
Malware Presents in This Week's Emails

 
 

Unless you have your mail sanitized for spam before you ever see it, you probably noticed a huge reduction in spam over the last 10 days. The shutdown of a major web hosting firm is reported to have resulted in a forty to sixty percent decrease in daily spam.

Two Internet Service Providers cut off the Internet access of a large web hosting company after Washington Post articles reporting that it was being used to control millions of subverted home computers (the so-called "bot nets" — networks of remotely controlled "robot" computers) to send spam and malware.

Despite the big reduction in unsolicited commercial emails, they're still coming — and so are the malware emails. The malware emails don't attempt to sell you anything — they just want to infect you, capture your personal information and/or put you into their bot network.

Although I often use text-only webmail (specifically, the widely used SquirrelMail offered by my web host) to delete junk emails before they get to my computer, I let a few through to see what shows up.

This week, Vipre told me that I got emails containing Trojan-Spy.Win32.Zbot.gen (risk level: Severe) and Trojan.Win32.Agent.amdk (risk level: High).

The Zbot trojan arrived as an attachment to an email that claimed it had a UPS invoice attached. The malware was packed in a .zip file to protect it from email scanners.

This Zbot trojan is designed to allow an attacker to remotely control my computer, to allow it to be used for illicit purposes, and to make other changes to my computer. Of course, the first item (remote control) means they can do just about anything, so they'll be able to download and install software, too.

The other significant malware attack attempt was by Trojan.Win32.Agent.amdk. It was an attachment to an email claiming to give me "Activation Keys" for some software. Like the Zbot trojan, the Agent trojan arrived in a .zip file. Unlike the Zbot, the file itself claimed to be a .doc file (Activation Keys.doc).

This .doc file was a trick to take advantage of one of Microsoft's more stupid security blunders (well, maybe not one of the "more stupid," but "a stupid"). Windows XP (and I assume Vista) is set to hide file extensions by default, with the idea that we don't need to worry about that any more. To go with that concept, Microsoft changed XP to be able to open a program based on information contained within the file, regardless of the file extension. This means that the .doc file wasn't necessarily a Word Document or any other kind of document. It was an executable file!
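A mail filter can catch this kind of disguise by comparing each zipped file's leading bytes with the extension its name claims. The sketch below is an added example, not code from the original article or from Vipre; the function names and every sample file except the "Activation Keys.doc" name are assumptions, and the sample archive contains harmless placeholder bytes.

```python
import io
import zipfile

# Leading bytes ("magic numbers") of the two formats this check cares about.
PE_MAGIC = b"MZ"                                 # DOS/PE executable header
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # legacy Word .doc container

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}


def classify(name, head):
    """Return a verdict for one archive member from its name and first bytes."""
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if head.startswith(PE_MAGIC):
        if ext in EXECUTABLE_EXTS:
            return "executable"
        return "executable-disguised-as-" + (ext.lstrip(".") or "no-extension")
    if ext == ".doc" and not head.startswith(OLE2_MAGIC):
        return "not-a-real-doc"
    return "ok"


def scan_zip(data):
    """Inspect every file in a zip (given as bytes) without extracting to disk."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                findings[info.filename] = classify(info.filename, member.read(8))
    return findings


def build_sample_zip():
    """Constructed sample: harmless placeholder bytes, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Activation Keys.doc", b"MZ" + b"\x00" * 62)  # PE header, .doc name
        zf.writestr("letter.doc", OLE2_MAGIC + b"\x00" * 56)      # genuine OLE2 header
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in scan_zip(build_sample_zip()).items():
        print(f"{verdict:32} {name}")
```

The check reads only the first eight bytes of each member, so nothing from the archive is written to disk or executed.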

I'm glad I have Sunbelt's Vipre Antivirus+Antispyware watching out for me — and, more so, glad that it's watching over my family's computers.

 

Copyright © 2008-2009 Terry A. Stockdale. All rights reserved.


 
