Beware email "PAYPAL.COM NEW YEAR OFFER"


12Wonder
January 15th, 2004, 03:13 PM
Got an email today from "do_not_reply@paypal.com", with a Subject line of "PAYPAL.COM NEW YEAR OFFER", with an attachment. The real, hidden headers indicated it really came from a Yahoo address -- there's a real clue something's fishy. :huh:

Below is the body of the message (I converted the email itself, which arrived as an HTML message, to text and looked at the source code instead of the email itself - always the safest bet):

** GREAT NEW YEAR OFFER FROM PAYPAL.COM **

Dear PayPal.com Member,
We here at PayPal.com are pleased to announce that we have a special New Year offer for you! If you currently have an account with PayPal then you will be eligible to receive a terrific prize from PayPal.com for the New Year. For a limited time only PayPal is offering to add 10 percent of the total balance in your PayPal account to your account and all you have to do is register yourself within the next five business days with our application (see attachment)!

If at this time you do not have a PayPal account of your own you can also register yourself with our secure application and get this great New Year bonus! If you fill out the secure form we have provided PayPal will create an account for you (it's free) and you will receive a confirmation e-mail that your account has been created.

That's not all! If you resend this letter (with its attachment) to all of your friends you may be eligible to receive another New Year bonus because the 1000 PayPal members that send the most of these to their friends will get the bonus. If you are one of these 1000 lucky members then PayPal will add 17 percent of your total balance to your account!

Registration is simple. Just unpack the attachment with WinZip, run the application, and follow the instructions we have provided. If you have problems opening the application then you may want to try downloading a free version of WinZip from http://www.winzip.com

Do not miss your chance at this fantastic opportunity! Thousands of our current customers have already received their prizes and now it's your turn; so hurry up and take advantage of this special offer!

Best of luck in the New Year,
PayPal.com Team

The attachment was named "paypal.zip". A scan with Norton showed nothing wrong with it. But anyone with half a brain would be suspicious of something like this. So I quarantined the email and its attachment, carefully but safely unzipped the attachment and, surprise surprise, the attachment turned out to be a file called "paypal.exe".

Yeah, right, I'm really going to run an executable. :angry: I submitted it to Norton instead.

Here's the general gist of the email I got back from Norton:

result: This file is infected with Download.Trojan

Developer notes:
paypal.exe is non-repairable threat. Please delete this file and replace it if necessary. Please follow the instruction at the end of this email message to install the latest beta definitions.

Symantec Security Response has determined that the sample(s) that you provided are infected with a virus, worm, or Trojan. We have created beta definitions that will detect this threat. Please follow the instruction at the end of this email message to download and install the latest beta definitions.

Various versions of Download.Trojan have been around since 2001, but this one's apparently got a brand new twist.

Moral: If it looks like a duck and walks like a duck, even if it squawks like a goose, it may still be a duck.

Anne
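
Added example, not part of the original post: a small Python triage script that automates the two checks described above, comparing the visible From domain with the envelope sender and listing what is inside a zip attachment without unpacking or running it. The use of the Return-Path header, the `yahoo.example` address and the placeholder attachment bytes are assumptions constructed for the demo; the post does not say which header revealed the Yahoo address.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat")  # illustrative list

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or ''."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()

def triage(raw_bytes):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    # Assumption: Return-Path stands in for the "real, hidden headers".
    from_dom, path_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if path_dom and path_dom != from_dom:
        findings.append(f"From domain {from_dom} != Return-Path domain {path_dom}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
            # Read member names only; nothing is extracted or executed.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(RISKY_EXT):
                        findings.append(f"{name} contains executable {member}")
        elif name.endswith(RISKY_EXT):
            findings.append(f"executable attachment {name}")
    return findings

def build_sample():
    """Constructed message shaped like the one in the post (harmless bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("paypal.exe", b"MZ placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "do_not_reply@paypal.com"
    msg["Return-Path"] = "<sender@yahoo.example>"  # constructed address
    msg["Subject"] = "PAYPAL.COM NEW YEAR OFFER"
    msg.set_content("constructed body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="paypal.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print("\n".join(triage(build_sample())))
```

A clean antivirus scan, as happened here with the first Norton scan, does not clear either finding; both are independent of signature detection.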