The email has the following characteristics
Subject: Escalation
Attachment: Fix_[random.virus.name]_[random.number].cpl
Note:
[random.virus.name] is a variable. It's one of the following strings:
* NetSky.AB
* Sasser.B
* Beagle.AB
* Mydoom.F
* MSBlast.B
[random.number] is a decimal number between 0 and 32767.
For example, the attachment name could be Fix_Beagle.AB_12345.cpl.
From: (one of the following)
o support@symantec.com
o support@nai.com
o support@norman.com
o support@sophos.com
Message:
Dear user of [email.server],
We have received several abuses:
- Hundreds of infected e-Mails have been sent from your mail account by the new [random.virus.name] worm
- Spam email has been relayed by the backdoor that the virus has created
The malicious file uses your mail account to distribute itself. The backdoor that the worm opens allows remote attackers to gain the control of your computer. This new worm is spreading rapidly around the world now and it is a serios new threat that hits users.
Due to this, we are providing you to remove the infection on your computer and to stop the spreading of the malware with a .special desinfection tool attached to this mail.
If you have problems with the virus removal file, please contact our support team at
[random.team]
Attach: [attachment.name]
Note:
[email.server] is avariable, if the worm try to send itself to the email address "someone@somewhere.com",
[random.virus.name] is a variable. It's one of the following strings:
* NetSky.AB
* Sasser.B
* Beagle.AB
* Mydoom.F
* MSBlast.B
[from.address] is the from address of this email
[random.team] is a variable. It's one of the following strings:
* Norton AntiVirus Research Team
* MCAfee AntiVirus Research Team
* Norman AntiVirus Research Team
* Sophos AntiVirus Research Team
[attachment.name] is the attachment name of this email