Today I received an email with the subject Thank you for buying iTunes Gift Certificate!
Rather than have OzEfilter delete this email at the mail server before it reached my computer, I decided to investigate. Whilst I was quite certain it was malware, I can't help feeling many people will be tricked with the free offer of an iTunes Gift Certificate.
The body of this email contains the following:
Hello!
You have received an iTunes Gift Certificate in the amount of $50.00 You can find your certificate code in attachment below.
Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.
iTunes Store.
This email is plain text which is the first clue that it is likely to be malware. A legitimate email from the Apple would prominently display their branding, but of course so would a more professionally created malicious email, so lack of branding is a clue that something isn't OK in this case.
Another clue is the email address that it was sent to. I use different email addresses for different purposes. This email address isn't used for anything to do with Apple. This reminds me of the days when I used to provide a different password to each video rental library. I'd heard of some libraries getting robbed and if their records were stolen, then customers using the same password in multiple stores left themselves open to people using their details to borrow movies at other local stores. This approach of using different email addresses is useful on the internet. Provide companies you deal with financially with a different email address and not the one you use publicly. Don't use a single first name as part of your email address as the increases your chances of receiving spam and malware.
The next clue is the email contains the attachment iTunes_certificate_197.zip and in the attachment is the program file iTunes_certificate_197.exe. There is no reason for any business to send a certificate which is a program. That's a dead give away this is potential malware.
A scan of the zip file using Microsoft Security Essentials returns no result. This is normal for new malware and I'd be pretty confident based on my testing of Microsoft Security Essentials, that other anti-virus software programs wouldn't detect the malware as well. That is why I use OzEfilter. It takes up to 48 hours for anti-virus software to be updated to handle the latest threats. The only thing that protects you from new malware is the action you take. With OzEfilter it means I check a summary of what I'm about to receive first before receiving it. As a result only a couple of malicious emails each year ever get close to my computer.
If you receive a free gift unexpectedly in the email just think back to the story of Troy and the Trojan Horse. This trick has been around for for centuries. You'd think we would have learnt how to spot a Trojan Horse by now.
You should delete these emails immediately you receive them.
- Kelvin Eldridge
Update: 12:11pm
If you do get caught with malware like this, the first thing I suggest to clients is to turn their computer off so it doesn't potentially infect other computers on the network. I then investigate and remove the virus. I see lots of people get their family and friends to assist and often they make things worse. I've also seen a friend go to two different professional IT support businesses and by the time they contacted me, it took a great deal of work to recover their data from their machine and get the computer working again. One of the IT support businesses even told my friend they'd need a new hard disk which was wrong advice.
If it was me and I didn't have IT knowledge, I would turn the computer off for a couple of days. Usually within 48 hours your anti-virus software company will update their virus signature file and that update may remove the malware. If that doesn't work I'd then take a backup copy of all the important data on the computer, as the computer may need to be repaired and sometimes that requires reformatting the computer.
I wouldn't suggest installing another anti-virus software package at this stage because in the past I've seen that make things worse.
As IT support can be very costly, for some home users I've suggested that once they have a copy of their data, sometimes the most cost effective way for them to fix the problem is to restore the computer using the restore disk that came with the computer.
For those people in Melbourne who require assistant I can check out their infected computer. For those elsewhere, you'll need to find a good IT support person. Someone who is recommended and has a track record. Sadly there are a lot of very average people providing IT services and many can make the problem worse. Before getting someone to fix your computer make sure you first get a backup copy of all your data if it is possible.
Update: 1:06pm
Have a great birthday anonymous Mac user. In terms of the malware affecting Mac computers, at this point in time I'd guess with Microsoft having around 90% of the operating system market, malware writers will focus on Microsoft operating systems. However, as malware writers start to target vertical markets this might lead to increased attacks against Mac computers.
I checked the malware file and it contains the line program cannot be run in DOS mode which would lead me to feel it will only run on Windows machines.
I wouldn't suggest for anyone try to find out if it will run on the Mac.
Update: 3:16pm
Anonymous wrote to let us know their roomie used Restore to fix their computer. Many malware programs stop Restore from working. If this is correct and this malware hasn't affected Restore, then using Restore is an excellent approach to try. Thanks Anonymous.
Update: 4:26pm
Beth. My guess is running the program on the Mac won't work and so your computer should be OK. I don't use a Mac and can't categorically say it won't run, but since the Mac uses a different operating system I can't see how the program would run.
I applied the Microsoft Security Essentials that recently became available. This update still does not detect the malware.
Update: 11.58pm
I've kept checking for an update to Microsoft Security Essentials every couple of hours and the update is now available which identifies the malware.
Thanks too Geert for the link to another site. Unfortunately I don't publish links to other sites without further research. I've found going to a site with virus information in the past to infect a computer. Recently I've seen an enormous proliferation of sites copying material from other sites. Even this blog post has been copied by at least one other site (slight editing) to pass off as their own. Some of these sites use others' content to generate traffic and others for scamming. My apologies for not releasing the comment. I trust you'll understand.
Just got the same email. Thanks for the heads up!
