Malware Email Example #005 (Vaio Order)
Things I Did, Below
I personally receive email in HTML format. The following is reproduced as I received it, and as it looked.
- I removed my email addresses. These came to various accounts and some no longer exist. There are places on this site you can get hold of me if you wish or need to. They are protected from spambots using JavaScript, but all you have to do is click on them.
- All scammer and related email addresses, and any actual website links, have been changed, at least by putting spaces into them. They may appear as underlined blue links, though they aren't live.
- Any notes I added in the actual letter are in square brackets ("[" "]"), are bold, red in color, and highlighted. If what I found "behind the links" (email or website) is different from what was displayed, I include it in this type of note.
- All spelling, spacing, line-wrapping, and punctuation errors are the ones that appeared in the original received email. (I may or may not analyze some or all of these.)
Malware Email Example 005
Received 11/01/2006 (a); 11/07/2006 (b); 11/25/2006 (c)
I received this email from two separate emailers, about a week apart, then another copy about three weeks later, all with the same content.
[a]
From: customercare @ zipzoomfly.com
To: bigwillp @ hotmail.com
Sent: Wednesday, November 01, 2006 12:48 PM
Subject: Your 37679041 order information
[b]
From: customercare @ bestbuy.com
To: lexapro345 @ hotmail.com
Sent: Tuesday, November 07, 2006 10:35 AM
Subject: Your 37679041 order information
[c]
From: info @ zipzoomfly.com
To: yaeyo @ hotmail.com
Sent: Saturday, November 25, 2006 12:59 PM
Subject: Order ID : 37679041
[content of all three of the above]
Dear Customer,
Thank you for ordering from our internet shop. If you paid with a credit card, the charge on your statement will be from name of our shop.
This email is to confirm the receipt of your order. Please do not reply as this email was sent from our automated confirmation system.
Date : 08 Oct 2006 [a]
06 Nov 2006 [b] - 12:40
24 Nov 2006 - 12:55 [c]
Order ID : 37679041
Payment by Credit card
Product : Quantity : Price
WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99
Subtotal : 2,449.99
Shipping : 32.88
TOTAL : 2,482.87
Your Order Summary located in the attachment file ( self-extracting archive with "37679041.pdf" file ).
PDF (Portable Document Format) files are created by Adobe
Acrobat software and can be viewed with Adobe Acrobat
Reader.
If you do not already have this viewer configured on a
local drive, you may download it for free from Adobe's
Web site.
We will ship your order from the warehouse nearest to you that has your items in stock (NY, TN, UT & CA). We strive to ship all orders the same day, but please allow 24hrs for processing.
You will receive another email with tracking information soon.
We hope you enjoy your order! Thank you for shopping with us!
[NOTE: That's the whole message, except for the attachment. It came to one of my Hotmail addresses (none of which are the ones listed in the To: lines).
I left names, email addresses, and phone numbers in here for the search engines to find. DO NOT TRY TO CONTACT THEM! They sent a virus! -LE]
This email included an attached file: "37679041.pdf.zip" (24.7 KB) [a], (24.8 KB) [b]; "37679041.pdf.exe" (19.6 KB) [c]. Each is a "double-extension" file. Remember, the outer extension is the one used to choose the program that runs it.
The line that says it's a "self-extracting archive" is patently wrong for [a] and [b]. Any of those from WinZip that I've seen are executables (.exe). I know, because I've tried to send pictures to family that way, and they've been rejected because they ARE executables! As for the one from [c], since I'd already received the others, I KNEW what this was.
Example Email 005a Headers
11/01/2006
If you're not interested in the technical aspect of the headers, skip to Example 005 Notes
X-Message-Status: n:0
X-SID-PRA: customercare @ zipzoomfly.com
X-SID-Result: Fail
X-Message-Info: LzIk29jQYuLz2BMnKMQE9mKDwn4VOGonpxbPCp9NKFk=
Received: from host167.190-30-38.telecom.net.ar
([190.30.38.167]) by bay0-mc1-f19.bay0.hotmail.com with
Microsoft SMTPSVC(6.0.3790.2444);
Wed, 1 Nov 2006 09:47:29 -0800
Date: Wed, 01 Nov 2006 21:48:57 +0400
From: customercare @ zipzoomfly.com
Message-ID: <53791116.07591976 @ rebutted.com>
To: bigwillp @ hotmail.com
Subject: Your 37679041 order information
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----------60904D8BD2CE1E0"
Return-Path: customercare @ zipzoomfly.com
X-OriginalArrivalTime: 01 Nov 2006 17:47:30.0543 (UTC)
FILETIME=[CD967FF0:01C6FDDD]
[NOTE: The rest of the email was the text (above block) and a large block of random-looking letters (this would be the attachment).
I left names, email addresses, and phone numbers in here for the search engines to find. DO NOT TRY TO CONTACT THEM! They sent a virus! -LE]
Example Email 005b Headers
11/07/2006
X-Message-Status: n:0
X-SID-PRA: customercare @ bestbuy.com
X-SID-Result: SoftFail
X-Message-Info:
txF49lGdW432hwgH3AGNOJKedOdL/uUK3gVkRTe8tss=
Received: from
host78-36-dynamic.6-87-r.retail.telecomitalia.it
([87.6.36.78]) by bay0-mc3-f14.bay0.hotmail.com with
Microsoft SMTPSVC(6.0.3790.2444);
Tue, 7 Nov 2006 07:44:08 -0800
Date: Tue, 07 Nov 2006 10:35:27 -0500
From: customercare @ bestbuy.com
Message-ID: <64729615.45834382 @ inflict.com>
To: lexapro345 @ hotmail.com
Subject: Your 37679041 order information
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----------589D54D8CC6EC34"
Return-Path: customercare @ bestbuy.com
X-OriginalArrivalTime: 07 Nov 2006 15:44:09.0838 (UTC)
FILETIME=[90E708E0:01C70283]
[NOTE: The rest of the email was the text (above block) and a large block of random-looking letters (this would be the attachment).
I left names, email addresses, and phone numbers in here for the search engines to find. DO NOT TRY TO CONTACT THEM! They sent a virus! -LE]
Example Email 005c Headers
11/25/2006
X-Message-Status: n:0
X-SID-PRA: info @ zipzoomfly.com
X-SID-Result: Fail
X-Message-Info:
LsUYwwHHNt0+VCwh1uWeSHKFumlSGJryrymPOdEsHkA=
Received: from segment-124-7.sify.net ([124.7.128.158])
by bay0-mc7-f12.bay0.hotmail.com with Microsoft
SMTPSVC(6.0.3790.2444);
Sat, 25 Nov 2006 10:02:06 -0800
Date: Sat, 25 Nov 2006 19:59:56 +0200
From: info @ zipzoomfly.com
Message-ID: <91062047.45321693 @ comb.com>
To: yaeyo @ hotmail.com
Subject: Order ID : 37679041
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----------0E15611ED3BECDC"
Return-Path: info @ zipzoomfly.com
X-OriginalArrivalTime: 25 Nov 2006 18:02:07.0539 (UTC)
FILETIME=[D23B7830:01C710BB]
[NOTE: The rest of the email was the text (above block) and a large block of random-looking letters (this would be the attachment).
I left names, email addresses, and phone numbers in here for the search engines to find. DO NOT TRY TO CONTACT THEM! They sent a virus! -LE]
Notes
- Ok... This is as ugly as the Microsoft spoof ... with the same type of results - I get a virus/worm if I open the attachment!
- Here's a trick... The TO email address of the first one is bigwillp @ hotmail.com. I DO have a hotmail address that starts with "big", but the address to which this email came was NOT that one. Even so, I didn't really pay much attention to it until I expanded the email to see the name of the attached file.
The other two TO: email addresses are totally unknown to me.
Guess I need to add the rule:
NEVER OPEN ATTACHMENTS ON AN EMAIL THAT DOESN'T HAVE YOUR ADDRESS ON IT!
You may ask, "Why would I?" Well ...
- Maybe the correct address is in the attachment. (No... The email is SENT to an address, and if it's not yours, yours was in the BCC or we're talking about a mailing list.)
- Curiosity (Well, remember the old saying, "Curiosity killed the cat," or in this case, your computer!)
- Criminal mentality - There might be something worth something in it. (Kinda like #2, huh? Also, thinking you might be receiving something in error, that someone else paid for. Uh... Wouldn't that be "receiving stolen goods?" Think about that one.)
- There should be little reason to Zip a single-page (ostensibly small) receipt, and I know of no shopping site that does so. The text of the email is enough. Even then, there should/would NOT be a "double-extension" on it.
- NOTE: Many of the sites, listed below, have different file extensions. Mine was a "double-extension". Theirs were singles. DO NOT OPEN THE ATTACHED FILE!
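As an added example (not part of the original page), here is a short Python check that runs the points above against a constructed copy of the 005a headers: the Sender ID result, the relay host versus the claimed sender, the Message-ID domain, the Date header versus Hotmail's receipt time, the To: rule, and the double extension. The delivered-to mailbox is an assumed placeholder; the header values come from the headers quoted on this page.

```python
import re
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the example 005a headers above; '@' spaced as the page prints it.
HEADERS_005A = """\
X-SID-Result: Fail
Received: from host167.190-30-38.telecom.net.ar ([190.30.38.167])
 by bay0-mc1-f19.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
 Wed, 1 Nov 2006 09:47:29 -0800
Date: Wed, 01 Nov 2006 21:48:57 +0400
From: customercare @ zipzoomfly.com
Message-ID: <53791116.07591976 @ rebutted.com>
To: bigwillp @ hotmail.com
"""
MY_MAILBOX = "big-placeholder@hotmail.com"  # assumed: the mailbox it really arrived in
ATTACHMENT = "37679041.pdf.zip"             # attachment name given on the page

def parse_headers(raw):  # unfold continuation lines into a {name: value} dict
    hdrs, last = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and last:
            hdrs[last] += " " + line.strip()
        else:
            last, _, value = line.partition(":")
            hdrs[last] = value.strip()
    return hdrs

def domain(addr):  # domain part, tolerating the spaces the page puts around '@'
    return addr.rstrip(">").rsplit("@", 1)[-1].strip().lower()

def audit(raw, mailbox, attachment):  # indicators to weigh before opening anything
    h, flags = parse_headers(raw), []
    if h.get("X-SID-Result", "").lower() in ("fail", "softfail"):
        flags.append("sender-id " + h["X-SID-Result"])
    sender = domain(h["From"])
    if domain(h["Message-ID"]) != sender:
        flags.append("message-id domain differs from From")
    relay = re.match(r"from\s+(\S+)", h["Received"]).group(1).lower()
    if not relay.endswith(sender):  # claims to be the shop, but handed in by an ISP customer host
        flags.append("relay host outside From domain: " + relay)
    received_at = parsedate_to_datetime(h["Received"].rsplit(";", 1)[1].strip())
    if parsedate_to_datetime(h["Date"]) > received_at:  # sender's clock or zone is forged or off
        flags.append("Date header later than receipt")
    if h["To"].replace(" ", "").lower() != mailbox.lower():
        flags.append("To: is not the mailbox it arrived in")
    parts = attachment.lower().split(".")  # 37679041.pdf.zip -> inner "pdf", outer "zip"
    if (len(parts) > 2 and parts[-2] in {"pdf", "doc", "txt", "jpg"}
            and parts[-1] in {"zip", "exe", "scr", "pif", "com", "bat"}):
        flags.append("double extension ." + parts[-2] + "." + parts[-1])
    return flags
```

Running `audit(HEADERS_005A, MY_MAILBOX, ATTACHMENT)` raises all six indicators for the first copy; a genuine shop receipt sent to your own address with a plain ".pdf" would raise none of the last two.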
Since I have been receiving emails with attachments like this one fairly regularly, the first thing I did was Google for the name (not the extensions) of the file, "37679041", and found a few links where the email was discussed. While my email did not come from a "known" (to me) website, others have received the same email (the product and amounts may change) saying it's from WalMart, Circuit City, Best Buy, etc. Here are a few of them:
- CastleCops :: View topic - Suspect zip attachement spoofed Circuit City sender
- Malware being spammed as PDF from retail stores | Spyware Confidential | ZDNet.com (Quotes the CastleCops' article.)
- Computing Main | Bryn Mawr College Computing
- OSU - IT Announcements Alerts
- Help Desk News and Notes: Fake Email from Best Buy
- Best Buy News Center: Statement: Best Buy Responds to October Consumer Phishing Incident
- Fraud Alert
- Spam Mail With 'Vaio' Order Distributes Malware - SPAMfighter
Copyright © 2003, 2004, 2005, 2006, 2007 by Bill Sanders / Full site last modified: October 21, 2006