techPowerUp! Forums

Old Mar 25, 2011, 07:40 PM   #1
scaminatrix

Security risk: Spam e-mail from "puremobile.com" confirming order! Virus through pdf?

Hi all. I just got these 2 e-mails in my gmail account:

1st e-mail


2nd e-mail


If anyone gets this e-mail, don't open the pdf file for security reasons.

How likely is it that the PDF file is a virus?
Old Mar 25, 2011, 07:53 PM   #2
erocker

Unless I purchased something from a site called "puremobile" I would have no reason to open the email and most definitely not open some attached file. That's virus protection 101.
Old Mar 25, 2011, 07:59 PM   #3
stefan95p
 

*

Last edited by stefan95p; Feb 20, 2012 at 12:38 PM.
Old Mar 25, 2011, 08:04 PM   #4
Black Panther

I got something similar on the work email address. I don't remember the name of the company because it was some months ago. They said I had purchased some shoes costing some €700 and that the amount was debited from my visa. And yup I needed to open some file.

I was nearly 100% sure it was a spam. But to check I went into my internet banking, found that no such debit had been effected from my account, and then deleted the email.

Absolutely do not open files from such emails. If the info troubles you check your internet banking or if not available go to your bank. It's very likely only a scam.
Old Mar 25, 2011, 08:10 PM   #5
brandonwh64

No, puremobile exists, or it used to exist, 'cause I bought a Motorola V3i with iTunes *Unlocked* back in 2007 so I could use it on my deployment to Iraq.
Old Mar 25, 2011, 08:11 PM   #6
scaminatrix

Quote:
Originally Posted by erocker View Post
Unless I purchased something from a site called "puremobile" I would have no reason to open the email and most definitely not open some attached file. That's virus protection 101.

I always check the contents of the e-mail just to see how bad (laughable) it is. Gmail blocks images etc. by default for me, so I don't have to worry too much about opening the e-mail. Ofc, the attachment stays unopened.
Aah, the good old days when I would just get my laptop out and infect myself for the lulz!

Quote:
Originally Posted by stefan95p View Post
Hi scaminatrix,
I got this e-mail, too and I searched in Google for that firm. The firm does exist, but the mail seems to be spam.
Here's a thread in the Gmail Forum about that: http://www.google.com/support/forum/...049f53ef9d06c6
And I was so stupid to open the file... Hope I didn't get a virus on my computer... Norton Internet Security 2011 didn't say anything!?
Regards!

Aah man, since you opened the PDF, I suggest you download Malwarebytes Anti-Malware and run a full scan mate.
Personally, I would also ditch Norton and use Avast! free version, but that's down to preference.

Quote:
Originally Posted by Black Panther View Post
I got something similar on the work email address. I don't remember the name of the company because it was some months ago. They said I had purchased some shoes costing some €700 and that the amount was debited from my visa. And yup I needed to open some file.
I was nearly 100% sure it was a spam. But to check I went into my internet banking, found that no such debit had been effected from my account, and then deleted the email.
Absolutely do not open files from such emails. If the info troubles you check your internet banking or if not available go to your bank. It's very likely only a scam.

Yea, first thing I did was check my PayPal, since that's the only thing that's registered to the Gmail account (no online banking, etc).

The thing I'm wondering the most - is it possible to send a virus through a .pdf file?

Quote:
Originally Posted by brandonwh64 View Post
No, puremobile exists, or it used to exist, 'cause I bought a Motorola V3i with iTunes *Unlocked* back in 2007 so I could use it on my deployment to Iraq.

Yea, it's still about now.
Here's something interesting:

Quote:
Received the same 2 emails and opened both pdf's
Pdfs were damaged and contained a list of PayPals

Still waiting for the backlash
http://www.dslreports.com/forum/r256...is-Puremobile-

Seems it's an Adobe exploit.
Quote:
Win32/Pdfjsc is the detection for a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. These files contain a JavaScript that executes when the file is opened.

The embedded JavaScript may contain malicious instructions, such as commands to download and install other malware. Files detected as Exploit:Win32/Pdfjsc may arrive in the system when a user visits a compromised or malicious webpage, or opens a malicious PDF email attachment.
http://www.microsoft.com/security/po...e=Win32/Pdfjsc
Last edited by scaminatrix; Mar 25, 2011 at 08:20 PM.
The Following 3 Users Say Thank You to scaminatrix For This Useful Post:
Old Apr 15, 2011, 04:51 PM   #7
od8086
 

Hi. I'm working in the field of malware analysis, and at the company it was my duty to process these PDF samples. The files are malformed, and there is a malicious exploit too. If anybody is interested, just open the PDF (in a safe environment, VMware for example) in Acrobat Reader, and when it grows to around 250 MB in memory, save the whole dump. Search for the string JAAAA, and there will be many hits. That is one part of the injected shellcode (I don't remember the others, at home I don't have the infected samples), and the technique used is called heap spraying (Wikipedia, or just Google it), that's why it grows in memory. The essence of this exploitation method is to fill a big array in memory with shellcode, then use some bug to crash specific parts of the running program. In this case, there's a possibility of passing the control flow to the machine-code filled array, and voilà... In this case, I think it works only under certain versions of Acrobat Reader (and the version of the OS is crucial, too). Maybe before v9.2, I think, but haven't tested yet. For many reasons, especially in the case of suspicious PDF files, don't trust just one AV software - use virustotal.com for example, or open it using Google viewer.
The Following 2 Users Say Thank You to od8086 For This Useful Post:
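
A static check for the "JavaScript that executes when the file is opened" pattern quoted in post #6, as an added example that is not part of any post in this thread. It counts script and auto-action name tokens in a PDF's raw bytes without opening it in a reader, and undoes `#xx` name escapes; the function names and both sample byte strings are constructed for illustration.

```python
import re

# Name tokens tied to script or automatic actions in a PDF.
SCRIPT_NAMES = ("/JavaScript", "/JS")
TRIGGER_NAMES = ("/OpenAction", "/AA")

# A PDF name is "/" followed by bytes up to whitespace or a delimiter.
_NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    decoded = _HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count script/trigger names in raw PDF bytes (no stream decompression)."""
    counts = {name: 0 for name in SCRIPT_NAMES + TRIGGER_NAMES}
    obfuscated = 0
    for match in _NAME_RE.finditer(data):
        name = decode_name(match.group(0))
        if name in counts:
            counts[name] += 1
            obfuscated += b"#" in match.group(0)  # escaped spelling of a risky name
    has_script = any(counts[n] for n in SCRIPT_NAMES)
    auto_run = has_script and any(counts[n] for n in TRIGGER_NAMES)
    return {"counts": counts, "obfuscated_names": obfuscated,
            "has_script": has_script, "auto_run": auto_run}


# Constructed samples: minimal PDF-like byte strings, not real attachments.
SAMPLE_SUSPECT = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS (var constructed = 1;) >>\nendobj\n"
    b"%%EOF\n"
)
SAMPLE_PLAIN = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in (("suspect", SAMPLE_SUSPECT), ("plain", SAMPLE_PLAIN)):
        print(label, triage_pdf(blob))
```

A clean result is not proof of safety, because names inside compressed object streams are not visible to a raw byte scan. A hit on `auto_run` or `obfuscated_names` is a reason to keep the file closed and send it for multi-engine scanning or sandboxed analysis.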