
Virus "Trojan horse Injector.FP" Slips Through Postini

by J. Robert Burgoyne — last modified Sep 01, 2009 10:32 PM

True Blade uses Postini for our email virus and spam filtering. Today is the first time I can recall Postini letting a virus through. The email's Subject was "Western Union transfer is available for withdrawl" (the misspelling is the sender's). Technical details of the email and the virus follow.


[Image: virus-2009-09-01.jpg]

Today at 9:56pm I received an email with a virus in an attached zip file. Others are probably receiving the same message, so delete it if you get it.

For testing purposes, I uploaded the zip file to a Linux server and unzipped it to look at what was inside. At that point AVG anti-virus immediately identified the .exe file inside as a virus.

The email came with a .zip attachment named M2f318a54.zip (28,357 bytes).

Inside the zip was an executable, M2f318a54.exe (45,056 bytes), with a file date of Jan 18, 2038. Delete this email if you receive it; do not open the attachment or forward it to others. The email's headers and body follow.
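Unzipping an attachment on a Linux box, as the post does, is reasonable because the .exe cannot run there, but the inspection can be done without extracting anything at all. The following Python script is an added example (not code from the post or from True Blade): it reads a zip in memory, records each member's name, size, timestamp and SHA-256, and flags the indicators this sample showed (an executable extension, an MZ/PE header, a modification time later than the message itself). The sample zips it builds are constructed stand-ins with dummy bytes, not the actual attachment; the extension list and the 1000:1 compression-ratio threshold are my own choices.

```python
import hashlib
import io
import zipfile
from datetime import datetime

# Extensions Windows will run on a double-click; an assumption made for this example.
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".jar", ".dll"}


def triage_zip(data, seen=None):
    """Inspect a zip attachment in memory without writing any member to disk.

    `seen` is when the message arrived; a member stamped later than that is
    flagged (the attachment in the post was dated Jan 18, 2038).
    """
    seen = seen or datetime.now()
    members, findings = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            stamp = datetime(*info.date_time)
            blob = zf.read(info)  # decompressed in memory only, never executed
            members.append({
                "name": name,
                "size": info.file_size,
                "mtime": stamp.strftime("%Y-%m-%d"),
                "sha256": hashlib.sha256(blob).hexdigest(),
            })
            if ext in RISKY_EXT:
                findings.append(f"executable member: {name}")
            if blob[:2] == b"MZ":
                findings.append(f"PE/MZ header in {name}")
            if stamp > seen:
                findings.append(f"timestamp after arrival: {name} dated {stamp:%Y-%m-%d}")
            # Crude zip-bomb guard: documents never inflate anywhere near 1000:1.
            if info.compress_size and info.file_size / info.compress_size > 1000:
                findings.append(f"extreme compression ratio: {name}")
    verdict = "suspicious" if findings else "no obvious indicators"
    return {"members": members, "findings": findings, "verdict": verdict}


def build_sample_zip(payload, name, date_time):
    """Constructed test input: one member with a chosen name and DOS timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(name, date_time=date_time)
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, payload)
    return buf.getvalue()


def triage_samples():
    """Run the triage over a stand-in for the post's attachment (dummy bytes
    behind an MZ prefix, not malware) and over a harmless text file."""
    seen = datetime(2009, 9, 1, 21, 56)  # time the post reports receiving the mail
    bad = build_sample_zip(b"MZ" + bytes(range(256)) * 4, "M2f318a54.exe", (2038, 1, 18, 0, 0, 0))
    ok = build_sample_zip(b"quarterly figures\n", "report.txt", (2009, 8, 31, 9, 0, 0))
    return {"bad": triage_zip(bad, seen), "ok": triage_zip(ok, seen)}


if __name__ == "__main__":
    for label, result in triage_samples().items():
        print(f"{label}: {result['verdict']}")
        for m in result["members"]:
            print(f"  {m['name']}  {m['size']} bytes  {m['mtime']}  sha256={m['sha256'][:16]}...")
        for f in result["findings"]:
            print("  -", f)
```

The hashes are what you would pass to a scanner or a threat-intel lookup; the findings are only heuristics, and a clean result from this script says nothing about a file that uses a benign extension or a non-PE payload, which is why the AV scan the post describes still matters.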


Return-Path: <commiserationep3@sobmen.ru>
Received: from murder ([unix socket])
         by deleted (Cyrus v2.3.7-Invoca-RPM-2.3.7-8.fc6) with LMTPA;
         Tue, 01 Sep 2009 20:56:17 -0400
X-Sieve: CMU Sieve 2.3
Received: from psmtp.com (exprod8mx279.postini.com [64.18.3.77])
        by tok.trueblade.com (Postfix) with SMTP id 478131818164
        for <deleted>; Tue,  1 Sep 2009 20:56:14 -0400 (EDT)
Received: from source ([173.74.55.173]) by exprod8mx279.postini.com ([64.18.7.10]) with SMTP;
        Wed, 02 Sep 2009 00:56:16 GMT
Received: from 173.74.55.173 by mail.sobmen.ru; Tue, 1 Sep 2009 20:56:09 -0500
Message-ID: <000d01ca2b68$28a0f230$6400a8c0@commiserationep3>
From: "Misty Fournier" <commiserationep3@sobmen.ru>
To: <deleted>
Subject: Western Union transfer is available for withdrawl
Date: Tue, 1 Sep 2009 20:56:09 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_NextPart_000_0006_01CA2B68.28A0F230"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-pstn-neptune: 45/43/0.96/77
X-pstn-levels:     (S: 0.06505/99.18051 CV: 0.0000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )

This is a multi-part message in MIME format.

------=_NextPart_000_0006_01CA2B68.28A0F230
Content-Type: text/plain;
        format=flowed;
        charset="iso-8859-1";
        reply-type=original
Content-Transfer-Encoding: 7bit

Hello.

The amount of money transfer: 2111 USD.
Money is available to withdrawl.

You may find the MTCN number and receiver's details in document attached to this email.

Western Union.
Financial Services.
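Reading the Received chain is how you establish where a message actually entered your mail path. The Python below is an added example, not part of the post: it parses the headers quoted above (re-folded so they parse, with the same <deleted> placeholders), walks the chain newest hop first for as long as the receiving host is one we or Postini operate (that trusted set is an assumption taken from these headers, with "deleted" standing for the anonymized Cyrus host), reports the connecting IP at the last trusted hop, and treats any Received line below that point as unverifiable because it was written by the sending side. It also compares the Date: header against the time of that trusted handoff.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Headers as quoted in the post, re-folded so the parser accepts them; the body is
# cut to one line because only the headers are examined here.
RAW_MESSAGE = """\
Return-Path: <commiserationep3@sobmen.ru>
Received: from murder ([unix socket])
         by deleted (Cyrus v2.3.7-Invoca-RPM-2.3.7-8.fc6) with LMTPA;
         Tue, 01 Sep 2009 20:56:17 -0400
X-Sieve: CMU Sieve 2.3
Received: from psmtp.com (exprod8mx279.postini.com [64.18.3.77])
        by tok.trueblade.com (Postfix) with SMTP id 478131818164
        for <deleted>; Tue,  1 Sep 2009 20:56:14 -0400 (EDT)
Received: from source ([173.74.55.173]) by exprod8mx279.postini.com ([64.18.7.10]) with SMTP;
        Wed, 02 Sep 2009 00:56:16 GMT
Received: from 173.74.55.173 by mail.sobmen.ru; Tue, 1 Sep 2009 20:56:09 -0500
Message-ID: <000d01ca2b68$28a0f230$6400a8c0@commiserationep3>
From: "Misty Fournier" <commiserationep3@sobmen.ru>
To: <deleted>
Subject: Western Union transfer is available for withdrawl
Date: Tue, 1 Sep 2009 20:56:09 -0500
X-Mailer: Microsoft Outlook Express 6.00.2900.2180

Hello.
"""

# Hosts whose Received stamps we trust: our own servers and the Postini MX.
# "deleted" is the anonymized Cyrus host in the quoted headers (assumption).
TRUSTED_HOSTS = frozenset({"deleted", "tok.trueblade.com", "exprod8mx279.postini.com"})

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>[^\s;]+)", re.I)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def trace_origin(raw, trusted_hosts=TRUSTED_HOSTS):
    """Walk the Received chain newest-first and stop at the first untrusted relay."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received") or []:  # header order: newest hop first
        text = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue
        comment = m.group("comment") or ""
        ips = IP_RE.findall(comment) or IP_RE.findall(m.group("helo"))
        when = parsedate_to_datetime(text.rsplit(";", 1)[-1].strip())
        hops.append({"helo": m.group("helo"), "ip": ips[0] if ips else None,
                     "by": m.group("by"), "time": when})

    origin_ip, handoff_time, unverifiable = None, None, []
    for i, hop in enumerate(hops):
        if hop["by"] not in trusted_hosts:
            unverifiable = hops[i:]  # written by the sender's side; cannot be checked
            break
        if hop["ip"]:
            origin_ip, handoff_time = hop["ip"], hop["time"]

    claimed = parsedate_to_datetime(msg["Date"])
    skew = int((claimed - handoff_time).total_seconds()) if handoff_time else None
    return {"hops": hops, "origin_ip": origin_ip, "unverifiable": unverifiable,
            "date_skew_seconds": skew}


def trace_sample():
    return trace_origin(RAW_MESSAGE)


if __name__ == "__main__":
    result = trace_sample()
    for hop in result["hops"]:
        print(f'{hop["time"].isoformat()}  {hop["ip"] or "-":15} -> {hop["by"]}')
    print("origin ip:", result["origin_ip"])
    print("unverifiable hops:", [h["by"] for h in result["unverifiable"]])
    print("Date header minus trusted handoff (s):", result["date_skew_seconds"])
```

For this message the last hop Postini recorded came from 173.74.55.173, and the line claiming a relay through mail.sobmen.ru sits below that point, so nothing it says can be checked. The Date: header is also about an hour later than the moment Postini accepted the message; on its own that only says the sending side's clock does not agree with the receiving side's, but it is the kind of detail worth recording alongside the attachment hashes when you report a sample.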
