You have successfully updated your password
Today I received a phishing email with a ZIP file attached (called 'updated-password.zip'). Our Exchange server is protected by Ninja, and it will normally block these from reaching the end user if they carry a virus payload, so I was a bit stunned to see it. Here is the original email. You can easily tell that this is not a valid email.
From: service@psu.edu [mailto:service@psu.edu]
Sent: Monday, April 06, 2009 9:56 PM
To: Vince Verbeke
Subject: You have successfully updated your password
Dear user vcv1,
You have successfully updated the password of your Psu account.
If you did not authorize this change or if you need assistance with your account, please contact Psu customer service at: service@psu.edu
Thank you for using Psu!
The Psu Support Team
+++ Attachment: No Virus (Clean)
+++ Psu Antivirus - www.psu.edu
Being the curious type, I wanted to see (safely) the contents of the ZIP file. I have a program called Sandboxie that allows you to run programs in a sandbox. I then downloaded and ran the 'updated-password.zip' file inside it to see what emerged.
All I received was a text file that said the following:
The file "updated-password.htm .exe" was found to be infected with W32/Mytob.PR@mm (exact) by Authentium and has been quarantined.
Another email engine, protected by Authentium, had already cleaned the virus before our Ninja software was able to see it.
What is COOL though is the file name. Note how it would have just looked like 'updated-password.htm' to a cursory glance.
But there are 70 SPACES in the file name to mask the .EXE at the end. So they intended for me to double click on a 'safe' file that ended in .HTM when instead I would have been launching a malware EXE installer.
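The padding trick above is easy to check for at the mail gateway. The following is an added example, not code from the original post or from Ninja or Authentium: it reads the entry names of a ZIP attachment and flags any whose real extension is executable but is pushed out of view by a run of whitespace after a harmless-looking extension (it also flags plain double extensions). The extension list and the constructed sample archive are assumptions for this example.

```python
import io
import re
import zipfile

# Extensions Windows will execute on double-click (assumed list for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# A "display" extension, then two or more whitespace chars, then the real extension at the end.
PADDED_EXT_RE = re.compile(r"\.(\w{2,5})\s{2,}(\.\w+)$", re.IGNORECASE)


def check_name(name):
    """Return the reasons (possibly none) a ZIP entry name looks like an extension-masking trick."""
    reasons = []
    base = name.rsplit("/", 1)[-1]          # strip any directory part inside the archive
    lower = base.lower()
    real_ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    if real_ext in EXECUTABLE_EXTS:
        reasons.append("executable extension %s" % real_ext)
        m = PADDED_EXT_RE.search(base)
        if m:
            # whole match minus the two extensions (and the leading dot of the first) = padding length
            run = len(m.group(0)) - len(m.group(1)) - len(m.group(2)) - 1
            reasons.append("%d whitespace chars hide %s behind .%s" % (run, m.group(2), m.group(1)))
        elif lower.count(".") >= 2:
            reasons.append("double extension")
    return reasons


def scan_zip(data):
    """Scan raw ZIP bytes; return {entry_name: reasons} for suspicious entries only."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = check_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample mimicking the attachment described in the post; the content is plain text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("updated-password.htm" + " " * 70 + ".exe", "not a real executable")
        zf.writestr("readme.txt", "benign")
    return buf.getvalue()
```

On the constructed archive, scan_zip reports the padded entry with both the executable extension and the 70-character whitespace run, and leaves readme.txt alone.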