Comments on: An official looking e-mail from the IRS may be a virus

By: John

John — Thu, 03 Jul 2008 20:51:27 +0000

Try uploading the file/attachment to this virus scanner:
http://www.virustotal.com

By: Heads-up: IRS Spam Now in the Wild — MiPro Unfiltered

Heads-up: IRS Spam Now in the Wild — MiPro Unfiltered — Wed, 02 Jul 2008 17:38:16 +0000

[…] Deeper research shows that it quite possibly might be a trojan horse that installs a virus; if you read the comments in the previous link, you’ll see different delivery mechanisms. Some are PDFs, some ZIP files, some DOCs. Regardless, it seems as if the object, regardless of its wrapper, installs some sort of malicious payload. […]

By: Monique

Monique — Sun, 18 May 2008 10:47:35 +0000

This spam mail is also active in The Netherlands!

By: Andy

Andy — Thu, 24 Apr 2008 15:04:12 +0000

My head Accountant recieved this messsage just minutes ago, nothing was opened or extracted but it is a concern of course, you would think my spam filter would have caught this…

By: Mark Adams

Mark Adams — Wed, 16 Apr 2008 17:52:27 +0000

Steven,

The removal requirements could vary. I would recommend hiring your local IT security response company with experience with removing viruses. If you still have a copy of the virus, it will be easier. You may also try a commercial anti-virus product and giving the vendor a call for assistance.

You may also want to see this presentation from Microsoft on advanced malware removal.

By: Steven

Steven — Tue, 15 Apr 2008 19:55:11 +0000

OH, here is what the e-mail

From: jim.lanton@irs.gov [mailto:jim.lanton@irs.gov]
Sent: Tuesday, April 15, 2008 11:14 AM
To: Steven
Subject: Re:company report for ABC PLLC

——————————————————————————- (These lines were the IRS logo)

To : Steven
The report is attached.

You need to complete the fields about Watson & McDonell PLLC income.

Jim Lanton
IRS Fraud Department

By: Steven

Steven — Tue, 15 Apr 2008 19:41:59 +0000

Hi,
I found your site because I opened a samilar e-mail with the company_report.zip file and now I am pretty sure it has infected my computer. IE is really slow and takes up 25% of the CPU process when I open it. There is a lot of svchost.exe processes. I have not been able to find anything removal tips. I found an artical at Symantec for Backdoor.Robofo, aka, TROJ_AGENT.AZZZ, but I am not so sure it is the same thing. I check the files and registry and didn’t see any of the entries suggested by symantec that Backdoor.bobofo would drop or modify.

any ideas?

By: Andrea

Andrea — Mon, 07 Apr 2008 22:14:20 +0000

Thank you for taking the time to post this. I had this in my inbox 1 day after filing and was suspicious of it. I know better than to open attachments, but when you see IRS and taxes, you just want to do what needs to be done to make it go away:) Thanks again.

By: Nick S.

Nick S. — Mon, 07 Apr 2008 20:08:54 +0000

Our accounting person received exactly the same e-mail (with our correct company name filled in) on the afternoon of the 3rd. I was just informed about it this afternoon.

Symantec Antivirus Corporate Edition v8 didn’t detect it either. (I know, it’s from 2002- but the definitions still get updated- current definition file is dated 4/4/2008.) I scanned the .zip first, then opened it in 7-Zip and extracted the .scr file, and scanned that as well. No warnings.

It has the correct company name, and it’s addressed to the correct person at our organization- maybe a workstation inside the IRS is compromised and sending mail to people that agent has been in contact with? Maybe the agent’s name is Timothy Johnson…? It would make it more legitimate if people actually had contact with somebody by that name previously.

By: Mark Adams

Mark Adams — Sat, 05 Apr 2008 00:58:32 +0000

It’s always a good idea to report e-mail borne malware and spam to the orginating IP address’s ISP. However, not everyone has time to do this, or the knowledge necessary to determine which IP address connected to their e-mail server or who to report it to. Luckily, it sounds like you do have that knowledge. Although it’s unlikely to lead to the culprit, it can slow down the spread of the e-mail and may even result in someone finding out that they had a security problem, as most of these are sent from compromised computers where the computer owner had no idea.