ReplyDeleteThanks Kevin,
ReplyDeleteI just received one of these and of course it looked suspicious. Finding your blog has confirmed it for me. Like you, I use lots of forwarders and multiple emails to try to avoid the spam, but in the last couple of weeks they got to me.
I've had a few bulk emails from friends with dozens of people in the CC: field (when they should be using the BCC: address field) and I suspect one or more of the recipeints were hosting a trojan horse program.
Thanks again for posting this.
Jeff
I just got one of these today as well
ReplyDeleteYip, just received this email - and the old saying "if it looks too good to be true, it probably is" came to mind.
ReplyDeleteWhy on earth would Apple be giving away $50 to each of their customers? Shareholders would be pretty upset with that move!
Thanks Kevin. I also received an email and went through the same thought process, although didn't get to the point of opeing the.zip file (almost did though).
ReplyDeleteRegards
Ed
So what can I do now? I thought my daughter in another state purchased this Itunes gift certificate for me for mother's day and i opened the zip file and then saw the .exe. I blocked it from changing my registry, but now my computer is acting very strangely! How do I fix it?
ReplyDeleteI have an Evernote account that like Kevin, I have an unique email account for. I started to see spam through this account a couple of weeks ago, and I KNOW Apple doesn't have that address. As Kevin stated it's probably a trojan, I've sent an email to me less tech saavy friends warning them. So many people use iTunes I suspect many will be fooled.
ReplyDeleteI just got this too, thank you for the post. I have a mac and would not be affected by this, still sucks that this is going around. just like the UPS email. I am stoked you put this up. Cheers
ReplyDeleteI just received it as well, being my birthday I opened it. DAMN! I have a mac, can the exe file cause damage?
ReplyDeletejust got the same email. was wondering whether it's legit. thanks for the heads up!
ReplyDeleteNorton Antivirus also scan this without any warnings.
ReplyDeleteThanks Kevin,
ReplyDeleteGlad there are people out there like yourself giving these warnings. Thought there was something suss about this one.
Will pass your message on to friends and family now.
Cheers
my roomie just received this and infected his computer. He performed a restore and it repaired it.
ReplyDeleteThanks so much for the info, mine went straight to spam and was wondering why it was in there knowingly it was from itunes. Just as well I posted a search and it lead me straight here, thanks once again
ReplyDeletewasn't very smart and opened this. I thought it was a Mother's Day gift. I have a mac, and it doesn't seem to be effected. I shut down my computer anyways because I got scared. Do you think I am ok or should I call apple in the am?
ReplyDeleteI just googled "received email itunes $50 gift card in zip file?" and got this pertinent blog as my fourth result. My husband also just received this exact email on May 6th, 2010 possibly as a birthday gift. It seemed suspicious to us as it was sent to one of his emails that he doesn't use at all except for one website that sells software. Also the lack of branding and text-only email, as Kevin mentioned, seemed suspicious as well as the zip file containing the so-called itunes gift card. Thanks for your post! We will be deleting the email and not opening the zip file.
ReplyDeleteThanks Kevin! to share this!!
ReplyDeleteand for posting this.
Mark
Thank you for confirming the suspicions I have of the identical e-mail I've just received! Thankfully, I smelled a rat at once as, had someone sent me a gift cert, the name of the sender would have been in the e-mail and the code it says is in the attachment would have been in the body text. Just going to shift+delete!
ReplyDeleteThanks for this. I was expecting an itunes certificate from someone I knew and tried to open the file (should have recognised from the text-only that it was suspicious but as I said, I was expecting one). Anyway I have a mac which couldn't run the exe file so I think (hope) it's ok!
ReplyDeleteI also thought this gift certificate came from my daughter, and opened it! AVG found 6 objects, but only could "heal" 5 of them, and and then displayed a message that I needed to restart my computer. When I did this, my computer opened strangely, and now only allows me to click the "log off", so the only thing I can do is to turn it off.
ReplyDeleteAny suggestions?
Carol
Hi Carol,
ReplyDeleteThe blog post was to alert people so they could avoid the ramifications of infecting their computer. Unfortunately since I didn't remove the malware from any client's computer I don't have a solution I can publish.
I would suggest if you can't fix the computer yourself, to take it to a IT support person you trust.
Kelvin Eldridge
I got this too and thought it was related to a certificate I bought recently so I opened the email. Luckily I was warned of the threat by our antivirus software and didn't open the exe file. But I've noticed now that both my and my husband's iPhones won't sync properly - hope it's not something to do with what I thought was this near miss??? Is anyone else having a similar problem?
ReplyDeleteUPDATE: A new version of this virus started spreading yesterday and is not yet detected by the anti-virus program I use. Based on previous experience, that will be the case for many other anti-virus software vendors as well.
ReplyDelete- Kelvin
UPDATE: Sat down at the computer tonight and downloaded the latest update to Microsoft Security Essentials. The malware is now identified and removed.
ReplyDeleteKelvin
UPDATE: Received another variation of the iTunes malware email. This time with the attachment Gift_Certificate_251.zip. This was not detected as malware by Microsoft Security Essentials and may be missed by other anti-virus software packages as well.
ReplyDelete- Kelvin
UPDATE: Microsoft Security Essentials now detects and cleans this malware.
ReplyDelete- Kelvin