9:41 am Last revised: July 29, 2008 at 9:41 am

US-CERT is aware of public reports of a new Storm Worm Campaign. The latest campaign is centered around messages related to the Federal Bureau of Investigation and Facebook. This Trojan horse virus is spread via an unsolicited email message that contains a link to a malicious website. This website contains a link, that when clicked, may run the executable file "fbi_facebook.exe" to infect the user's system with malicious code.

Reports, including a posting by Sophos, indicate the following email subject lines are being used. Please note that subject lines can change at any time.
  • F.B.I. may strike Facebook
  • F.B.I. watching us
  • The FBI's plan to "profile" Facebook
  • The FBI has a new way of tracking Facebook
  • F.B.I. are spying on your Facebook profiles
  • F.B.I. busts alleged Facebook
  • Get Facebook's F.B.I. Files
  • Facebook's F.B.I. ties
  • F.B.I. watching you
US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:
  • Install anti-virus software, and keep its virus signature files up-to-date.
  • Do not follow unsolicited web links received in email messages.
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
  • Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.
Friday, July 25, 2008 2:52:08 PM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | Spam | Threats | US-CERT )
Here's the latest email spam campaign that you should know about ...



US-CERT Current Activity - U.S. Customs and Border Protection Email Attack

Original release date: July 25, 2008 at 3:09 pm Last revised: July 25, 2008 at 3:09 pm

US-CERT is aware of public reports of an attack circulating via bogus email messages that claim to be from "US Customs Service." The messages may contain the subject line "Parcel requires declaration"
and indicate that a parcel has been received addressed to the recipient of the email. These messages may also encourage users to open an attachment to the message that may contain malicious code.

US-CERT encourages users to do the following to help mitigate the risks:
  • Review the alert posted by the U.S. Customs and Border Protection regarding this issue.

  • Do not open attachments contained in unsolicited email messages.

  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.

  • Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

  • Install anti-virus software and keep virus signature files up to date.

US-CERT will provide additional information as it becomes available.

Relevant Url(s):
http://www.us-cert.gov/cas/tips/ST04-014.html
http://www.us-cert.gov/reading_room/emailscams_0905.pdf
http://www.customs.gov/xp/cgov/newsroom/alerts/email_virus.xml

This entry is available at: http://www.us-cert.gov/current/index.html#u_s_customs_and_border

Monday, July 21, 2008 12:43:55 PM (Mountain Daylight Time, UTC-06:00) ( Barracuda Networks | Barracuda Web Filter | HydraFlux | Fast Flux )
Over at the Internet Storm Center they have a lengthy and detailed write-up on the next stage in the evolution of the network of computers that makes up the distribution channel for malware: the malware that ends up infecting our computers and making them pawns for the bot herders. In contrast to how you and I would set up a website on a dedicated web server at a colocation server farm, the writers of this particular malware are using your computers both to host the malware content and to direct the infection of other computers. What can we do to stop the malware writers? Is there any hope of taking back the streets of the Internet and making them safe for you and me?

First a brief history

When malware writers started using the Internet eons (about 10 human years) ago to spread the programs they wrote to infect computers, they distributed them by getting accounts at 'free' web hosting sites or uploading the malware as shareware, freeware or even demoware to great sites like TUCOWS (http://www.tucows.com/) with a glowing write-up, and let people download and infect themselves. This made it pretty easy to figure out where the infection was coming from and, by working with the ISP or webmaster, get the malware removed from the site. TUCOWS and other download sites also implemented a regular anti-virus scan of all uploaded files so that any malware would be stopped or found before it had a chance to be downloaded by some unsuspecting person and unleash its payload of destruction. You can see why the malware writers have moved on to a different distribution channel, as it is easy to chop the head off this kind of infection and stop it in its tracks.

The popular technique for the last while is 'Fast Flux', where a group of infected PCs acts as a proxy layer between the web server hosting the malware and the PCs that are going to be infected. This proxy layer is called the 'Fluxnodes'. You will have seen this in the recent 'Storm Worm' spam runs, where the e-mail to you consists of a brief subject line and a link to an IP address. When you click on the link in the e-mail, your computer connects to the proxy software running on an already infected PC, which then goes out and gets the content, including the malware that will end up infecting your PC, from the real source. This makes it harder to track down the real source of the infection, as you now have to contact the IT people responsible for the computer in the middle (the proxy) and get them to check their log files to find out where the malware content is really coming from. They may be too busy to respond, or they may not even have the logs required to track the source down, and meanwhile the 'Storm Worm' or some variation continues to send out millions of e-mail messages, getting more PCs infected and adding more pawns to the proxy layer that insulates the bot herder from the security professionals trying to stop the infection. As hard as it is to coordinate with the IT departments of the infected proxy layer, it does happen often enough that the real source of the malware files is found and shut down. This does not make the bot herders happy, as they now have to start building up their botnets all over again or redirect their proxy pawns to a second source of infected files. This takes time, and while the transition is going on the bot network is down and not doing the bidding of the herder; hence the evolution of 'Fast Flux' into 'Hydra Flux'.

Hydra Flux is the same basic idea as Fast Flux but with the addition of many heads, like the Lernaean Hydra, the many-headed serpent of Greek mythology, and just like the ancient snake you can cut off one of the heads of the modern 'Hydra Flux' without killing the beast. The proxy layer talks to many sources of infection (the 'mother ships' of the Internet Storm Center article), so that if one gets found out and stopped the proxy layer has a backup. This is a very resilient hosting structure and could be called a great example of 'cloud computing'.

So what can we do to stop the infections and take back the Internet streets for us 'honest folk'? The first thing we need to do is make sure we don't settle for setting up our corporate firewalls so that they work for both us and the malware writers. Too many firewalls are set up to stop traffic coming from the Internet to the LAN but allow anything and everything from the LAN to flow out to the Internet. If you have a corporate mail server, then the mail server should be the only system that has SMTP access to the Internet, and you can block all other connections from the LAN to any Internet host on port 25. If the firewall has Universal Plug and Play (UPnP), disable it if at all possible because of the security holes it introduces into your network. Enable the intrusion detection feature of your firewall if it has that capability, and use it on the inside of your network.

If you don't have a firewall that can do IDS, get one that can, or add a transparent gateway device like the Barracuda Web Filter that looks for infected traffic originating on the inside of your network and can both block it and report to you that you have an infection problem so you can take care of it. The Barracuda Web Filter also has the log files that would allow you to track down the real source of the malware, helping cut off one of the many heads of the Hydra Flux botnet. For those of us IT professionals who are called on by family and friends to fix their home computer problems: don't allow them to connect to the Internet without a hardware firewall, or let their anti-virus protection run out. Teach them how to both do and test a reliable backup, and then get them to do monthly patches and software updates, or do it for them, though I believe it is better to educate them to do it, explain why it is important, and check with them on a regular basis to see that they are doing the right thing, than to get them used to you 'just taking care of things' for them. OK, you can just take care of Grandma's PC, but still tell her that it is important to play safe on the Internet.

With the evolution of Fast Flux into the Hydra Flux botnet you can expect the onslaught of spam to continue, but with these simple techniques we can make it harder for the bot herders to take over our PCs, and avoid contributing to the problem.

- Shaun



More Info:

Hydra Flux

Fast Flux

UPnP

Wednesday, July 09, 2008 4:43:08 PM (Mountain Daylight Time, UTC-06:00) ( Storm Worm | US-CERT )
Just a heads-up that the Storm Worm is up to the same tricks again, with a war theme this time.
As always watch out for these kinds of tactics.

- Shaun



US-CERT Current Activity: New Storm Worm Variant Spreading

Original release date: July 9, 2008 at 8:48 am Last revised: July 9, 2008 at 8:48 am

US-CERT has received reports of new Storm Worm activity. The latest activity uses messages that refer to the conflict in the Middle East.

This Trojan is spread via unsolicited email messages that contain a link to a malicious website. The website is noted as having the following malicious characteristics which may be used to infect the user's system with malicious code.
  • A video that, when opened, may run the executable file "iran_occupation.exe."
  • A banner ad that, when clicked, may run the executable file "form.exe."
  • A hidden iframe linked to "ind.php."
Reports, including a posting by Sophos, indicate that the following subject lines are being used. Please note that subject lines can change at any time.
  • 20000 US soldiers in Iran
  • Iran USA conflict developed into war
  • More than 10000 Iranians were murdered
  • Negotiations between USA and Iran ended in War
  • Occupation of Iran
  • Plans for Iran attack began
  • The Iran's Leader Mahmoud Ahmadinejad declared Jihad to USA
  • The World War III has already begun
  • The begining of The World War III
  • The military operation in Iran has begun
  • The secret war against Iran
  • Third War in Iran
  • Third World War has begun
  • US Army crossed Iran's borders
  • US Army invaded Iran
  • US army is about 20 kilometers from Tegeran
  • US soldiers occupied Iran
  • USA attacked Iran
  • USA declares war on Iran
  • USA occupeid Iran
  • USA unleashed war on Iran
  • War between USA&Iran
  • War with Iran is the reality now
  • Washington prefers to shoot first
US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:
  • Install anti-virus software, and keep its virus signature files up-to-date.
  • Do not follow unsolicited web links received in email messages.
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
  • Refer to Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.


Relevant Url(s):
http://www.us-cert.gov/cas/tips/ST04-014.html
http://www.sophos.com/security/blog/2008/07/1569.html
http://www.us-cert.gov/reading_room/emailscams_0905.pdf

This entry is available at:
www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading

Monday, June 30, 2008 3:34:52 PM (Mountain Daylight Time, UTC-06:00) ( Barracuda Spam Firewalls | CudaMail | Spam Filtering Service )
I just wanted to start a thread on some of the tools I have been using to help us (Support@CudaMail.com) manage a cluster of Barracuda Spam Firewall 600s over the last few years. I hope these techniques will help you!

While I have a Windows PC as my daily desktop, I have grown fond of a lot of the classic *nix utilities such as grep, sort and uniq, and one of the first things I do on a new PC is to download and install the Cygwin utilities available at:
(just run the setup and let it do a default install; you can always re-run setup to update or add additional tools)
Once you have Cygwin installed you get a new DOS-prompt-like shell that is great at working with text files, and one thing I do on a fairly regular basis is look at the inbound/outbound queues, especially when they are high and I want to know where all the messages are coming from or going to.

From the Basic / Status page click on the number that corresponds to the in or out queue. This will open a report showing the details of all messages, but there is no easy way to sort them, so I select all and copy the information to the clipboard.

I paste the information into Excel using Paste Special (plain text) and then select all the e-mail addresses in the To: column. I copy them out and paste them into a plain text file called 'list.txt' in the C:\cygwin\home\username folder.

In the Cygwin shell, issue the following command:

    grep -o -E '@.+$' list.txt | sort | uniq -c | sort

Let's break this command down:

    grep -o -E '@.+$' list.txt
 
This command looks through the file 'list.txt' for the section of each e-mail address that starts with the '@' sign and selects everything from the '@' sign to the end of the line (-o prints only the matching part of each line, and -E enables extended regular expressions). The result is a new list showing just the domain portion of each e-mail address, one entry per original line.

    | sort | uniq -c | sort

Pipe (|) the output of the grep command through sort to put all the same domain names together, then run the output of that command (pipe again) through the uniq command, asking it to count (-c) the number of identical adjacent entries, and then sort that list from small to large before displaying it, like this sample:

     3 @thousand.com
     5 @ccim.org
     5 @s2.savvyconsumertoday.com
    13 @CUSTOMER.ORG
    27 @www.howtokeep.com
   294 @customer.org

Voila! I have a list of the number of messages per domain in the outbound queue!

So ... how does this help me?


This tells me at a glance that there is something wrong with the mail server for 'customer.org' and that I need to start looking there. This has helped me so much that I wish there were a button at the top of each column in the in/out queue that would do the same thing: return a top-10-style list.
 
You can see that this sorts the upper- and lower-case variations separately. While I thought I would like to add a command to change everything to lowercase first, I find that leaving the case alone actually helps me spot problems. I can go back to the Excel spreadsheet, find the 13 messages going to the upper-case variation of the customer's domain and check them; this may be a new campaign that I can stop by adding the sending IPs to the 'IP Block / Accept' tab.

If you do want to combine the UPPER CASE and lower case variations into one line, use the following series of commands:

    grep -o -E '@.+$' list.txt | tr 'A-Z' 'a-z' | sort | uniq -c | sort

Anyone else have a tip like this?

- Shaun
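The queue-by-domain pipeline from this post, wrapped into a reusable shell function as an added example (not the author's own script). It assumes a grep that supports -o and -E (GNU grep, as shipped with Cygwin), and the address list and domain names in it are constructed placeholders, not real queue data.

```shell
#!/bin/sh
# Added example (not code from the original post): the same
# grep | sort | uniq -c | sort idea as a reusable function that can
# optionally fold upper/lower case and show only the top N domains.
# The sample list below is constructed for the demo; the domain
# names in it are placeholders, not real customers.

set -eu

# Write a constructed sample of the To: column, one address per line,
# into the file named by $1 (stands in for list.txt from the post).
make_sample_list() {
    cat > "$1" <<'EOF'
alice@customer.org
bob@customer.org
carol@customer.org
dave@customer.org
eve@CUSTOMER.ORG
frank@CUSTOMER.ORG
grace@thousand.com
heidi@ccim.org
ivan@ccim.org
EOF
}

# count_domains FILE [fold|nofold] [N]
# Prints "<count> @<domain>" lines, most frequent first, at most N of them.
# With "fold", upper- and lower-case spellings of a domain are merged
# (the tr step from the post); with "nofold" they stay separate, which
# is what lets a sudden burst to an odd spelling stand out.
# sort -rn sorts the counts numerically, largest first, instead of
# relying on uniq -c's column padding as the plain sort does.
count_domains() {
    file=$1
    fold=${2:-nofold}
    top=${3:-10}
    {
        if [ "$fold" = fold ]; then
            tr 'A-Z' 'a-z' < "$file"
        else
            cat "$file"
        fi
    } | grep -o -E '@.+$' | sort | uniq -c | sort -rn | head -n "$top" \
      | sed 's/^ *//'
}

# Stand-alone demo: build the sample and show both views of it.
sample=$(mktemp)
make_sample_list "$sample"
echo "== exact case =="
count_domains "$sample" nofold 10
echo "== case folded =="
count_domains "$sample" fold 10
rm -f "$sample"
```

Point the function at your own pasted list.txt instead of the constructed sample to get the real per-domain counts for the queue.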

Friday, June 27, 2008 9:24:17 AM (Mountain Daylight Time, UTC-06:00) ( False Spam | Postini | False Positives )
Which would be more damaging to your business, a few spam messages that get through to your Inbox, or one legitimate business email getting blocked by your spam filter?

We wanted to take a moment to share the following excerpts of an article from yesterday's issue of the Wall Street Journal. The reporter takes an in-depth look at his company's spam filtering service (Postini, in this case) by sorting through all of the email messages sent directly to his spam folder. In his search he discovers that of the 192 messages tagged as spam, "46% were legitimate messages that had been flagged as spam." Clearly this is an incredible and unacceptable false positive rate.

This article clearly validates Barracuda Networks' decision to prioritize a low false positive rate over blocking every single spam message. As you know, the Barracuda Spam Firewall has one of the lowest false positive ratings (.01%) of all solutions available today, while still maintaining a very high spam block rate of 95-99%. With such ratings, chances are very good that customers will see the benefits of a spam-free Inbox and can feel confident that no legitimate messages are being blocked.

The full article is below for your convenience.



www.WSJ.com
Wall Street Journal
Real Message About Spam
June 18, 2008; Page B6
Lee Gomes

We all hate the idea of doing anything that will end up making us deal with even more email than we have to manage now. But this is one of those situations where what you don't know can hurt you.

Dow Jones, like all big organizations, has been forced to subscribe to an antispam service to keep a firehose of illicit and offensive mail messages from reaching its employees, reporters included. When the service was first turned on, Outlook inboxes were suddenly free of offers for prescription medicines, mortgage refinances, crude erotica and all the other mainstays of the spam economy. Regular email life could resume -- spam-free. It looked like another victory for technology in the hands of the good guys. If it seemed too good to be true, well, that happens all the time in the tech world.

But after a while, some of my colleagues and I began to wonder where all that spam was going, and whether there was a chance that maybe, just maybe, some of the emails being flagged as spam and sent to an email gulag were actually just innocent communications. (For the longest time, regular access to those files had been blocked by IT policy.)

I asked IT managers for access to what was being caught in our spam filters -- the messages held back in quarantine and not delivered to our inboxes. When access finally was granted to me, and others in the rank and file here, you could hear the gasps from cubicles when we all saw what we had been missing.

The antispam system had been so effective because it had labeled as spam just about everything that was even remotely suspect. It was acting a bit like a police department that, in an effort to curb juvenile delinquency, was hauling in all teenagers without "A" averages.

Naturally, a huge percentage of the emails weren't spam at all. Our freedom from spam had come at a stiff price -- a very high false-positive rate.

How bad was it?

I took a good long look at a few days' worth of messages in my spam bucket. There were 192 in all. Sorting them by hand into "real mail" and "actual spam," I figured that some 46% were legitimate messages that had been flagged as spam. Of these, most were news releases from companies, including VMWare, Dell and Hewlett-Packard. Notices from Purdue University, the Semiconductor Industry Association and Forbes Magazine also were blocked, though maybe that last one wasn't such a bad call after all.

I can live without the occasional news release. But what about when real readers take the time to sit down and write to me? That's a message I want to see.

Alas, of the 150 readers to write about a recent column, 20% were sent to the spam bucket and would never have been seen by me if I hadn't bothered to ask to take a look.

Other reporters who had taken advantage of the more-open access policy had similar tales. One colleague said his spam bucket contained a note from a friend he had assumed was angry with him because he hadn't written. Another found a crucial message from the company's official health-care provider announcing an important change in a health plan.

Spam researchers say this sort of thing is happening all the time at companies everywhere. "Your experience is not at all unique," says David Dagon, who studies spam detection at Georgia Tech. "Antispam technology has become pretty mature in the last few years, but a lot of innovation still has to occur because the problem is so dynamic."

The antispam software at my shop is provided by Postini, and we can assume it's at least as good as anyone else's by virtue of the fact that Google bought Postini last year.

Postini President Scott Petry seemed surprised that so much of my good mail was being flagged as spam. He said the software uses a number of different variables to score a message; those above a certain threshold get tagged as spam.

Those news releases, for example, were being sent from a single mailbox that had been configured in a way similar to the method spammers like to use. And one of the readers who had written to me had mentioned hospitals and charity work. A lot of spam involves charity scams, which is probably why that message got flagged, he said.

Mr. Petry then proceeded to explain aspects of our antispam software that I never knew about and that could be used to shrink the spam net.

Specifically, Postini allows individual users to determine how aggressive its spam's filters should be. By default, our filters had been set to a vigilance level of four on a 1-to-5 setting, with five being the most exclusionary.

It turned out -- and this was news to most of us -- that the spam filter could be set by each user to be as aggressive or as permissive as each of us wished. I could lower the rating, Mr. Petry said, and start to see some of the messages that I had previously been missing.

Of course, I would also start seeing a lot more spam. And here you have the sad truth about the state of the art in spam protection. Set up your software to a low setting and you'll get most of your mail, but lots of spam. Ratchet up the controls and you'll see fewer stock picks, but you might miss the note from a long-lost friend.

Next time someone starts telling you about how smart computers have become, remind them about this situation, will you?

Tuesday, June 24, 2008 2:33:24 PM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | CudaMail | Threats | Adobe | PDF Malware )
PDF Flaw Exposes All to Botnet Attempts

Adobe revealed that a flaw exists even in fully up-to-date versions of Adobe Reader 8.1.2 that 'could potentially allow an attacker to take control of the affected system'. This is similar to other bugs that have recently been used by the "Bot Herders" to take over millions of PCs to add to their herds, later to be used to send spam to you and your friends.


Adobe's bulletin and service patch:
http://www.adobe.com/support/security/bulletins/apsb08-15.html

SANS Internet Storm Center (ISC) recommends that you update sooner rather than later.
http://isc.sans.org/diary.html?storyid=4616


While the SANS article mentions that the vulnerability will soon appear on a malware-spreading website, we at CudaMail expect the "Bot Herders" to start sending millions of messages with links to these malware sites, using 'social engineering' to get you interested enough to click on the unsolicited link.

So what can you do to protect yourself?

Update all your programs on a regular basis. Make sure you have a tested backup of all your important information for when - not if - you get infected and have to format and re-install your operating system (the only way to be 100% sure that you don't have a nasty infection), and don't click on links whose origins you are unsure about.

What else can we do as an anti-spam service to protect you?

While we do watch closely for outbreaks like this and will be blocking any messages that have links to known infected sites, we always have to be careful not to step over the line and start blocking legitimate links. We could easily write a rule that blocks any PDF file or even any link to any PDF file, but this format is used by billions of people to send all sorts of legitimate information every day, so we can't do that except in the case of a major outbreak, and then only for a very short while.

So here is a question to you, our dear readers:

Would you prefer to have 100% protection from a new malware outbreak like the one we expect, even if some legitimate messages may be blocked, or would you like all your legitimate e-mails to come through even if a few malware links also come through?

At CudaMail we have a third option, the per-user quarantine, where we can send every message with a PDF attachment or a link to a PDF into your personal quarantine area. This would require that you take the effort to check this quarantine area and deliberately release the wanted PDFs. Is that a viable option for you?

We want to hear from you!
      
- Shaun

Thursday, June 19, 2008 11:15:26 AM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | Barracuda Spam Firewalls | CudaMail | Phishing Scams | Spam | Spam Filtering Service | Spam Stats | Threats )
US-CERT is warning people about a new Storm Worm surge that is taking advantage of people's interest in what is happening in China, with both the recent earthquake and the Olympics foremost on people's minds.

Of all the messages processed recently by CudaMail with the words 'China' or 'Olympics' in the subject line, we were able to block, quarantine or tag this new spam surge with only a handful getting through to our customers. This was while at the same time allowing the legitimate messages through, as some of our customers do a brisk business with partners in China and will not stand for false positives.

 
The warning from US-CERT is included below so you can see some of the variations of subject lines being used, but this is not a complete list, as the Storm Worm continues to change the subject line and links to try to evade anti-spam measures such as CudaMail.

- Shaun

US-CERT Current Activity

New Storm Worm Variant Spreading

Original release date: June 19, 2008 at 11:23 am Last revised: June 19, 2008 at 11:23 am

US-CERT has received reports of new Storm Worm related activity. The latest activity is centered around messages related to the recent earthquake in China and the upcoming Olympic Games. This Trojan is spread via an unsolicited email message that contains a link to a malicious website. This website contains a video that when opened may run the executable file "beijing.exe" to infect the user's system with malicious code.

Subject lines can change at any time, but the following subject lines are noted as being used:

  * The most powerful quake hits China
  * Countless victims of earthquake in China
  * Death toll in China is growing
  * Recent earthquake in china took a heavy toll
  * Recent china earthquake kills million
  * China is paralyzed by new earthquake
  * Death toll in China exceeds 1000000
  * A new powerful disaster in China
  * A new deadly catastrophe in China
  * 2008 Olympic Games are under the threat
  * China's most deadly earthquake

US-CERT encourages users and administrators to take the following preventative measures to mitigate the security risks:

  * Install anti-virus software, and keep its virus signature files up-to-date.
  * Do not follow unsolicited web links received in email messages.
  * Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
  * Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

US-CERT reminds users to beware of future phishing attacks that may target natural disasters and the Olympic Games.

Relevant Url(s):
http://www.us-cert.gov/cas/tips/ST04-014.html

http://www.us-cert.gov/reading_room/emailscams_0905.pdf

This entry is available at:

http://www.us-cert.gov/current/index.html#new_storm_worm_variant_spreads2

About the author

Shaun Sturby, MCSE
Technical Services Manager, and Optrics' point person for email security

© Copyright 2008, Optrics Inc.