NZ Police Virus / Phishing....

Discussion in 'NZ Computing' started by s.te.v.e., May 30, 2006.

  1. s.te.v.e.

    s.te.v.e. Guest

    Anyone seen one of these?

    The broken English and compressed word file say "VIRUS" to me.....

    *************************************************************

    Hello.
    You've been sent a notification from Police New Zealand (Department of
    intellectual property and informational technologies).
    You are under suspicion of financial machination.
    There was a correspondence about forthcoming machination from your address
    mail.
    We earnestly ask you to fill in all the fields in the attached document and
    send it by fax (04 498-7400) or by e-mail:

    Yours faithfully police New Zealand
    Lieutenant Colyn David Stoves
     
    s.te.v.e., May 30, 2006
    #1

  2. s.te.v.e.

    s.te.v.e. Guest

    s.te.v.e. wrote:

    > Anyone seen one of these?
    >
    > The broken English and compressed word file say "VIRUS" to me.....
    >
    > *************************************************************
    >
    > Hello.
    > You've been sent a notification from Police New Zealand (Department of
    > intellectual property and informational technologies).
    > You are under suspicion of financial machination.
    > There was a correspondence about forthcoming machination from your address
    > mail.
    > We earnestly ask you to fill in all the fields in the attached document
    > and send it by fax (04 498-7400) or by e-mail:
    >
    > Yours faithfully police New Zealand
    > Lieutenant Colyn David Stoves


    Forgot to mention:

    Received: from www1.hxu.edu.cn (www1.hxu.edu.cn [202.201.106.11]) by (my
    server)
     
    s.te.v.e., May 30, 2006
    #2

  3. Invisible

    Invisible Guest

    On Tue, 30 May 2006 23:18:50 +1200, "s.te.v.e."
    <> wrote:

    >Anyone seen one of these?
    >
    >The broken English and compressed word file say "VIRUS" to me.....
    >
    >*************************************************************
    >
    >Hello.
    >You've been sent a notification from Police New Zealand (Department of
    >intellectual property and informational technologies).
    >You are under suspicion of financial machination.
    >There was a correspondence about forthcoming machination from your address
    >mail.
    >We earnestly ask you to fill in all the fields in the attached document and
    >send it by fax (04 498-7400) or by e-mail:
    >
    >Yours faithfully police New Zealand
    >Lieutenant Colyn David Stoves



    Yep, I was just going to post a copy.


    Also, Paradise claim:

    This message has been processed by paradise.net using Brightmail(r) Anti-Virus
    Technology powered by Symantec.

    The file
    Document_Police.doc____________________________________________________________.doc.exe
    was infected with the virus Trojan.Gobrena and has been deleted because the file
    cannot be cleaned.


    Except that it's still attached, so they did a nice job of deleting it.
     
    Invisible, May 30, 2006
    #3
  4. Mark Robinson

    s.te.v.e. wrote:
    > s.te.v.e. wrote:
    >
    >> Anyone seen one of these?
    >>
    >> The broken English and compressed word file say "VIRUS" to me.....
    >>
    >> *************************************************************
    >>
    >> Hello.
    >> You've been sent a notification from Police New Zealand (Department of
    >> intellectual property and informational technologies).
    >> You are under suspicion of financial machination.
    >> There was a correspondence about forthcoming machination from your address
    >> mail.
    >> We earnestly ask you to fill in all the fields in the attached document
    >> and send it by fax (04 498-7400) or by e-mail:
    >>
    >> Yours faithfully police New Zealand
    >> Lieutenant Colyn David Stoves

    >
    > Forgot to mention:
    >
    > Received: from www1.hxu.edu.cn (www1.hxu.edu.cn [202.201.106.11]) by (my
    > server)


    There's another Received: line in mine which looks a little suss:

    > Received: from www1.hxu.edu.cn (www1.hxu.edu.cn [202.201.106.11])
    > by smtp-3.paradise.net.nz (Postfix) with ESMTP id 4E18712A6C3E; Tue,
    > 30 May 2006 22:30:44 +1200 (NZST)
    > Received: from Plolice service by www1.hxu.edu.cn with Microsoft SMTPSVC; Tue,
    > 30 May 2006 18:30:47 +0800


    That "Plolice service" bit is a little on the weird side. Not being a valid
    host name, I guess it must be a process running on the server.

    Paradise's email server nixed the virus from my copy too yet googling
    "Trojan.Gobrena" yields no hits.

    > Hello.
    > You've been sent a notification from Police New Zealand (Department of intellectual property and informational technologies).
    > You are under suspicion of financial machination.
    > There was a correspondence about forthcoming machination from your address mail.
    > We earnestly ask you to fill in all the fields in the attached document and send it by fax (04 498-7400) or by e-mail:
    >
    > Yours faithfully police New Zealand
    > Lieutenant Shargin Stephens


    I'm guessing the New Zealand bit, the variable email address and the phone
    number are added according to the location of the addressee.
     
    Mark Robinson, May 30, 2006
    #4
  5. Mark Robinson, May 30, 2006
    #5
  6. juicyjuice

    juicyjuice Guest

    I found the same link by just putting gobrena in google
    It downloads Goldun which steals e-gold login details
    no biggy really.

    "Mark Robinson" <2tod.net> wrote in message
    news:2tod.net...
    > Mark Robinson wrote:
    >> Paradise's email server nixed the virus from my copy too yet googling
    >> "Trojan.Gobrena" yields no hits.

    >
    > Looks like it's so new Google hasn't indexed it yet.
    >
    > http://securityresponse.symantec.com/avcenter/venc/data/trojan.gobrena.html
    > is what Paradise's antivirus calls it, but the details don't seem to
    > match.
     
    juicyjuice, May 30, 2006
    #6
  7. Crumb

    Crumb Guest

    On Wed, 31 May 2006 00:13:30 +1200, Mark Robinson
    <2tod.net> wrote:

    >s.te.v.e. wrote:
    >> s.te.v.e. wrote:
    >>
    >>> Anyone seen one of these?
    >>>
    >>> The broken English and compressed word file say "VIRUS" to me.....
    >>>
    >>> *************************************************************
    >>>
    >>> Hello.
    >>> You've been sent a notification from Police New Zealand (Department of
    >>> intellectual property and informational technologies).
    >>> You are under suspicion of financial machination.
    >>> There was a correspondence about forthcoming machination from your address
    >>> mail.
    >>> We earnestly ask you to fill in all the fields in the attached document
    >>> and send it by fax (04 498-7400) or by e-mail:
    >>>
    >>> Yours faithfully police New Zealand
    >>> Lieutenant Colyn David Stoves

    >>
    >> Forgot to mention:
    >>
    >> Received: from www1.hxu.edu.cn (www1.hxu.edu.cn [202.201.106.11]) by (my
    >> server)

    >
    >There's another Received: line in mine which looks a little suss:
    >
    >> Received: from www1.hxu.edu.cn (www1.hxu.edu.cn [202.201.106.11])
    >> by smtp-3.paradise.net.nz (Postfix) with ESMTP id 4E18712A6C3E; Tue,
    >> 30 May 2006 22:30:44 +1200 (NZST)
    >> Received: from Plolice service by www1.hxu.edu.cn with Microsoft SMTPSVC; Tue,
    >> 30 May 2006 18:30:47 +0800

    >
    >That "Plolice service" bit is a little on the weird side. not being a valid
    >host name I guess it must be a process running on the server.
    >
    >Paradise's email server nixed the virus from my copy too yet googling
    >"Trojan.Gobrena" yields no hits.
    >
    >> Hello.
    >> You've been sent a notification from Police New Zealand (Department of intellectual property and informational technologies).
    >> You are under suspicion of financial machination.
    >> There was a correspondence about forthcoming machination from your address mail.
    >> We earnestly ask you to fill in all the fields in the attached document and send it by fax (04 498-7400) or by e-mail:
    >>
    >> Yours faithfully police New Zealand
    >> Lieutenant Shargin Stephens

    >
    >I'm guessing the New Zealand bit, the variable email address and the phone
    >number are added according to the location of the addressee.


    A mate got one and copied this detail to me.

    The attachment was picked up by his antivirus as Bloodhound.W32.EP

    [192.168.15.8])
    by kelso.snap.net.nz (Postfix) with ESMTP id 2B12068136;
    Tue, 30 May 2006 22:29:49 +1200 (NZST)
    Received: from www1.hxu.edu.cn (www1.hxu.edu.cn [202.201.106.11])
    by viper.snap.net.nz (Postfix) with ESMTP id 0739C7583DF;
    Tue, 30 May 2006 22:29:37 +1200 (NZST)
    Received: from Plolice service by www1.hxu.edu.cn with Microsoft
    SMTPSVC;
    Tue, 30 May 2006 18:29:38 +0800
    From: "Albert Fabian Salepisa" <>
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1819
    Message-ID: <>
    X-OriginalArrivalTime: Tue, 30 May 2006 18:29:38 +0800.0182 (UTC)
    FILETIME=[4E532544:xWcANT1D]
    To: <>
    Subject: Notification from Police New Zealand.
    Date: Tue, 30 May 2006 18:29:38 +0800
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----------DE534E36B571C1"
    X-NAS-Language: English
    X-NAS-Bayes: #0: 4.5995E-268; #1: 1
    X-NAS-Classification: 0
    X-NAS-MessageID: 744
    X-NAS-Validation: {0CE236BB-9308-4D21-A5C1-57A11B5E36F9}

    Hello.
    You've been sent a notification from Police New Zealand (Department of
    intellectual property and informational technologies).
    You are under suspicion of financial machination.
    There was a correspondence about forthcoming machination from your
    address mail.
    We earnestly ask you to fill in all the fields in the attached
    document and send it by fax (04 498-7400) or by e-mail:


    Yours faithfully police New Zealand
    Lieutenant Christopher Tom Rata

    Attach: Document Police.zip
     
    Crumb, May 30, 2006
    #7
  8. Geopelia

    Geopelia Guest

    Wouldn't the Police call if it was genuine, instead of sending an email?

    "You are suspected of a plot to blow up the Beehive. Kindly furnish your
    details etc etc".

    Maybe it's just a clever kid's joke.
     
    Geopelia, May 30, 2006
    #8
  9. george

    george Guest

    Geopelia wrote:
    > Wouldn't the Police call if it was genuine, instead of sending an email?
    >
    > "You are suspected of a plot to blow up the Beehive. Kindly furnish your
    > details etc etc".


    Or, you released a worker bee into the Beehive and sent the residents
    into shock

    > Maybe it's just a clever kid's joke.


    I don't know about the 'clever kid' bit.
    If the police wanted to ask you about activities there would be a
    knock on the door...
     
    george, May 30, 2006
    #9
  10. aum

    aum Guest

    On Tue, 30 May 2006 23:18:50 +1200, s.te.v.e. wrote:

    > Anyone seen one of these?

    ....
    > You've been sent a notification from Police New Zealand (Department of
    > intellectual property and informational technologies).
    > You are under suspicion of financial machination.
    > There was a correspondence about forthcoming machination from your address
    > mail.
    > We earnestly ask you to fill in all the fields in the attached document and
    > send it by fax (04 498-7400) or by e-mail:
    >
    > Yours faithfully police New Zealand
    > Lieutenant Colyn David Stoves


    Got one last night.

    For a matter of terminology, it's not 'phishing', because (unlike
    those endless PayPal/Westpac/whatever emails) it's not attempting to trick
    people into entering sensitive account details into a 'pharming' site.

    It is an attempt to pwn (own) or 'zombie' the PCs of kiwis,
    using a 'social engineering' attack.

    I unpacked the ZIP within a Linux temporary directory, and it reveals a
    single file, 'Document Police.doc__________________________________.exe',
    which in Windows machines will tend to show up as the innocent looking
    'Document Police.doc'.

    Seems it's a trojan which would install one or a combination of rootkit,
    spambot, keylogger etc. Any windows user who double-clicked the file would
    end up having their PC 'pwned' and not even know it. Today's rootkits even
    know all the firewall and antivirus programs, and shim underneath them to
    conceal their activity and very existence.

    The attack is somewhat disturbing, because the perp could make it
    look really authentic by:

    * changing 'Lieutenant' to 'Senior Inspector' (don't they know that the
    NZ Police do not have a 'Lieutenant' rank?!? lol)
    * fixing the spelling and grammar
    * launching the attack from PCs within NZ, so the headers don't show the
    tell-tale '.cn' TLD

    Even more disturbing is the question of whether the attack was launched by
    private Chinese crims, or by a Chinese government department.

    --

    Cheers
    aum
     
    aum, May 30, 2006
    #10
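    The padded double extension aum describes is the real trick in this mail: a long run of underscores pushes ".exe" out of the visible part of the file name, and with Explorer's default of hiding known extensions the tail is the only thing that gets dropped. The Python below is an added example rather than anything from the thread or its posters; it takes the two attachment names quoted in this thread (as constructed samples, alongside two ordinary names), shows what Explorer would display, and returns the reasons a mail gateway would have for treating the name as a disguised executable.

```python
import re

# Extensions Windows will execute on double-click, and document types that
# senders of this kind of mail pretend to be shipping.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta", "msi"}
DOCUMENT_EXTS = {"doc", "xls", "ppt", "pdf", "rtf", "txt", "jpg", "gif", "htm", "html"}

# Constructed sample: the two attachment names quoted in the thread above,
# plus two ordinary names for contrast.
SAMPLES = [
    "Document_Police.doc____________________________________________________________.doc.exe",
    "Document Police.doc__________________________________.exe",
    "Document Police.doc",
    "setup.exe",
]


def windows_display_name(name):
    """What Explorer shows with 'hide extensions for known file types' on:
    only the final extension is dropped, so the padding stays as the tail."""
    stem, dot, ext = name.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return stem
    return name


def analyse_name(name):
    """Return a list of reasons the name looks crafted to be misread."""
    findings = []
    parts = name.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    if real_ext in EXECUTABLE_EXTS:
        findings.append(f"real extension .{real_ext} is executable")
    # a document extension that is not the last one, possibly padded out
    for piece in parts[1:-1]:
        decoy = piece.rstrip("_ ")
        if decoy in DOCUMENT_EXTS:
            findings.append(f"decoy document extension .{decoy} before the real one")
            break
    pad = re.search(r"[_ ]{8,}", name)
    if pad:
        findings.append(f"{len(pad.group())} padding characters push the real extension out of view")
    return findings


def is_deceptive(name):
    """Executable dressed as a document: quarantine rather than deliver.
    A bare .exe is merely executable; it takes a decoy or padding as well."""
    findings = analyse_name(name)
    return any("executable" in f for f in findings) and len(findings) > 1


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{windows_display_name(sample)!r}")
        for finding in analyse_name(sample):
            print("   ", finding)
```

    The same name check belongs on the contents of a ZIP as well, since here the executable travelled inside "Document Police.zip" and the outer name gives nothing away; a gateway that only inspects the top-level attachment name will pass it.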
  11. Peter Huebner

    In article <2tod.net>, 2tod.net
    says...
    >
    > That "Plolice service" bit is a little on the weird side. not being a valid
    > host name I guess it must be a process running on the server.
    >


    No, it'll be the name on the network of the machine that originated the
    message. Like all messages that come from this box carry a header line
    Received: from Jumbo by ...

    -P.

    --
    =========================================
    firstname dot lastname at gmail fullstop com
     
    Peter Huebner, May 31, 2006
    #11
  12. Kay Neich

    Kay Neich Guest

    yup. scared me at first thinking about all the time things would take to get
    straight. but then i studied the header once i calmed down. didn't open.
    went straight to nzpolice.govt.nz. sweet.

    --
    - Kay (http://geocities.com/kayneich/)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~

    "s.te.v.e." <> wrote in message
    news:...
    > Anyone seen one of these?
    >
    > The broken English and compressed word file say "VIRUS" to me.....
    >
    > *************************************************************
    >
    > Hello.
    > You've been sent a notification from Police New Zealand (Department of
    > intellectual property and informational technologies).
    > You are under suspicion of financial machination.
    > There was a correspondence about forthcoming machination from your address
    > mail.
    > We earnestly ask you to fill in all the fields in the attached document
    > and
    > send it by fax (04 498-7400) or by e-mail:
    >
    > Yours faithfully police New Zealand
    > Lieutenant Colyn David Stoves
     
    Kay Neich, May 31, 2006
    #12
  13. juicyjuice

    juicyjuice Guest

    http://www.stuff.co.nz/stuff/0,2106,3685832a28,00.html

    "s.te.v.e." <> wrote in message
    news:...
    > Anyone seen one of these?
    >
    > The broken English and compressed word file say "VIRUS" to me.....
    >
    > *************************************************************
    >
    > Hello.
    > You've been sent a notification from Police New Zealand (Department of
    > intellectual property and informational technologies).
    > You are under suspicion of financial machination.
    > There was a correspondence about forthcoming machination from your address
    > mail.
    > We earnestly ask you to fill in all the fields in the attached document
    > and
    > send it by fax (04 498-7400) or by e-mail:
    >
    > Yours faithfully police New Zealand
    > Lieutenant Colyn David Stoves
     
    juicyjuice, May 31, 2006
    #13
  14. PJ

    PJ Guest

    aum wrote:
    >
    > The attack is somewhat disturbing, because the perp could make it
    > look really authentic by:
    >
    > * changing 'Lieutenant' to 'Senior Inspector' (don't they know that the
    > NZ Police do not have a 'Lieutenant' rank?!? lol)
    > * fixing the spelling and grammar
    > * launching the attack from PCs within NZ, so the headers don't show the
    > tell-tale '.cn' TLD
    >


    How right you are. The change to "inspector" would make this *so*
    authentic that it's your duty to suggest to the NZ Police that they give
    it a real go. Get the cops to email everyone in the country, the crims
    will of course log in and 'fess up, the good guys put them under lock
    and key, and everyone's happy.

    Why didn't we think of this before ?
     
    PJ, May 31, 2006
    #14
  15. wogers nemesis

    On Tue, 30 May 2006 23:18:50 +1200, s.te.v.e. wrote:

    > Anyone seen one of these?
    >
    > The broken English and compressed word file say "VIRUS" to me.....
    >
    > *************************************************************
    >
    > Hello.
    > You've been sent a notification from Police New Zealand (Department of
    > intellectual property and informational technologies).
    > You are under suspicion of financial machination.
    > There was a correspondence about forthcoming machination from your address
    > mail.
    > We earnestly ask you to fill in all the fields in the attached document and
    > send it by fax (04 498-7400) or by e-mail:
    >
    > Yours faithfully police New Zealand
    > Lieutenant Colyn David Stoves


    Was obviously a hoax ...everyone knows that you call 911 for the police.
     
    wogers nemesis, May 31, 2006
    #15
  16. Shane

    Shane Guest

    wogers nemesis wrote:


    > Was obviously a hoax ...everyone knows that you call 911 for the police.



    meh, that's the taxi number
    --
    Rule 6: There is no rule 6
     
    Shane, May 31, 2006
    #16
  17. aum

    aum Guest

    On Wed, 31 May 2006 17:28:02 +1200, PJ wrote:

    > How right you are. The change to "inspector" would make this *so*
    > authentic that it's your duty to suggest to the NZ Police that they give
    > it a real go. Get the cops to email everyone in the country, the crims
    > will of course log in and 'fess up, the good guys put them under lock
    > and key, and everyone's happy.


    Where's your brain, PJ?

    The intention of the mail is to trick people into opening something that,
    looks like a plain document, but which owing to Windows will end up
    opening an EXE file and infect the PC with a virus.

    I'm not suggesting that if the email looked genuine, the average crim
    would fill it out and send it, but someone on the shady side would be very
    tempted to open the document out of curiosity and paranoia.

    --

    Cheers
    aum
     
    aum, May 31, 2006
    #17
  18. nick

    nick Guest

    Never any doubt about it. It is the most obvious fake ever.


    s.te.v.e. wrote:
    > s.te.v.e. wrote:
    >
    > > Anyone seen one of these?
    > >
    > > The broken English and compressed word file say "VIRUS" to me.....
    > >
    > > *************************************************************
    > >
    > > Hello.
    > > You've been sent a notification from Police New Zealand (Department of
    > > intellectual property and informational technologies).
    > > You are under suspicion of financial machination.
    > > There was a correspondence about forthcoming machination from your address
    > > mail.
    > > We earnestly ask you to fill in all the fields in the attached document
    > > and send it by fax (04 498-7400) or by e-mail:
    > >
    > > Yours faithfully police New Zealand
    > > Lieutenant Colyn David Stoves

    >
    > Forgot to mention:
    >
    > Received: from www1.hxu.edu.cn (www1.hxu.edu.cn [202.201.106.11]) by (my
    > server)
     
    nick, Jun 1, 2006
    #18
  19. Howard Edwards

    On Wed, 31 May 2006 17:39:29 +1200, wogers nemesis
    <> wrote:

    >On Tue, 30 May 2006 23:18:50 +1200, s.te.v.e. wrote:
    >
    >> Anyone seen one of these?
    >>
    >> The broken English and compressed word file say "VIRUS" to me.....
    >>
    >> *************************************************************
    >>
    >> Hello.
    >> You've been sent a notification from Police New Zealand (Department of
    >> intellectual property and informational technologies).
    >> You are under suspicion of financial machination.
    >> There was a correspondence about forthcoming machination from your address
    >> mail.
    >> We earnestly ask you to fill in all the fields in the attached document and
    >> send it by fax (04 498-7400) or by e-mail:
    >>
    >> Yours faithfully police New Zealand
    >> Lieutenant Colyn David Stoves

    >
    >Was obviously a hoax ...everyone knows that you call 911 for the police.


    Homer Simpson (in a panic): "Quick operator, what's the number for
    911?"

    Howard Edwards
     
    Howard Edwards, Jun 1, 2006
    #19
  20. Waylon Kenning

    T'was the Wed, 31 May 2006 09:12:06 +1200 when I remembered aum
    <> saying something like this:

    >Even more disturbing is the question of whether the attack was launched by
    >private Chinese crims, or by a Chinese government department.


    I wouldn't trust the police to email me, and if so, I wouldn't take it
    seriously unless I corresponded with them first. I'd expect a phone
    call.
    --
    Cheers,

    Waylon Kenning.
     
    Waylon Kenning, Jun 1, 2006
    #20