CRIME An Interesting Spyware Scam to watch out for

From: Alan (alan@private)
Date: Sun May 11 2003 - 19:11:39 PDT


    I received an interesting spam in the mail.  It contained a scam that
    you might want to be aware of, especially if you have fairly gullible
    users on your network.
    
    Here is the text of the spam:
    
    
    > From - 
    > Return-Path: <windowsupdate@private>
    > Delivered-To: alan@ctrl-alt-del.com
    > Received: from windowsupdatenow.com
    > 	(adsl-68-120-92-123.dsl.irvnca.pacbell.net [68.120.92.123]) by
    > 	clueserver.org (Postfix) with SMTP id 457062B6C3 for
    > 	<alan@ctrl-alt-del.com>; Sun, 11 May 2003 03:53:24 -0700 (PDT)
    > Message-ID: <8d6d63abe320$003a31b0$c04fd773@private>
    > From: <windowsupdate@private>
    > To: <alan@ctrl-alt-del.com>
    > Subject: Windows Update Notification
    > Date: Mon, 12 May 2003 06:32:11 -1100
    > MIME-Version: 1.0
    > Content-Type: text/plain; charset="iso-8859-1"
    > X-Priority: 1
    > X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
    > X-MSMail-Priority: High
    > X-Mailer: Microsoft Outlook Express 5.00.2314.1300
    > Content-Transfer-Encoding: quoted-printable
    > X-Spam-Status: No, hits=1.4 required=5.0
    > 	tests=X_MSMAIL_PRIORITY_HIGH,X_PRIORITY_HIGH,NO_REAL_NAME,LINES_OF_YELLING
    > 	version=2.20
    > X-Spam-Level: *
    > Status:   
    > 
    > WINDOWS SECURITY WARNING!!
    > =20
    > A VIRUS HAS BEEN DETECTED ON YOUR COMPUTER. IN ORDER FOR YOUR COMPUTER NOT =
    > TO CRASH YOU WILL NEED TO GO TO:
    > =20
    > http://WWW.WINDOWSUPDATENOW.COM
    > =20
    > AND IT WILL AUTOMATICALLY UPDATE YOUR COMPUTERS SECURITY PATCHES.
    > =20
    > SIMPLY TYPE IN http://WWW.WINDOWSUPDATENOW.COM INTO YOUR BROWSER. OTHERWISE=
    >  YOU WILL KEEP RECEIVING THIS SECURITY ALERT EMAIL EVERY DAY.
    
    Since I am running Linux, I was not too worried...
    
    I checked out the site and it redirects you to
    http://www.quicklaunch.com/perl/detection.pl.
    
    The Linux-unaware script attempts to download
    http://download.quicklaunch.com/quicklaunch154.cab and install it. 
    
    The program it tries to install is called "Quick Launch Toolbar".  It is
    a nasty little bit of Spyware/Adware. There is a good description on
    removal at http://www.doxdesk.com/parasite/BrowserAid.html .  
    
    The biggest concern is that it has an "update feature" that can install
    arbitrary code on your machine.
    
    Both domains are registered to:
    
            This Domain Is For Sale joshuathaninvest@private
            ( This Domain is For Sale ) Joshuathan Investments, Inc.
            62 Cleghorn Street
            Belize City, Belize none
            US
            Phone: 501-2-31244
            Fax: 501-2-34222
     
    
    www.windowsupdatenow.com is hosted on wfb.dnsvr.com (65.125.231.178) in
    Florida.
    
    www.quicklaunch.com  (66.117.19.206) hosted by nhicolo.com in LA,
    California.
    
    
    -- 
    Alan <alan@private>
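
Added example, not part of Alan's post: a small Python triage of the quoted message, showing the header and body signals a mail filter could have scored even though SpamAssassin let it through at 1.4. The flag names, the 12-hour skew threshold and the `TRUSTED` tuple are assumptions made for this sketch; the sample is abridged from the headers quoted above.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Abridged copy of the message quoted in the post (sample input for this example).
SAMPLE = """\
Received: from windowsupdatenow.com
\t(adsl-68-120-92-123.dsl.irvnca.pacbell.net [68.120.92.123]) by
\tclueserver.org (Postfix) with SMTP id 457062B6C3 for
\t<alan@ctrl-alt-del.com>; Sun, 11 May 2003 03:53:24 -0700 (PDT)
Date: Mon, 12 May 2003 06:32:11 -1100
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

WINDOWS SECURITY WARNING!!
=20
A VIRUS HAS BEEN DETECTED ON YOUR COMPUTER. IN ORDER FOR YOUR COMPUTER NOT =
TO CRASH YOU WILL NEED TO GO TO:
=20
http://WWW.WINDOWSUPDATENOW.COM
"""

# Assumption: the only domain trusted for "Windows Update" links is microsoft.com.
TRUSTED = ("microsoft.com",)

def triage(raw, max_skew_hours=12):
    msg = message_from_string(raw)
    flags = []
    received = " ".join(msg["Received"].split())      # unfold the header
    m = re.match(r"from (\S+) \((\S+) \[([\d.]+)\]\)", received)
    if m and not m.group(2).lower().endswith(m.group(1).lower()):
        flags.append("helo_rdns_mismatch")   # HELO name is not the connecting host
    rcvd_time = parsedate_to_datetime(received.rsplit(";", 1)[1].strip())
    skew = (parsedate_to_datetime(msg["Date"]) - rcvd_time).total_seconds() / 3600
    if abs(skew) > max_skew_hours:
        flags.append("date_skew")            # Date: disagrees with our MTA's clock
    body = msg.get_payload(decode=True).decode("iso-8859-1")  # undo quoted-printable
    letters = [c for c in body if c.isalpha()]
    if letters and sum(c.isupper() for c in letters) / len(letters) > 0.9:
        flags.append("all_caps_body")
    for host in re.findall(r"https?://([^/\s]+)", body, re.I):
        host = host.lower()
        trusted = any(host == d or host.endswith("." + d) for d in TRUSTED)
        if "windowsupdate" in host and not trusted:
            flags.append("lookalike_url:" + host)
    return flags

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the quoted message all four checks fire: the HELO name belongs to a residential DSL address, the Date header is about 30 hours ahead of the receiving server's timestamp, the body is almost entirely upper case, and the link borrows the Windows Update name on a non-Microsoft domain.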
    


