BitDefender versus Win32.Worm.Downadup.C
March 11, 2009 by Gary Illyes
Filed under iNews
BitDefender announced that it has detected a new variant of the Downadup worm, which spreads through a vulnerability in the Windows RPC Server service, and that it is the first AV vendor to offer a free tool that disinfects all versions of Downadup. The tool is available to all infected users at: http://bdtools.net.
Gone fishing… Sorry: phishing – FDIC.gov
October 9, 2008 by Gary Illyes
Filed under Online Security
Another phishing email, this time claiming to come from the FDIC, an agency independent of the Federal Government that acts as an insurer to the nation’s financial institutions. The message came from the following email address: Investigation@FDIC.gov. The address is forged, most likely with PHP, as the message header also contained a PHP signature. The phisher wasn’t too smart, as the sender’s IP address was clearly unchanged.
The text was the following:
Dear bank account owner,
Funds wired into your account are stolen from innocent account holders through Identity Theft. Please check your account statement (the statement is attached to this letter) and contact your bank account manager.
Federal Deposit Insurance Corporation
The attachment mentioned in the email body is a Windows executable called statement.exe. It is badware with only one function: to send all the saved private data to a Nigerian server.
Please do not open ANY attachment if you don’t trust the sender. If in doubt, either delete it or go to the sender’s domain and try to find details about the attachment. If you decide to delete it, don’t worry: if the attachment was legitimate and important, you can always ask the sender to send the message again.
If you got this or a similar mail, I’d be interested in how you recognized it as phishing, or what happened when you installed the badware or clicked the link if there was one.
Sharing your experience can help others, too, so please share your thoughts.
Gone fishing… Sorry: Phishing – Wachovia Treasury
October 8, 2008 by Gary Illyes
Filed under Online Security
If you’re a Wachovia customer, please be aware that an extremely active phishing attack is currently in progress. You receive emails asking you to download some badware from a fake website. Once installed, the badware starts to collect all the data that the browsers, especially IE, have stored, including passwords, and sends the data over TCP to a remote server.
The phishers are using the following text:
WACHOVIA CORPORATION NOTICE.
At Wachovia we’ve re-imagined what’s possible for online cash management.
The next step in the transformation of Wachovia Connection is access through a new Wachovia Security Plus Certificate.
This will allow you to access securely the Wachovia Connection and other online services.
All users will be notified and must manually install the Wachovia Security Plus Certificate.
Installation takes about two minutes.
Start installation process now>>
Sincerely, Booker Hemphill.
2008 Wachovia Corporation.
All rights reserved.
Update: Just got another one:
WACHOVIA CORPORATION NOTICE.
Citigroup announced a buyout of Wachovia brokered by the FDIC moments ago.
All Wachovia bank locations will be in the Citigroup merger to prevent failure of Wachovia.
The Citigroup/Wachovia would focus on upgrading banks’ security certificates.
All Wachovia customers must fill the forms and complete installation of new Citigroup Standard digital signatures during 48 hours.
Please follow the installation steps below:
Sincerely, Rudy Kane.
2008 Wachovia Corporation.
All rights reserved.
As always, the message header contains some crucial information: the sender is from Romania, and the message was sent from the IP block 83.103.160.128 – 83.103.160.143, which is under AstralTelecom’s administration.
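The header checks described in these two posts (a PHP signature in the header, and a sender IP that can be matched against a known block) can be scripted. The following is an added example, not part of the original posts; the sample header, the host names and the function names are constructed for illustration, and only the IP range comes from the text above.

```python
import email
import ipaddress
import re
from email import policy

# The range quoted in the post (83.103.160.128 - 83.103.160.143) as one CIDR.
REPORTED_BLOCK = ipaddress.ip_network("83.103.160.128/28")
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample header for illustration, not a real captured message.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.org with ESMTP id abc123; Wed, 8 Oct 2008 10:00:02 +0000
Received: from webhost.example.com (unknown [83.103.160.130])
\tby mx.example.net with SMTP id def456; Wed, 8 Oct 2008 10:00:00 +0000
From: Online Banking <alerts@bank.example>
To: customer@example.org
Subject: Security certificate notice
X-Mailer: PHP/5.2.6

(body omitted)
"""

def relay_ips(msg):
    """IPv4 addresses recorded in Received headers, newest hop first."""
    ips = []
    for hop in msg.get_all("Received", []):
        for text in BRACKETED_IPV4.findall(str(hop)):
            try:
                ips.append(ipaddress.ip_address(text))
            except ValueError:  # malformed literal such as [999.1.1.1]
                continue
    return ips

def php_markers(msg):
    """Headers that point to a PHP script as the sending program."""
    return {name: str(value) for name, value in msg.items()
            if name.lower().startswith("x-php-")
            or (name.lower() == "x-mailer" and "php" in str(value).lower())}

def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    ips = relay_ips(msg)
    # The last Received header is the earliest hop. Hops below the one your
    # own mail server added are sender-controlled and can be forged.
    origin = ips[-1] if ips else None
    return {"from": str(msg["From"]), "hops": [str(ip) for ip in ips],
            "origin": str(origin) if origin else None,
            "in_reported_block": origin is not None and origin in REPORTED_BLOCK,
            "php_markers": php_markers(msg)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The From line plays no part in the verdict, since it is the one field the sender sets freely.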
Do not click anything in suspicious emails! If they talk about a new feature from your online bank, first open a web browser window, type the bank’s address in the address bar and try to find the information directly from the provider.
Never trust emails!
