Numerous cases of email masquerade have occurred, normally disguising the sender as someone you know or trust. Such emails normally contains attachments with infectious worm/virus codes or are simply scams or spam mails.
To lure the user to activate the infection or to send back useful information, these masquerading emails even offer tempting reasons to click on a link that would start the infection, for example:
|"If the message will not displayed automatically, follow the link to read the delivered message."|
New and unweary users may get curious and click on the link to check it out.
Presented below are some useful information, to create a greater awareness of masquerading emails and reduce the number of incidence of infection:
- News on Worms/Scam/Spam
- News on Scams and Spam emails
- Checking for Infection
- My Computer is infected !
- Quickfix to Stop this worm
- Help from Power Users
Posted on 20-Jan-2004
Webmaster, Newlook Marketing
Caution to all registered PayPal members: a mass-mailing worm W32.Mimail.I@mm has been masquerading PayPal.com under the email firstname.lastname@example.org.
The email message:
Subject: your account obpocosa
I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.
Best regards, Administrator
DO NOT OPEN the attachment 1.txt (the attachment name may differ). Of course, the email is not from us. The infected email is from a user who has our email address in their address book.
Read on below on how to handle an infection. Get a free removal tool to clean the infections of W32.Mimail.I@mm, developed by Symantec Security Response.
Posted on 2-Dec-2003
Webmaster, Newlook Marketing
Caution to all registered PayPal members: a mass-mailing worm W32.Mimail.I@mm virus has been masquerading PayPal.com under the email email@example.com.
The email message:
|From: PayPal.com <firstname.lastname@example.org>|
To: Sherisse <email@example.com>
Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES
Dear PayPal member,
PayPal would like to inform you about some important information regarding your PayPal account. This account, which is associated with the email address
will be expiring within five business days. We apologize for any inconvenience that this may cause, but this is occurring because all of our customers are required to update their account settings with their personal information.
We are taking these actions because we are implementing a new security policy on our website to insure everyone's absolute privacy. To avoid any interruption in PayPal services then you will need to run the application that we have sent with this email (see attachment) and follow the instructions. Please do not send your personal information through email, as it will not be as secure.
IMPORTANT! If you do not update your information with our secure application within the next five business days then we will be forced to deactivate your account and you will not be able to use your PayPal account any longer. It is strongly recommended that you take a few minutes out of your busy day and complete this now.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an automated message system and the reply will not be received.
Thank you for using PayPal.
DO NOT OPEN the attachment www.paypal.com.scr (some computer may show the attachment name as www.paypal.com). Do not response to the email.
W32.Mimail.I@mm is a mass-mailing worm that attempts to steal credit card information. The worm displays a form that asks the user to enter their credit card information.
Read on below on how to handle an infection.
Get a free removal tool to clean the infections of W32.Mimail.I@mm, developed by Symantec Security Response.
Posted on 27-Apr-2003 Singapore time
Webmaster, Newlook Marketing
A mass-mailing worm W32/Ganda.A@mm has been masquerading us (Newlook Marketing) under the user email firstname.lastname@example.org. We became aware of this after we received several rejected emails indicating the users are non-existent. We have sought SingNet Network Security Team for help.
A quick guideline:
|Do not open any mails containing .SCR (screen savers) attachments.|
Users using web-based email are probably safe from this worm.
Checking for Infection
To check if you are infected by this virus, try the following steps:
- If you have an anti-virus software installed, it is recommended that you update the latest virus definition file and scan the whole computer for possible virus infection.
- Download a free virus scanning program from Symantec to check for any infection at http://security.symantec.com/ssc/lunavbrk.asp. A security warning about installing Symantec Security Check Utilities will appear; click Yes to proceed.
- This 1.5Mb scanning program takes about 10 minutes for a 28.8Kbps modem to download.
- The warning will appear several times during the download; click Yes to proceed.
- After the downloading has completed, the program will automatically starts to scan your
harddisk for known viruses and Trojan horse.
- This program will not examine compressed files and will not fix files it finds to be infected.
- Please note that no personal or computer-specific information is submitted to Symantec during or after the scan. You will be given the option to submit the anonymous scan results to Symantec.
Cleaning of "about:blank" Browser Hijacker. When you launch the Internet Explorer, does the URL keep going to 'about:blank' and the browser shows links or popup windows of V*iagra or p*orn site? Here's a fix to remove the offending program.
