Malware Email Example #008 (Order Confirmation number: Z3566043)
Please be sure to read my Malware Home Page
Things I Did, Below
I, personally, receive email in HTML format. The following appears as I received it.
- I removed my email addresses. These came to various accounts and some no longer exist. There are places on this site you can get hold of me if you wish or need to. They are protected from spambots using JavaScript, but all you have to do is click on them.
- All scammer and related email addresses, and any actual website links have been changed, at least putting spaces into them. They appear as underlined blue links, though they aren't.
- Any notes I added in the actual letter are in square brackets ("[" "]"), are bold, red in color, and highlighted. If what I found "behind the links" (email or website) is different from what was displayed, I will include it in this type of note.
- All spelling, spacing, line-wrapping, and punctuation errors are the ones that appeared in the original received email. (I may or may not analyze some or all of these.)
Malware Email Example 008
Received 08/15/2006
Dear Customer,
Thank you for shopping at our shop !
This e-mail is to inform you that your order has been
shipped out.
The following information is for your reference (see
details in the attachment):
* Order No.: Z3566043
* Order Date: 08/13/2006
------------------------------
SUBTOTAL : $1,769.99
SALESTAX : $0.00
SHIPPING : $16.81
TOTAL : $1,786.80
------------------------------
* Ship Via: FDX Overnight Delivery
[Ship Date :] 08/14/2006 [Tracking No:] 708745655472
Please note that if your order includes more than one
package, the
packages may not be delivered at the same time due to
the shipping carrier's
schedule and the delivery method, and this is out of our
control.
In addition, backordered items will be shipped
separately.
You may check the status of your package's progress at
our website.
Simply click on "Customer Service", then log into the
"Member Center".
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Customers who leave comments for us at either
ResellerRatings.com or
Pricegrabber will be eligible to receive a flash drive
or other
cool prize! FOUR drawings will take place every month --
one drawing
from each review site on the 1st and the 15th of every
calendar month.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Thank you for shopping with us!
15% restocking fee applies to all refunds. All products
must be
returned in like-new condition, including original
packaging and
all documentation and accessories. Charges will be
applied for all
missing accessories or parts.
Our shop will not accept items that have been physically
damaged or
misused. Return periods for different product categories
range from
zero to 30 days.
[I left names, email addresses, and phone numbers (except my sister's) in here for the search engines to find. DO NOT TRY TO CONTACT THEM! They sent a virus! -LE]
Example Email 008 Headers
08/15/2006
X-SID-PRA: info @ amazon.com
X-SID-Result: Neutral
X-Message-Info: LsUYwwHHNt3QO7smnk4cJmiqHA478MuF+O4goCRDy1w=
Received: from 85-56-131-8.ali1.adsl.uni2.es ([85.56.131.8]) by bay0-mc11-f16.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
Tue, 15 Aug 2006 13:34:28 -0700
Date: Tue, 15 Aug 2006 20:28:19 -0100
From: info @ amazon.com
X-Priority: 3 (Normal)
Message-ID: <mere.tristate @ quintanaroo.com>
To: jeffereytrevino71 @ hotmail.com
Subject: Order Confirmation number: Z3566043
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------EE781142F14447C"
Return-Path: info @ amazon.com
X-OriginalArrivalTime: 15 Aug 2006 20:34:29.0133 (UTC) FILETIME=[34E983D0:01C6C0AA]
Notes
This looks a lot like the Vaio Order email.
Because there was an executable attachment, I forwarded this to my POP3 email address from one of my hotmail addresses to make sure the attachment was clean. (My virus scanner covers incoming and outgoing messages.)
On its reception, the subject text was changed to:
[WARNING: VIRUS REMOVED] Fw: Order Confirmation number: Z3566043
and the attachment was replaced with a small txt file named "Removed Attachment.txt" (114 bytes) that read:
This attachment contained a virus and was stripped.
Filename: Z3566043.zip
Content-Type: application/x-zip-compressed
Virus(es): Troj/Haxdoor-DA
Something to think about:
A .zip file is normally used to compress files. Text files, though they contain whitespace that compresses well, are not very large, especially single-page ones; even a PDF version of a single-page document will be quite small. Why would any company need to compress one?
As is stated on this site and many others: "If you don't know the person from whom you've received an email, DO NOT OPEN ANY ATTACHMENTS." And be VERY careful even if you DO know from whom it came; THEY could have a virus sending itself around.
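The headers above carry several checks a mail filter could make before anyone decides whether to open the attachment: the claimed amazon.com sender against the ADSL host that actually handed the mail to Hotmail, a Message-ID from a third domain, a Date header ahead of the server's arrival stamp, and a .zip attached to a "shipped" notice. The following is an added Python example, not the page author's code; it rebuilds the page's headers as a constructed sample (anti-spambot spaces removed, a text placeholder where the stripped archive was) and reports those four flags.

```python
import re
from datetime import timedelta
from email import message_from_string, policy
from email.utils import parsedate_to_datetime

# Constructed sample based on the Example 008 headers; the archive body is a placeholder.
SAMPLE = """\
Received: from 85-56-131-8.ali1.adsl.uni2.es ([85.56.131.8]) by bay0-mc11-f16.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
 Tue, 15 Aug 2006 13:34:28 -0700
Date: Tue, 15 Aug 2006 20:28:19 -0100
From: info@amazon.com
Message-ID: <mere.tristate@quintanaroo.com>
Subject: Order Confirmation number: Z3566043
Content-Type: multipart/mixed; boundary="----------EE781142F14447C"
Return-Path: info@amazon.com

------------EE781142F14447C
Content-Type: text/plain

Dear Customer, (body as shown on the page)
------------EE781142F14447C
Content-Type: application/x-zip-compressed; name="Z3566043.zip"
Content-Disposition: attachment; filename="Z3566043.zip"

(placeholder; the real archive was stripped by the scanner)
------------EE781142F14447C--
"""
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed"}

def analyze(raw):
    """Red flags a defender would raise for a message shaped like Example 008."""
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0].domain.lower()
    received = str(msg["Received"])  # topmost hop: the relay the receiving server saw
    m = re.search(r"from\s+(\S+)\s+\(\[[\d.]+\]\)", received)
    relay = m.group(1).lower() if m else ""
    mid = re.search(r"@([^>\s]+)", str(msg["Message-ID"]))
    claimed = parsedate_to_datetime(str(msg["Date"]))
    arrived = parsedate_to_datetime(received.rsplit(";", 1)[1].strip())
    archives = [p.get_filename() for p in msg.iter_attachments()
                if p.get_content_type() in ARCHIVE_TYPES]
    return {
        # claimed sender domain is not where the first hop's reverse DNS lives
        "relay_not_sender_domain": not relay.endswith("." + sender),
        "msgid_domain_mismatch": bool(mid) and mid.group(1).lower() != sender,
        # Date header well after the server's arrival stamp: forged or skewed clock
        "date_after_arrival": claimed - arrived > timedelta(minutes=15),
        "archive_attachment": archives,  # names of zip attachments, if any
    }
```

On this sample all four flags fire, which is the decision the author's scanner reached by other means when it stripped Z3566043.zip.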
Copyright © 2003, 2004, 2005, 2006, 2007 by Bill Sanders / Full site last modified: October 21, 2006
Any reproduction, printing, or selling of this content is prohibited without express written consent from William D. Sanders.