I.T. Mate Knowledge Base - KBID# 26

[ALERT] E-mail claiming to come from I.T. Mate (KBID# 26)

Overview

This document is intended as a warning concerning virus infected e-mails that claim to come from I.T. Mate e-mail accounts.

The majority of the e-mails claim to require verification, confirmation or re-application of user accounts via either downloading a file or opening an attachment.

Users should note that the only time you will EVER receive such e-mails from I.T. Mate is when registering for a service such as sGB or the newsletter, or when requiring support/sending comments. Even then, we NEVER ask you to open attachments or link directly to files unless YOU specifically ask for such.

More Information

First discovered: May 16th 2005.

Over the past week or so, there have been e-mails circulating that claim to originate from it-mate.co.uk and mysteryfcm.plus.com/net e-mail addresses. To date, the subjects and accounts used include:

Accounts

Admin
Administrator
Host
Hostmaster
Info
Information
Mail
Register
Service
Services
Support
Staff
Webmaster

Note: with the exception of "services", none of the above accounts actually exist (none of these accounts are valid on our mysteryfcm.plus.com mail server).

Subjects

[random letters]
ACCOUNT ALERT
best regards - As of 04-08-2006
*DETECTED* ONLINE USER VIOLATION
Email Account Suspension
Hello
Important Notification
*IMPORTANT* Your Account Has Been Locked
Lbzwzzi
Members Support
Notice: **Last Warning**
Notice:***Your email account will be suspended***
Notice of account limitation
Security Measures
Suspended Account
Warning Message: Your services near to be closed.
*WARNING* Your Email Account Will Be Closed
YOUR EMAIL ACCOUNT IS SUSPENDED FOR SECURITY REASONS
Your email account has been blocked
Your email account access is restricted
You have successfully updated your password
Your password has been successfully updated

The e-mails arrive with a virus-infected attachment of varying names, including:

arqp.zip
account-details.exe
account-details.zip
archive.doc[many spaces].exe - As of 09-08-2006
archives.doc[many spaces].exe - As of 09-08-2006
document.exe
document_full.zip
email-doc.zip
email-doc.exe
email-details.zip
email-details.exe
email-info.zip
email-password.zip
email-password.exe
file.zip
IMPORTANT.zip
important-details.zip
important-details.exe
info.exe
INFO.zip
info-text.exe
info-text.zip
information.exe
information.zip
instructions.exe
instructions.zip
outbox.doc[many spaces].exe - As of 04-08-2006
payment.doc[many spaces].exe - As of 09-08-2006
readme.zip
readme.exe
text.exe
text.zip
updated-password.zip
updated-password.exe
uzr.exe
uzr.zip
your_details.zip
your_details.exe

Investigation of these e-mails has found the attachments to be infected with the Mytob and Netsky worms and, as of August 4th 2006, the Win32.Bagz.[letter] worm (see below for removal tools). The servers being used to send these e-mails appear to be located in Israel (62.90.139.120 - *.barak.net.il) and Italy (213.140.6.119 - *.fastres.net); neither has changed since the e-mails were first discovered.

As these e-mails have not been sent by myself, I would like to warn everyone that receives such an e-mail to delete it immediately, DO NOT OPEN IT! The only time you will receive an e-mail from ourselves is if you have:

1. Sent a support request to us
2. Registered for one of our online services*

*With the exception of our newsletter, you will only ever be sent a maximum of 2 e-mails when you register for one of our services (one to ask you to confirm the registration and the second to confirm your account has been created); no further e-mails shall be sent.

In addition, we NEVER send e-mails via the PLUS server (plus.com, plus.net) and NEVER send attachments.
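As an added illustration that is not part of the original advisory, the rules above (genuine I.T. Mate mail never carries an attachment and is never relayed through a plus.com/plus.net host), together with the padded "name.doc[many spaces].exe" attachment names listed earlier, can be turned into a simple inbound mail check. The two sample messages are constructed for this example and are not real captures; the relay IPs in them are documentation addresses.

```python
import re
from email import message_from_bytes, policy, utils

# Domains the forged mail claims to come from (those the advisory lists)
CLAIMED_DOMAINS = {"it-mate.co.uk", "mysteryfcm.plus.com",
                   "mysteryfcm.plus.net", "mysteryfcm.co.uk"}
# Genuine I.T. Mate mail is never relayed through a plus.com / plus.net host
PLUS_RELAY = re.compile(r"\bfrom\s+[\w.-]*plus\.(com|net)\b", re.I)
# "archive.doc<many spaces>.exe": padding pushes the real extension out of view
PADDED_DOUBLE_EXT = re.compile(r"\.\w{2,4}\s{2,}\.(exe|pif|scr|com)$", re.I)
RISKY_EXT = re.compile(r"\.(exe|pif|scr|com|zip)$", re.I)

def classify(raw: bytes) -> list:
    """Return the advisory rules a message breaks; an empty list means it passes."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = utils.parseaddr(msg.get("From", ""))[1]
    if sender.rpartition("@")[2].lower() not in CLAIMED_DOMAINS:
        return []  # rules apply only to mail claiming to be from I.T. Mate
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    reasons = ["attachment present (I.T. Mate never sends attachments)"] if names else []
    for name in names:
        if PADDED_DOUBLE_EXT.search(name):
            reasons.append("padded double extension: %r" % name)
        elif RISKY_EXT.search(name):
            reasons.append("executable or archive attachment: %r" % name)
    if any(PLUS_RELAY.search(r) for r in msg.get_all("Received", [])):
        reasons.append("relayed via a plus.com/plus.net server")
    return reasons

# Constructed sample messages modelled on the advisory (not real captures)
FORGED = b"""From: Support <support@it-mate.co.uk>
Received: from mail.plus.net (mail.plus.net [203.0.113.5]) by mx.example.net
Subject: *IMPORTANT* Your Account Has Been Locked
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="archive.doc      .exe"

MZ
--b1--
"""
GENUINE = b"""From: I.T. Mate <services@it-mate.co.uk>
Received: from mail.it-mate.co.uk (mail.it-mate.co.uk [192.0.2.10]) by mx.example.net
Subject: Please confirm your registration
Content-Type: text/plain

Reply to this message to confirm your registration.
"""
```

Running `classify(FORGED)` reports the attachment, the padded double extension and the plus.net relay, while `classify(GENUINE)` returns an empty list.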

Removal Tools

Should your system become infected as a result of these e-mails, you may use one or more of the following removal tools to clean the infection.

NetSky removal tool

Symantec NetSky Removal Tool (FxNetsky.exe - 150K)
http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky@mm.removal.tool.html

Or http://support.it-mate.co.uk/downloads/FxNetsky.exe

Or http://archive.mysteryfcm.co.uk/?f=Security/Antivirus/Removal_Tools/Symantec

Bit Defender NetSky Removal Tool (Antinetsky-EN.exe - 59K)
http://www.bitdefender.com/html/free_tools.php?menu_id=20&letter=&page=6

Or http://support.it-mate.co.uk/downloads/Antinetsky-EN.exe

Or http://archive.mysteryfcm.co.uk/?f=Security/Antivirus/Removal_Tools/Bit_Defender

MyTob (aka MyDoom) removal tools

Symantec MyDoom Removal Tool (FxMyDoom.exe - 158K)
http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom@mm.removal.tool.html

Or http://support.it-mate.co.uk/downloads/FixMyTob.exe

Or http://archive.mysteryfcm.co.uk/?f=Security/Antivirus/Removal_Tools/Symantec

Win32.Bagz.[Letter] removal tools

The [Letter] will depend on the antivirus vendor (it's known as A, B, C, D and even E). Unfortunately I am not aware of any individual removal tools for this worm at present. However, the following vendors' trial/home versions will remove it for you.

NOD32 (Recommended)
www.eset.com

Kaspersky
www.kaspersky.com

Avast
www.avast.com

As of 13-06-2005, the following article is available from mvps.org:

Attack of the Mytob worms - Several new variants
http://msmvps.com/harrywaldron/archive/2005/06/13/52673.aspx

Direct links to files

As of August 1st 2006, we also started receiving e-mails claiming to come from ourselves that asked us to download a .pif file from a web server.

http://[SERVER]/Confirmation_Sheet.pif

At the time of writing, the server did not appear to be active. However, users should be EXTREMELY careful when links are present in e-mails.

I.T. Mate websites reside on the following servers ONLY.

*.it-mate.co.uk
*.mysteryfcm.co.uk
mysteryfcm.plus.com


References:

Malicious e-mail update
http://mysteryfcm.co.uk/?mode=News&date=23-06-2006

WARNING: Virus infected e-mail claiming to come from I.T. Mate
http://mysteryfcm.co.uk/?mode=News&date=20-06-2006
The information in this article applies to:
  1. All e-mail addresses containing it-mate.co.uk
  2. All e-mail addresses containing mysteryfcm.plus.com
  3. All e-mail addresses containing mysteryfcm.plus.net
  4. All e-mail addresses containing mysteryfcm.co.uk
Published: 25/05/2005 15:26:36
Updated: 09/08/2006 20:04:55