What is IP Address?
IP (Internet Protocol) address serves as a unique identifier when you connects to the Internet. It is a 32-bit numeric address written as four numbers separated by periods. For example, 18.104.22.168 could be an IP address.
IP address are assigned by 4 regional Internet registries -- ARIN, LACNIC, RIPE NCC and APNIC.
Your IP address normally is different everytime you connect as a new session onto the Internet (via your ISP). The IP address for broadband users may be static (fixed), depending on your ISP.
For the current connection, your IP address is:
If you are using a router/proxy, then this IP address may not be correct.
Although the worm has 'masqueraded' the email address, it cannot do likewise to the IP address, which is the true IP address of the sender infected with the worm. If the email IP address matches yours, then you could be that infected sender; this may not be true for modem users where the IP is shared and reused by other users.
What is the email IP address. To know the IP address:
- Outlook Express: Right-click the email, select Properties, Details, Message Source.... The first line showing "Received: from ..." contains the IP address of the sender.
- Microsoft Outlook: Open the email, click File, Properties, Internet. The first line "Received: from ..." contains the IP address of the sender.
My Computer is infected !
- If your computer has been found to be infected, please submit your scan results to Symantec
to help to stop the spread of the virus.
- For power users, we need your help to stop this worm from spreading further. Please refer to the section Help from Power User below.
- If you have an anti-virus software installed, update the latest virus definition file to clean the infected files and programs.
- If you do not have an anti-virus software installed, you may want to try our quick-fix guidelines to stop the worm from spreading further.
Quickfix to Stop this worm
Please take note that the following guidelines are provided by Newlook Marketing merely as a quick-fix for users without any anti-virus software, to temporary stop the worm from spreading further. Try it at your own risk. Novice users are adviced not to attempt this procedure.
Guidelines for Windows 95/98/2000/NT users are as follows; please follow the steps closely:
- Stop the Internet connection. Switch off your modem (either external dialup or broadband) or pull out the phone cable from your internal modem.
- Launch you email client program.
- Highlight all emails from email@example.com (or any other emails) with .scr attachment and has the subject line matching one of the worm's subject lines listed above. Hold down the <Shift> key and press the <Del> key to remove them permanently.
- Close your email program.
- At the Windows taskbar (bottom of screen), click Start, Run... and type in REGEDIT. Click OK.
- Expand by clicking the symbol for the following lines in sequence:
- Click the line Run from the pane on the right, right-click the line that shows either
and select Delete.
Note: This deletion step is specifically for W32/Ganda.A@mm worm only. For other worms/virus, the filename would be different. Do not delete scandisk.exe if you are not sure of the name of the infection.
- Close the Registry program.
- Open Windows Explorer and delete the file
C:\WINDOWS\SCANDISK.EXE (Windows 95/98)
C:\WINNT\SCANDISK.EXE (Windows 2000/NT)
- Close Windows Explorer.
- Reboot Computer
The worm has been stopped for the time being. Start getting your virus definition updates or purchase and install an anti-virus software.
Help from Power Users
If you are not using either Outlook express or Microsoft Outlook, skip this section.
For power user, we need a favour from you to trace the email source so that the actual infected user (not the sender) could be notified of the virus infection. Please use the following steps:
- Click (not double-click) to highlight any email having one of the subject lines mentioned at the beginning of the webpage.
- Click File, Properties.
- If you are using Outlook Express, click the Details tab, Message Source.... Then press Ctrl-A to select all message text and press Ctrl-C to copy message text.
- If you are using Microsoft Outlook, click the Internet tab and press Ctrl-C to copy message text.
- Close the popup window.
- Open a new mail.
- Attention the email to firstname.lastname@example.org.
- In the message text area, click Edit, Paste.
- Send out the email.
Thank you for your valuable time to help to stop this worm from spreading further.
- Newlook Marketing is not an agent of Singnet Pte Ltd nor part of SingNet Network Security Team.
- Newlook Marketing is not an agent of Symantec nor do we sell any anti-virus software.
- Symantec is a registered trademark of Symantec Corporation.
- Any suggestions indicated in this page are solely the expressed views of Newlook Marketing. Users that choose to follow the guidelines above are doing it at their own risk.
If you have any query, comments or feedback, please feel free to contact us in any of the following ways:
My Mail Box (Business) No. 880159