I.T. Mate Knowledge Base - KBID# 26
[ALERT] E-mail claiming to come from I.T. Mate (KBID# 26)
This document is intended as a warning concerning virus-infected e-mails that claim to come from I.T. Mate e-mail accounts.
The majority of the e-mails claim to require verification, confirmation or re-application of user accounts, either by downloading a file or by opening an attachment.
Users should note that the only time you will EVER receive such e-mails from I.T. Mate is when registering for a service such as sGB or the newsletter, or when requiring support/sending comments. Even then, we NEVER ask you to open attachments or link directly to files unless YOU specifically ask for such.
First discovered: May 16th 2005.
Over the past week or so, there have been e-mails circulating that claim to originate from it-mate.co.uk and mysteryfcm.plus.com/net e-mail addresses. To date, the subjects and accounts used include:
Note: with the exception of "services", none of the above accounts actually exist (none of these accounts are valid on our mysteryfcm.plus.com mail server).
best regards - As of 04-08-2006
*DETECTED* ONLINE USER VIOLATION
Email Account Suspension
*IMPORTANT* Your Account Has Been Locked
Notice: **Last Warning**
Notice:***Your email account will be suspended***
Notice of account limitation
Warning Message: Your services near to be closed.
*WARNING* Your Email Account Will Be Closed
YOUR EMAIL ACCOUNT IS SUSPENDED FOR SECURITY REASONS
Your email account has been blocked
Your email account access is restricted
You have successfully updated your password
Your password has been successfully updated
The e-mails arrive with a virus-infected attachment of varying names, including:
archive.doc[many spaces].exe - As of 09-08-2006
archives.doc[many spaces].exe - As of 09-08-2006
outbox.doc[many spaces].exe - As of 04-08-2006
payment.doc[many spaces].exe - As of 09-08-2006
Investigation of these e-mails has found the attachments to be infected with the Mytob and Netsky worms and, as of August 4th 2006, the Win32.Bagz.[letter] worms (see below for removal tools). The servers being used to send these e-mails appear to be located in Israel (126.96.36.199 - *.barak.net.il) and Italy (188.8.131.52 - *.fastres.net), neither of which has changed since it was first discovered.
As these e-mails have not been sent by myself, I would like to warn everyone that receives such an e-mail to delete it immediately. DO NOT OPEN IT! The only time you will receive an e-mail from ourselves is if you have:
1. Sent a support request to us
2. Registered for one of our online services*
*With the exception of our newsletter, you will only ever be sent a maximum of 2 e-mails when you register for one of our services (one to ask you to confirm the registration and the second to confirm your account has been created), no further e-mails shall be sent.
In addition, we NEVER send e-mails via the PLUS server (plus.com, plus.net) and NEVER send attachments.
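A mail filter can check for both points made above: the real extension hidden behind a run of spaces in the attachment name, and the rule that genuine I.T. Mate mail never carries an attachment. The following Python is an added example, not part of the original article or I.T. Mate's own tooling; the function names, the sample message and the extensions beyond .exe and .pif are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Sender domains the advisory lists as being spoofed.
SPOOFED = {"it-mate.co.uk", "mysteryfcm.plus.com", "mysteryfcm.plus.net", "mysteryfcm.co.uk"}
# .exe and .pif are named in the advisory; the other extensions are assumed additions.
EXEC_EXT = ("exe", "pif", "scr", "com", "bat", "cmd")
# Document-style extension, a run of whitespace, then an executable extension.
PADDED = re.compile(r"\.\w{1,5}\s{2,}\.(?:%s)$" % "|".join(EXEC_EXT), re.I)

def check_filename(name):
    """Return the reasons an attachment name is suspicious (empty list if none)."""
    name = (name or "").strip()
    _, dot, ext = name.rpartition(".")
    reasons = []
    if dot and ext.lower() in EXEC_EXT:
        reasons.append("executable extension")
    if PADDED.search(name):
        reasons.append("extension hidden behind whitespace padding")
    return reasons

def check_message(raw):
    """Return (filename, reason) pairs for every suspicious attachment in a raw message."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    for fname in names:
        if domain in SPOOFED:
            # The advisory states that I.T. Mate never sends attachments.
            findings.append((fname, "attachment on mail claiming an I.T. Mate sender"))
        findings.extend((fname, r) for r in check_filename(fname))
    return findings

# Constructed sample message (hypothetical sender address), not a captured one.
SAMPLE = "\n".join([
    "From: someone@it-mate.co.uk",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="payment.doc' + " " * 30 + '.exe"',
    "",
    "(payload omitted)",
    "--b1--",
])

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

The From header is trivially forged, so the sender check only decides which policy to apply; the filename checks apply to mail from any sender.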
Should your system become infected as a result of these e-mails, you may use one or more of the following removal tools to clean the infection.
NetSky removal tool
Symantec NetSky Removal Tool (FxNetsky.exe - 150K)
Bit Defender NetSky Removal Tool (Antinetsky-EN.exe - 59K)
http://www.bitdefender.com/html/free_tools.php?menu_id=20&letter=&page=6 (Link disabled 24/11/2017, URL is now a 404 and Antinetsky-EN.exe doesn't appear to be available from their new site)
MyTob (aka MyDoom) removal tools
Symantec MyDoom Removal Tool (FxMyDoom.exe - 158K)
Win32.Bagz.[Letter] removal tools
The [Letter] will depend on the antivirus vendor (it's known as A, B, C, D and even E). Unfortunately I am not aware of any individual removal tools for this worm at present. However, the following vendors' trial/home versions will remove it for you.
As of 13-06-2005, the following article is available from mvps.org
Attack of the Mytob worms - Several new variants
Direct links to files
As of August 1st 2006, we also started receiving e-mails claiming to come from ourselves that asked us to download a .pif file from a web server.
At the time of writing, the server did not appear to be active. However, users should be EXTREMELY careful when links are present in e-mails.
I.T. Mate websites reside on the following servers ONLY.
Malicious e-mail update
WARNING: Virus infected e-mail claiming to come from I.T. Mate
The information in this article applies to:
- All e-mail addresses containing it-mate.co.uk
- All e-mail addresses containing mysteryfcm.plus.com
- All e-mail addresses containing mysteryfcm.plus.net
- All e-mail addresses containing mysteryfcm.co.uk
Published: 25/05/2005 15:26:36
Updated: 24/11/2017 11:28:46