[unisog] UPDATE : Phishing targeting Universities

Michael Holstein michael.holstein at csuohio.edu
Fri Jun 18 18:43:58 GMT 2004

I have updated information on the "phishing" attempt that tried to trick
prospective students into coughing up financial information. I was able
to recover the original attachment from one of the targeted students and
I've posted it for anyone that wants to take a crack at it :


(sorry about the "freebie" website .. it was faster than trying to get
approval to post it on one of our public webservers .. but hey, I get
"free no-popup service for the first 7 days")

The ZIP file was not encrypted, and using GNU zip, extracts as follows :

MD5(Xmailer.exe)= 964482045fc8ac3cdf55af09a9bef066
MD5(mailer.zip)= 52bf26fc1945f54daaa24f11ef6995cb

McAfee (command-line, for UNIX) doesn't find anything in either of these

bash-2.05b$ uvscan --version
Scan engine v4.3.20 for BSD.
Virus data file v4367 created Jun 16 2004
Scanning for 92006 viruses, trojans and variants.

bash-2.05b$ uvscan --secure --unzip -v -r infected/
Scanning /home/mholstei/infected/*
Scanning file infected/Xmailer.exe
Scanning file infected/Xmailer.exe/XMAILER.EXE
Scanning file infected/Xmailer.exe/SMTP.OCX
Scanning file infected/mailer.zip
Scanning file infected/mailer.zip/XMAILER.EXE
Scanning file infected/mailer.zip/XMAILER.EXE/XMAILER.EXE
Scanning file infected/mailer.zip/XMAILER.EXE/SMTP.OCX
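As an added example (not the poster's code or McAfee's), the following Python script does the same kind of triage uvscan's output shows above: it opens a ZIP in memory, records whether each member is encrypted, hashes it, checks the first bytes for an MZ (Windows executable) header, and recurses into nested archives, including a self-extracting EXE that carries a ZIP after its stub. The watchlist holds the two MD5s reported in the post; the sample archive is constructed inline (a few dummy bytes standing in for XMAILER.EXE and SMTP.OCX), so its hashes will not match the watchlist, and the MZ stub is a placeholder, not a real PE.

```python
import hashlib
import io
import zipfile
from typing import Dict, List

# MD5s reported in the post for the recovered attachment (watchlist).
WATCHLIST_MD5 = {
    "964482045fc8ac3cdf55af09a9bef066": "Xmailer.exe",
    "52bf26fc1945f54daaa24f11ef6995cb": "mailer.zip",
}

EXEC_EXTENSIONS = (".exe", ".ocx", ".dll", ".scr", ".com", ".pif", ".bat")
MAX_DEPTH = 3  # stop recursing into archives nested deeper than this

# Constructed stand-in contents; not the real malware bytes.
SAMPLE_EXE_BYTES = b"MZ" + b"\x90" * 64
SAMPLE_OCX_BYTES = b"MZ" + b"\x00" * 32


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def triage_zip(data: bytes, path: str = "mailer.zip", depth: int = 0) -> List[Dict]:
    """Walk a ZIP held in memory and return one record per member.

    Nested ZIPs and SFX executables (MZ header with a ZIP appended) are
    opened recursively, so the paths mirror uvscan's archive/member notation.
    """
    records: List[Dict] = []
    if depth > MAX_DEPTH:
        return records
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member_path = f"{path}/{info.filename}"
            rec = {
                "path": member_path,
                "size": info.file_size,
                # bit 0 of the general-purpose flag marks an encrypted entry
                "encrypted": bool(info.flag_bits & 0x1),
                "md5": None,
                "is_pe": False,
                "executable_ext": info.filename.lower().endswith(EXEC_EXTENSIONS),
                "on_watchlist": False,
            }
            if info.is_dir() or rec["encrypted"]:
                # Encrypted entries cannot be hashed or scanned without the password.
                records.append(rec)
                continue
            content = zf.read(info)
            rec["md5"] = md5_hex(content)
            rec["is_pe"] = content[:2] == b"MZ"
            rec["on_watchlist"] = rec["md5"] in WATCHLIST_MD5
            records.append(rec)
            # zipfile locates the central directory from the end of the data,
            # so a ZIP with an SFX stub prepended is still readable.
            if zipfile.is_zipfile(io.BytesIO(content)):
                records.extend(triage_zip(content, member_path, depth + 1))
    return records


def executables(records: List[Dict]) -> List[str]:
    """Paths of members that look like Windows executables by header or extension."""
    return [r["path"] for r in records if r["is_pe"] or r["executable_ext"]]


def watchlist_hits(records: List[Dict]) -> List[str]:
    return [r["path"] for r in records if r["on_watchlist"]]


def build_sample() -> bytes:
    """Constructed mailer.zip -> XMAILER.EXE (SFX) -> {XMAILER.EXE, SMTP.OCX}."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("XMAILER.EXE", SAMPLE_EXE_BYTES)
        zf.writestr("SMTP.OCX", SAMPLE_OCX_BYTES)
    # Placeholder SFX stub: an MZ header followed by the inner archive.
    sfx = b"MZ" + b"\x00" * 62 + b"<constructed sfx stub>" + inner.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("XMAILER.EXE", sfx)
    return outer.getvalue()


if __name__ == "__main__":
    for r in triage_zip(build_sample()):
        print(f"{r['path']:45} enc={r['encrypted']!s:5} pe={r['is_pe']!s:5} md5={r['md5']}")
```

Run against a real attachment with `triage_zip(open("mailer.zip", "rb").read())`; a member flagged `is_pe` inside an archive that arrived by mail is worth quarantining regardless of what the signature scanner says, since, as the uvscan output above shows, a fresh sample can be missed entirely.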

The original "Phish" message is below :

--- snip ---

Dear Student:

I am pleased to inform you that you have been offered a Research
Assistantship with your department. The modified I20 is being processed
and will be dispatched shortly. Please confirm your acceptance by
sending the mailing charges of $50 for DHL or $15 for Registered mail.

You may use the attached Encrypted Mailer to mail in your detailed
credit card information. Please mention your preferred mode of mailing
for your I20 as well. Your I20 will be dispatched as soon as your card
is charged for the required sum.

You are also required to return the I20 that was originally sent to you
as soon as it reaches you. Please note that this is required in order to
re-register you on the SEVIS database without which you will be unable
to attend your Visa Interview.

(attachment: mailer.zip)

--- snip ---