Important: iBurst mail virus

Grim_Reaper

Member
Joined
Jun 1, 2005
Messages
15
I received a mail today entitled "Notice of account limitation" from "mail@wbs.co.za" which said the following...

Dear Wbs Member,

Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.

Virtually yours,
The Wbs Support Team


I'm ashamed to admit that I was taken in by this and actually ran the attached "document"! Needless to say this is a virus, and I have only now managed to disinfect my machine.

WBS have confirmed that this mail is not from them at all, so be warned!

Apologies if this is old news to you guys...I don't want to get flamed like a lot of the other "newbies" seem to get on here! :(
 

slimothy

Banned
Joined
Jan 14, 2005
Messages
4,808
Shame, but pretty clever. You think of viruses out to target millions of people with something generic like 'images of hot girls', but this is very specific.
 

malec

Senior Member
Joined
May 21, 2004
Messages
555
I wish these dumb ****s would start doing something productive with their time.
 

jmn

Senior Member
Joined
Feb 19, 2005
Messages
551
Somebody hates WBS...

Was it in the WBS mailbox?
 

TheRoDent

Cool Ideas Rep
Joined
Aug 6, 2003
Messages
6,218
These mails have been making the rounds on all big-ish mail domains.
 

ic

MyBroadband
Super Moderator
Joined
Nov 8, 2004
Messages
14,805
GR, welcome to MyADSL :).

While the chances of being able to track the offender via email headers is probably an attempt at futility, I am curious to know which virus/trojan you received. Do you know the name of the beast?
 

Grim_Reaper

Member
Joined
Jun 1, 2005
Messages
15
Jmn, yes, it was to my wbs mail account. Halicon, it was a zip file and the attachment was entitled "information.htm (loads of spaces) .scr" (with all the spaces so you didn't see the .scr on the end). I scanned the attachment with Norton but it didn't see any problem.

Once I loaded it, it loaded an app called "winlogons.exe" which basically just slowed my PC to a crawl. I deleted the executable and deleted all the registry entries it had created and I'm back to normal. As I said previously, I feel such a fool for loading the thing in the first place, but I was taken in by the apparent authenticity of it!
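
The filename trick described in the post above (a document-looking name, a long run of spaces, then `.scr`) can be checked for mechanically before an attachment is opened. This is an added example, not part of the original thread; the extension lists, the padding threshold and the 40-space sample name are assumptions made for illustration.

```python
import io
import re
import zipfile

# Extensions Windows runs directly (partial list, an assumption of this example).
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
# Extensions that look like harmless documents to a reader (also an assumption).
DECOY_EXTS = {".htm", ".html", ".txt", ".doc", ".pdf", ".jpg"}
# A whitespace run at least this long before the real extension counts as padding.
MIN_PADDING = 3

def classify_name(name):
    """Return the reasons an attachment name is suspicious (empty list if none)."""
    reasons = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    ext = (dot + ext).lower().strip()
    if not dot or ext not in EXECUTABLE_EXTS:
        return reasons
    reasons.append("executable extension " + ext)
    if re.search(r"\s{%d,}$" % MIN_PADDING, stem):
        reasons.append("whitespace padding before real extension")
    inner = stem.rstrip()
    inner_ext = "." + inner.rpartition(".")[2].lower() if "." in inner else ""
    if inner_ext in DECOY_EXTS:
        reasons.append("decoy extension " + inner_ext)
    return reasons

def scan_zip(data):
    """Map each suspicious member name in a zip (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for member in archive.namelist():
            reasons = classify_name(member)
            if reasons:
                findings[member] = reasons
    return findings

def build_sample_zip():
    """Constructed sample: placeholder bytes stored under the name pattern from the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("information.htm" + " " * 40 + ".scr", b"placeholder")
        archive.writestr("readme.txt", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()).items():
        print(repr(member), "->", "; ".join(reasons))
```

The check looks only at names, so it still flags a file that a signature-based scanner passes, which is the situation both posters describe with Norton.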
 

Ryno

Member
Joined
Aug 1, 2005
Messages
13
Hi guys,

When I got home I got the same email related to my account being temporarily disabled etc. Like Grim_Reaper, I first scanned the email and Norton couldn’t pick up anything, so I thought yeah maybe it's safe to open the attachment. Once opened it seems that the executable file is trying to run a service called “winlogons”. Luckily my firewall blocked it.

I removed the executable and all registry entries related to “winlogons” and everything now seems fine. Although, just be careful with this one, because I’ve noticed a lot of abnormal activity going on my ppp0 interface since I opened the file but I can’t seem to pick up if it's trying to run any service on my server. I’ll keep you guys updated.

Cheerz,

R
 

ic

MyBroadband
Super Moderator
Joined
Nov 8, 2004
Messages
14,805
Considering unsticking this thread, but is this mail virus still doing the rounds?
 

fergus

Expert Member
Joined
Dec 13, 2004
Messages
1,514
It sounds like it's a trojan. Anybody that opened the attachment and ran the .exe file, just make sure you don't have a winlogons.exe service running. Somebody could be spying on you trying to hack your internet banking or something.
 