This past Friday also brought a new Bagle variation (what else is new?). W32/Bagle.U-mm brings up the Windows Hearts card game when it infects. Bagle.U comes with blank message body, and a randomly named .EXE attachment. Like other Bagles, it opens a back door, and attempts to contact various web servers. It has been rated a medium to high threat by antivirus vendors. See our Top Threat W32/Bagle.U for more information.
A new version of the Sober virus, Sober.E was starting to spread on Sunday. Originating in Germany, it was pushing worldwide. This version differs from previous ones in that its completely in English. The worm has been rated a low-to-medium threat by several antivirus vendors. See our top threat for more information.
The latest Citibank phish weve seen actually has a real sounding web name. The simple e-mail comes with a link to a deceiving full URL– https://web.da-us.citibank.com/signin/citifi/scripts/email_verify.jsp. The underlying URL however, is http://www.securecitibank.us/scripts/email_verify.htm, which looks very official. However, it resolves to an IP address (184.108.40.206) at an ISP in Australia, a phishing source weve seen before.
Another phishing expedition, coming out of South Africa, is a much more creative e-mail claiming to be from BankOne support. The HTML e-mail (Figure 1) uses logos and clip art linked back to the real BankOne site, though when you enter your private information and click on the button, it is routed to an IP address only (220.127.116.11) registered to an ISP in Johannesburg, South Africa. Both the Citibank and BankOne spoofed sites were not operating as of Sunday 3/28/04.