TotalBusiness.com / Traders World Monthly - "Photo Approval" email

30th January 2006

An email has been circulating for some months now, purporting to be from a website called TotalBusiness.com. The pitch of the email is very similar to the following:

From: TotalBusiness [editor65@totalbusiness.com]
Sent: 31 January 2006 00:32
To: [removed]
Subject: approval deadline

Hello,

We have been trying to get through to you on the phone today but you must be out at work, your photograph was forwarded to us as part of an article we are publishing for our February edition of Total Business Monthly. Can you check over the format and get back to us with your approval or any changes? If the picture is not to your liking then please send a preferred one. We've attached the photo with the article here.

Kind regards,

Jamie Andrews
Editor
www.TotalBusiness.com

**********************************************
The Professional Development Institute
**********************************************

or alternatively,

From: "J Andrews" <jamiez@tradersworld.com>
To: [removed]
Date: Mon, 30 Jan 2006 15:20:00 -0800
Subject: Photo

Hello,

Your photograph has reached editing stage as part of an article we are publishing for our February edition of Traders World Monthly. Can you check over the format and get back to us with your approval or any changes?

If the picture is not to your liking then please send a preferred one. We've attached the photo with the article here.

Kind regards,

Jamie Andrews
Editor
TradersWorld

***************************************
The Professional Brokers Essential
***************************************

Attached to the message is a file, typically a ZIP archive or executable with a name similar to article.zip or Photo and article.exe.

This is not a legitimate email, and the attachment itself is a dangerous "trojan horse" - a virus-like application designed to open up your PC to hackers and steal personal data. In this case, we submitted the attachment to VirusTotal.com which came up with several possible matches.

This appears to be a variant of the Stinx-Q / Breplibo / Breplibot trojan. At the time of writing, many popular anti-virus applications cannot detect this trojan.
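
Because signature-based scanners may miss a sample like this one, a mail gateway can screen on attachment type instead. The following Python check is an added example, not part of the original advisory; the extension list, the function names and the constructed sample messages are assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
# Extensions Windows will run directly (assumed policy list, not from the advisory).
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def is_executable_name(name):  # trailing dots/spaces are ignored by Windows, so strip them
    return name.lower().rstrip(". ").endswith(EXECUTABLE_EXTS)

def risky_attachments(raw_message):
    """Return (attachment name, reason) pairs for attachments that should be quarantined."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if is_executable_name(name) or data[:2] == b"MZ":  # "MZ" = DOS/PE header magic
            findings.append((name, "executable attachment"))
        elif zipfile.is_zipfile(io.BytesIO(data)):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    inner = [n for n in zf.namelist() if is_executable_name(n)]
                    encrypted = any(i.flag_bits & 0x1 for i in zf.infolist())
            except zipfile.BadZipFile:
                findings.append((name, "unreadable ZIP archive"))
                continue
            if inner:
                findings.append((name, "ZIP contains executable: " + ", ".join(inner)))
            elif encrypted:
                findings.append((name, "encrypted ZIP, contents cannot be inspected"))
    return findings

def build_sample(filename, payload):
    """Constructed test message modelled on the email quoted above; payloads are harmless."""
    msg = EmailMessage()
    msg["From"] = "J Andrews <jamiez@tradersworld.com>"
    msg["To"] = "recipient@example.org"  # constructed placeholder address
    msg["Subject"] = "Photo"
    msg.set_content("We've attached the photo with the article here.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def sample_zip(inner_name):
    """Constructed ZIP archive holding one harmless member with the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"harmless placeholder bytes")
    return buf.getvalue()
```

The check inspects what the attachment is rather than matching a known signature, so it also catches an executable renamed to look like a picture.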

TotalBusiness.com appears to be an innocent party, completely unrelated to this trojan message (although they do have a Spamhaus Listing at present for posting allegedly unsolicited newsletters). Similarly, Tradersworld.com are not related to this email in any way, and their name is being abused by the spammers.

If you have opened the attachment that came with this message then it is very important that you seek help from a qualified person in order to disinfect your system. You should switch off your PC until it can be disinfected, as the attacker has the ability to remote control it.