
Does this sound like a virus?

Posted: Tue Aug 02, 2005 1:57 am
by ConvergenceZone
Hi all.
I got an email that appeared to have come from the webmaster of my ISP this morning (Surewest) and in the email subject it said "account suspended". I read the message body and it said, "account suspended due to security reasons", and in the body of the email it said "document.zip (infected file)", and then underneath it "document.zip (cleaned)". The email said please open the document for further details. Also, in the body of the email it said something like "profile needs to be updated". Anyway, I didn't call "surewest" because I can never get through (huge hold times), but my account is obviously not suspended. I deleted the email. Anyway, does this sound like a virus?? Just wanted some opinions.
Another fishy part of it is that the "from" address said "webmaster@surewest.net". That sounded awfully generic to me.

Thanks!
:wink:

Posted: Tue Aug 02, 2005 6:50 am
by BEER980
It might be a virus but it sounds more like a phishing scam. I would report it to your ISP by email with all the headers as abuse.

Posted: Tue Aug 02, 2005 6:54 am
by TexasStooge
Yesterday, I got an e-mail saying that my services on Yahoo! are coming to an end, with an attachment titled "account_info.zip".

They probably want your personal info, so delete 'em.

Posted: Tue Aug 02, 2005 8:19 am
by sweetpea
I got the same thing over the weekend from my provider, bellsouth.net. I called them and they said they hadn't sent me anything. So to play it safe I deleted it and did a recovery on my computer back to a safe point. I am not sure it will help, but I figure it was worth a shot.

Debbie

Posted: Tue Aug 02, 2005 8:29 am
by CaptinCrunch
Here is a copy of the email I sent at work to all my users; I am the Network Security Admin at work.


** IMPORTANT**

I have received 3 e-mails in the last week from admin@ftwha.org, service@ftwha.org, and mail@ftwha.org, all containing a zip attachment or a URL link with my ftwha.org e-mail address in it. These e-mails claim "Notice of account limitation", "Important Notification" or "Your Account is Suspended For Security Reasons". DO NOT OPEN THESE ATTACHMENTS!!!! or CLICK ON THE URL LINK!!!! They may contain a virus that has been passed through our virus protection system. E-mail viruses have been made to go undetected by virus scanning software and hackers are using them more often to steal your identity by hacking your hard drive or to crash your PC.

Here is a copy of one of the e-mails I received.

Dear Valued Member,

According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons.

A URL link would show here with your email address listed
Thank you for your attention to this question. We apologize for any inconvenience.

Sincerely, Ftwha Security Department Assistant.

The other e-mails look like this with the attachment....


Posted: Tue Aug 02, 2005 8:41 am
by vbhoutex
I have gotten similar from "Yahoo" recently. I know better and it went in the trash immediately. Wonder of wonders, my Yahoo account is still up and running with no problems.

Posted: Tue Aug 02, 2005 11:52 am
by Guest
You have to think, especially if it deals with an ISP: Why would they use e-mail to notify me of this if my account has been suspended? ;) Just a thought.

I would think all services would call/snail-mail for situations like this.

Posted: Tue Aug 02, 2005 12:03 pm
by Hurricaneman
It sounds like a virus to me

Posted: Tue Aug 02, 2005 12:16 pm
by Jim Cantore
Yep that had virus written all over it

Re: Does this sound like a virus?

Posted: Tue Aug 02, 2005 12:18 pm
by HurryKane
ConvergenceZone wrote:Hi all.
I got an email that appeared to have come from the webmaster of my ISP this morning (Surewest) and in the email subject it said "account suspended". I read the message body and it said, "account suspended due to security reasons", and in the body of the email it said "document.zip (infected file)", and then underneath it "document.zip (cleaned)". The email said please open the document for further details. Also, in the body of the email it said something like "profile needs to be updated". Anyway, I didn't call "surewest" because I can never get through (huge hold times), but my account is obviously not suspended. I deleted the email. Anyway, does this sound like a virus?? Just wanted some opinions.
Another fishy part of it is that the "from" address said "webmaster@surewest.net". That sounded awfully generic to me.

Thanks!
:wink:



You can read more about that particular worm you received here (a little Google goes a long way)

http://securityresponse.symantec.com/av ... im@mm.html

Scroll (way) down to item 15 to see that it often spoofs as coming from webmaster of an ISP and uses the "account suspended for security reasons," among other things, as a way to get you to open the attachments.

# Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

From:
One of the following:

* accounts
* admin
* administrator
* info
* mail
* register
* service
* support
* webmaster

The worm may also spoof a From address from one of the addresses found on the compromised computer.

Subject:
One of the following:

* Notice of account limitation
* Email Account Suspension
* Security measures
* You are banned!!!
* We have suspended your account
* Members Support
* Important Notification
* Warning Message: Your services near to be closed.
* Your Account is Suspended For Security Reasons
* *DETECTED* Online User Violation
* *WARNING* Your email account is suspended
* Your Account is Suspended

Message:
One of the following:

* Dear [DOMAIN] Member,
We have temporarily [REMOVED] Support Team
=======================
* Dear [DOMAIN] Member,
Your e-mail acc [REMOVED] Team
=============================
* Some information about your [DOMAIN] account is attached.
The [DOMAIN] Support Team
=============================

Where [DOMAIN] is the domain part of the recipient's email address and [EMAIL] is the recipient's email address.


Attachment:
One of the following:

* account-details.zip
* account-info.zip
* account-report.zip
* document.zip
* email-details.zip
* important-details.zip
* information.zip
* readme.zip

The attached zip file contains the file:

[ZIP FILENAME].[1ST EXTENSION][MANY SPACES].[2ND EXTENSION]

Note:
* [ZIP FILENAME] is the name of the attached zip file
* [1ST EXTENSION] is one of the following:
1. doc
2. htm
3. tmp
4. txt
* [2ND EXTENSION] is one of the following:
1. bat
2. cmd
3. exe
4. pif
5. scr
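
The attachment pattern in the write-up quoted above (a decoy extension, a run of spaces, then the real executable extension) can be checked at a mail gateway without unpacking anything. This is an added example, not code from the thread or from Symantec; the function names are hypothetical and the sample zip is constructed in memory.

```python
import io
import re
import zipfile

# Values copied from the Symantec write-up quoted in the post above.
LURE_ZIP_NAMES = {
    "account-details.zip", "account-info.zip", "account-report.zip",
    "document.zip", "email-details.zip", "important-details.zip",
    "information.zip", "readme.zip",
}
DECOY_EXTS = ("doc", "htm", "tmp", "txt")
EXEC_EXTS = ("bat", "cmd", "exe", "pif", "scr")

# <name>.<decoy ext><whitespace padding>.<executable ext>
PADDED_DOUBLE_EXT = re.compile(
    r"^(?P<stem>.+)\.(?P<decoy>%s)(?P<pad>\s+)\.(?P<real>%s)$"
    % ("|".join(DECOY_EXTS), "|".join(EXEC_EXTS)),
    re.IGNORECASE,
)

def inspect_zip_attachment(attachment_name, zip_bytes):
    """Return findings for one zip attachment (empty list = nothing matched)."""
    findings = []
    if attachment_name.lower() in LURE_ZIP_NAMES:
        findings.append("attachment name is on the advisory's list: " + attachment_name)
    try:
        # Only the member names are read; nothing is extracted or executed.
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return findings + ["not a readable zip archive"]
    for member in members:
        base = member.rsplit("/", 1)[-1]  # ignore any folder prefix
        m = PADDED_DOUBLE_EXT.match(base)
        if m:
            findings.append(
                "padded double extension: shown as '%s.%s', runs as .%s (%d padding chars)"
                % (m["stem"], m["decoy"], m["real"].lower(), len(m["pad"]))
            )
    return findings

def make_sample_zip(member_name):
    """Build a constructed in-memory zip holding one harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "constructed sample, not malware")
    return buf.getvalue()

if __name__ == "__main__":
    padded = "document.txt" + " " * 40 + ".scr"
    for finding in inspect_zip_attachment("document.zip", make_sample_zip(padded)):
        print(finding)
```

The padding is what hides the second extension in a narrow filename column, so the check reports what the user would see next to what the system would actually run.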


Posted: Tue Aug 02, 2005 12:19 pm
by ConvergenceZone
Thanx all! Wow, those examples you provided look like carbon copies of what I got. Just wanted to make sure. Downloading AVG Virus Protection as we speak.

Posted: Tue Aug 02, 2005 7:32 pm
by coriolis
I get a lot of spoof emails claiming to be from ebay or paypal. They ask you to click on a link which takes you to an official-looking ebay page and it asks you to fill in your information.

I always reply back, with a cc to spoof@ebay.com

Once in a while I'll type in useless information in the fields, or cute little "messages" instead of my address, etc.

ebay usually sends an acknowledgement thanking me for reporting it.

Posted: Tue Aug 02, 2005 10:36 pm
by beachbum_al
Sounds like a phish email trying to get info on you. I get a lot of those from ebay and paypal trying to get info. Just delete it and don't answer it.