WARNING Vodafone MMS email threat


1 reply to this topic

#1 Welephant

Welephant

  • Members
  • 15 posts
Posted 15 November 2012 - 05:17 AM

This morning I received an innocent looking email from Vodafone Australia informing me I had a picture\video message from an Australian mobile number. Nothing unusual there as I'm located in the UK and friends and family are in OZ. However the mobile number was unknown to me and on checking the attached JPEG Zip file it opens as an exe and invites you to run it.

Having just cleared out some redirection malware I was not going to risk this one so if you receive a message like this and don't recognise the number DO NOT RUN IT.

In an attempt to find who had sent me the picture I called the phone number however according to Voda it is not connected.

Searching the web revealed two items relating to this:

http://www.hotforsecurity.com/blog/malware-infects-uk-vodafone-clients-with-mms-disguise-4335.html

http://www.h-online.com/security/news/item/Malware-disguised-as-an-MMS-message-1743608.html

The first identifies the virus as Trojan Gamarue; the second warns that the messages say that a picture message is in the attached "Vodafone_MMS.zip" file. However, once unzipped, it only contains an executable named "Vodafone_MMS.jpg.exe" that will install malware onto a victim's system when launched. According to VirusTotal, the malware is currently only detected by just 8 of 44 anti-virus programs used by the online virus scanner service.
An analysis of the file in a sandbox leaves no doubts about its malicious intentions: among other things, it copies itself to C:\Documents and Settings\All Users\svchost.exe and then hides itself under SunJavaUpdateSched to launch when Windows first boots.

Keep alert and keep safe!



#2 Icanhazrootkit

Icanhazrootkit

  • Members
  • 51 posts
Posted 20 November 2012 - 03:51 AM

...if you receive a message like this and don't recognise the number DO NOT RUN IT.


I suggest that even if you DO recognize it, don't open it.
People tend to trust services which they associate with people they trust, and they shouldn't.
The malware author wins the first round of the fight to get his malware onto your system by default when a user ascribes an inappropriate level of trust to something that is not actually their friend, but with which they associate their friend.

My Friend's Service Accounts (email, facebook account, phone number, etc) =/= My Friend.


I also suggest changing Windows folder view options to uncheck the box for "hide extensions for known file types."
The reason is that naming a file CuteKitten.jpg.exe doesn't change the fact that it is still an executable, but if you have that option checked what you will see is CuteKitten.jpg.
With this option checked, what you should see for a real JPG would just be CuteKitten because JPG is also a known file type, but in your mind what you might think you see is a JPG file because the .exe extension is hidden.

Hiding information from yourself in this way leaves you open to that split second between your finger automatically clicking the mouse button to see the picture and your brain saying "AArrgh! NO! that's not a picture."
This is in my opinion a HORRIBLE default file view option.
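
Added example, not part of either post above: a Python check that lists members of a zip attachment whose real extension is executable while the name shown with "hide extensions for known file types" enabled ends in an image or document extension. The extension lists and function names are assumptions made for illustration, and the sample archive is constructed in memory with harmless placeholder bytes.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed, non-exhaustive lists for illustration; tune for your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}


def explorer_display_name(name: str) -> str:
    """Name shown when the last extension is hidden (assumes it is a
    registered file type, as .exe and .jpg are on a default install)."""
    p = PurePosixPath(name.replace("\\", "/"))
    return p.stem if p.suffix else p.name


def suspicious_entries(zip_bytes: bytes) -> list[dict]:
    """Return archive members whose final extension is executable but
    whose second-to-last extension imitates an image or document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            p = PurePosixPath(info.filename.replace("\\", "/"))
            suffixes = [s.lower() for s in p.suffixes]
            if (len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS
                    and suffixes[-2] in DECOY_EXTS):
                findings.append({
                    "member": info.filename,
                    "shown_as": explorer_display_name(info.filename),
                    "real_ext": suffixes[-1],
                })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: placeholder bytes, file name taken from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Vodafone_MMS.jpg.exe", b"placeholder, not a real program")
        zf.writestr("holiday.jpg", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for f in suspicious_entries(build_sample_zip()):
        print(f"{f['member']} displays as {f['shown_as']} but is {f['real_ext']}")
```
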



