Standard User samulam
(committed) Tue 03-Dec-13 20:25:23

Is this a virus

 
I have just received an email that purports to come from " RoyalMail" <pmssmee@portalrihannafenty.com>, addressed to me, with an attachment.
The body of the email is as follows:
The attached message from RoyalMail UK was found to contain the virus "suspect.DoubleExtension-Zipped-15(986cc773bcb.............................).
The infected portion of the message was removed by virus blocker.

Of course I am wary of this and did not touch it.

Has anybody received such email?
Standard User billford
(elder) Tue 03-Dec-13 20:33:25

Re: Is this a virus

[re: samulam]
 
Different "From" address here, was it about "Lost/Missing Package"?

Both my ISP's checkers and my mail client (OS X Mail) reckoned it was spam and I agreed with them both :)

I've had a few like that in the last couple of months, I suppose Christmas is a good time to get people worried about non-deliveries...

Bill
A level playing field is level in both directions.

Standard User Pipexer
(eat-sleep-adslguide) Tue 03-Dec-13 20:36:57

Re: Is this a virus

[re: samulam]
 
In reply to a post by samulam:
Is this a virus

Yes.

Zen 8000 Pro



Standard User ggremlin
(committed) Tue 03-Dec-13 21:02:37

Re: Is this a virus

[re: Pipexer]
 
In reply to a post by Pipexer:
In reply to a post by samulam:
Is this a virus

Yes.

technically not a virus, since it's not self-spreading, but definitely 'malware'
- probably the one that encrypts your files and holds them to ransom

reminder to everyone do some backups, and keep them offline
Standard User johnjburness
(eat-sleep-adslguide) Wed 04-Dec-13 08:12:52

Re: Is this a virus

[re: samulam]
 
Always ask yourself some basic questions:-

Have you given Royal Mail your email address?

Are you expecting an email from Royal Mail?

If it was from Royal Mail, wouldn't they be using a Royal Mail Address?

Why would Royal Mail be using a Domain registered in Australia, using Name Servers in Brazil & actually is an expired domain?


Once you've answered those questions, I think that your question about the attachment being a virus becomes academic as you DO NOT OPEN IT!!!

Regards,
John
Standard User obroad
(newbie) Wed 04-Dec-13 12:03:47

Re: Is this a virus

[re: samulam]
 
Double-extension probably refers to the trick of naming a file something like name.zip.exe or name.pdf.exe so that Windows hides the "exe" part, making it look like a data file, not a program. I know of no legitimate reason to name a file that way, so anything in an attachment fitting that pattern can be safely discarded.

Some malware uses a space in place of the first dot in order to get past filters.
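
The naming pattern described in the post above, as an added example that is not part of the original thread: a Python check that flags double-extension attachment names, including the space-for-dot variant, and reads the member names of zip attachments. The extension lists, function names and the sample message are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Assumed extension lists for illustration; adjust to your own mail policy.
EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DECOY = {"pdf", "doc", "docx", "xls", "xlsx", "zip", "jpg", "png", "txt"}

def is_double_extension(name):
    """True for <decoy ext>.<executable ext>, with '.' or a space before the decoy."""
    base = name.strip().lower()
    m = re.search(r"[.\s]([a-z0-9]{2,4})\.([a-z0-9]{2,4})$", base)
    return bool(m) and m.group(1) in DECOY and m.group(2) in EXECUTABLE

def scan_message(raw):
    """Return (attachment, offending name) pairs found in a raw email message."""
    findings = []
    for part in message_from_bytes(raw).walk():
        fname = part.get_filename()
        if not fname:
            continue  # body parts and multipart containers carry no filename
        if is_double_extension(fname):
            findings.append((fname, fname))
        payload = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(payload)):
            # Read member names only; nothing is extracted or executed.
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                findings += [(fname, n) for n in zf.namelist()
                             if is_double_extension(n)]
    return findings

def build_sample():
    """Constructed sample: zip attachment whose only member is named *.pdf.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Delivery_Notice.pdf.exe", b"dummy bytes, not a program")
    msg = EmailMessage()
    msg["From"] = '"RoyalMail" <sender@example.invalid>'
    msg["Subject"] = "Lost/Missing Package"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Delivery_Notice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for attachment, name in scan_message(build_sample()):
        print(f"flag: {name!r} in attachment {attachment!r}")
```
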
Standard User greenglide
(experienced) Wed 04-Dec-13 12:50:35

Re: Is this a virus

[re: samulam]
 
I have had a number of these recently which appear to cause the mail server to get very upset and strip most of the content out.

Strangely they have only (so far) been addressed to three different mail addresses that have only ever been used for communication with Santander (and Abbey before them).

I am wondering whether someone has "stolen" the contacts from Santander?

Worried!

BT Infinity 2 - IP profile 77 / 20 - super fast!
Previously BE Unlimited - 21,000 Download 1,200 Upload but then moved house - 6,500 Down, 1Mb/s up - gutted!
Ex <n>ildram , been to SKY MAX - 15,225 Download
Standard User TTEnt
(learned) Wed 04-Dec-13 13:03:23

Re: Is this a virus

[re: greenglide]
 
That could be quite possible as I am getting the same thing and only to the address which I use for Santander.
Standard User shinerweb
(newbie) Wed 04-Dec-13 16:12:15

Re: Is this a virus

[re: samulam]
 
In reply to a post by samulam:
Has anybody received such email?

How about 15,000+ of them hitting my mail servers today.
Seems to be a rather large run going on at the moment.

Be suspicious of anything sent as an attachment these days.
Companies tend not to send things as attachments unless they have explicitly contacted you beforehand to say such a thing is on the way.

Legit companies will address you by your full name within the body of the email, and usually some obfuscated part of your account number.

If there is no uniquely identifiable information within the BODY of the email, other than your email address (which has been harvested more than likely), then again, the chances are the email is spam.

With regards to the latest Royal Mail malware going round, so far today I've seen at least 40 variants of the same virus. Not all antivirus applications will pick up the attachment as a virus because they simply can't keep up. These days, viruses/malware can mutate multiple times per hour if not minute. (Which is why most good antimalware/virus applications now have 4 hourly updates AND employ real-time cloud based queries).

If ever in doubt and you are actually waiting for an attachment, you can use VirusTotal (at https://www.virustotal.com/). Here you can upload the suspect file (making sure NOT to double click or open it). VirusTotal will check the file against multiple vendors and give you a good indication as to whether something is safe. But again, to stress, even a 0% hit on VirusTotal isn't a concrete indication that a file is completely safe. You may be the unlucky one to receive the brand new version of a virus.

Hence - trust nothing.

Regards

Chris

Standard User PhilipD
(experienced) Wed 04-Dec-13 16:52:18

Re: Is this a virus

[re: TTEnt]
 
Hi

Yes, definitely a leak via Santander. Two of us here with email addresses only Santander have are both receiving the exact same SPAM/Virus messages to those addresses; no other addresses are getting these.

Others have reported it here, this is the first one that kicked it off http://blog.mxlab.eu/2013/11/04/fake-email-with-subj...

Santander have not publicly admitted anything, yet anyway. An email to their phishing reporting email address spelling out very clearly they must have leaked my email address at Santander, not surprisingly, went unanswered.

Regards

Phil

Edited by PhilipD (Wed 04-Dec-13 16:52:57)
