Your internet access is going to get suspended virus
September 11, 2008 97 Comments
A new virus variant is being distributed by email with the subject “Your internet access is going to get suspended”. The message body reads:
Your internet access is going to get suspended
The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts.
We are aware of your illegal activities on the internet wich were originating from You can check the report of your activities in the past 6 month that we have attached.
We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.
Sincerely
ICS Monitoring Team
The message carries a zip attachment named user-EA49943X-activities.zip; extracting it yields user-EA49943X-activities.exe. The file names vary from email to email.
The malware registers a Winlogon notification package so that the dropped module is loaded into the address space of winlogon.exe. The files cabpck.dll (detected by Sophos as Mal/TinyDL-T), k86.bin and krnlcab.sys (detected by Microsoft as Backdoor:Win32/Haxdoor) are created in the %System% folder.
A directory %Temp%\msi_setup is created and the malware connects to one of the following hosts: http://****-****.biz/jerken/data.php?trackid=706172616D3D6 or http://*****.net/22/data.php?trackid=706172616D3D636D64266C616E6
Only 8 of the 36 anti-virus engines on VirusTotal detect this sample. F-Secure recognises it as Suspicious:W32/Malware!Gemini, Trend Micro as PAK_Generic.001 and AVG as SHeur.CIKH.
VirusTotal permalink and MD5: 6ba40e29db8fb6f9145fde7a45708875.
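As an added example (not code from the original post), a small Python triage helper that turns the indicators above into checks a mail gateway or proxy-log review could run: it flags the campaign's attachment naming and any executable inside the zip, and decodes the hex trackid of the data.php beacon (the trackid values quoted above are hex-encoded ASCII, truncated in the post). The host example.invalid and the sample zip are constructed placeholders.

```python
import io
import re
import zipfile
from urllib.parse import parse_qs, urlparse

# Attachment naming seen in this campaign: user-<ID>-activities.zip holding a .exe
ATTACHMENT_RE = re.compile(r"^user-[A-Z0-9]+-activities\.(zip|exe)$", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def triage_zip(zip_bytes: bytes, attachment_name: str) -> list:
    """Return the reasons an attachment should be quarantined (empty list = nothing found)."""
    findings = []
    if ATTACHMENT_RE.match(attachment_name):
        findings.append(f"attachment name matches campaign pattern: {attachment_name}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():  # only names are read; nothing is extracted or run
            if member.lower().endswith(EXECUTABLE_EXT):
                findings.append(f"executable inside archive: {member}")
    return findings


def is_beacon(url: str) -> bool:
    """True for URLs shaped like the campaign check-in: .../data.php?trackid=<hex>."""
    parsed = urlparse(url)
    trackid = parse_qs(parsed.query).get("trackid", [""])[0]
    return parsed.path.endswith("/data.php") and bool(re.fullmatch(r"[0-9A-Fa-f]+", trackid))


def decode_trackid(url: str) -> str:
    """Decode the hex trackid parameter; an odd-length (truncated) value drops its last nibble."""
    hexval = parse_qs(urlparse(url).query).get("trackid", [""])[0]
    hexval = hexval[: len(hexval) // 2 * 2]
    return bytes.fromhex(hexval).decode("ascii", errors="replace")


def sample_zip_bytes() -> bytes:
    """Constructed sample: a zip whose member carries the campaign's .exe name but holds plain text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("user-EA49943X-activities.exe", "not a real PE file")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(sample_zip_bytes(), "user-EA49943X-activities.zip"))
    beacon = "http://example.invalid/22/data.php?trackid=706172616D3D636D64266C616E6"  # host is a placeholder
    print(is_beacon(beacon), decode_trackid(beacon))  # True param=cmd&lan
```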

Thank you for this information. I received this email today and was sure it wasn’t right. You were my first hit on google. Thanks!
I got this today also. Great job. I knew it was fishy but my anti-virus didn’t pick it up. Thanks!!!
Thanks for this post. I knew this was a virus, but it was nice to see the first thing on Google was documenting the very letter I received.
Thanks for the info!
Thanks as well, very smart mail, also nasty … So thanks for the post
dear mxlab Team,
Thank you very much for your information. It is useful for me to alert my users.
Sumalee-Bangkok
How to remove this virus from machine? Please help.
Thank you for the info… Just got this email and yours was the first hit!!!
Thanks!
I got the same e-mail today, how dumb do you think people are???
By the way, does anyone know what this virus/trojan does??? Or do we have an ID10T that has loaded it up for us? If so, let us know. Thanks …
Thank you very much. I got this email today and the info on your site actually saved me. Thanks !!
Thanks for the heads up. Knew something was dodgy with it as I don’t ever download anything anyway! Honest!
Thanks, I Had this e-mail today.
I would like to thank you, and as I am French, I am doing it in French (in any case my English is……….)
I have just received this mail at my work address. If the accusation were founded, one might wonder, but that is not the case……….and what's more, this one is written in English, hence my suspicion.
With all my thanks.
Regards,
Catherine
Thanks!
It is very useful info.
I got this email today too…
Regards,
Ran
[fr] Hi. Well, same here, thanks for the info: I just received it this morning and a quick search on the net led me here…. Cool!! In any case, this virus is going to cause a stir, since real legal actions in this form already exist (already seen in France)….
[en] Thanks a lot. I’ve received the mail this morning. As I was wondering if that is a legal concept or not, I’ve searched online and here I am…. Anyway, quite weirdo to get a pseudo ‘report document’ that is a .exe…
Just received this email, first hit in Google and here I am, thanks a lot!!
Same for me, received this morning and sent straight to the trash (we are not going to start opening zipped attachments just because they supposedly come from a so-called Internet Activity Monitoring Service).
But something tells me this one is going to wreak havoc …
In any case, thanks for the info, and for the quick reaction!
I got this virus today in my mailbox and was sure there is a virus in the attachment although my av program didn’t catch it.
As a rule of thumb I do not open attachments in messages from strangers.
Thanks for the information
Also received this virus today. My BitDefender didn’t “smell” it.
TY
I have just received the same letter.
Thank You for the info.
Next! Got a notice in my mailbox this morning. I had a good laugh when I read that phony information. No need to suppress it, my F-Secure system had already done the job for me… BOOM, antivirus: 1 Trojan: 0
I have just received the same letter.
Thank You very much for the info.
I received this message today. How stupid must be someone to open this message. It’s not recognized by McAfee Security Center… That’s not cool…
Thanks a lot! I just received it today and I knew it was a virus, but I said I must check on Google what this ICS Monitoring is.
Is there any way to stop this kind of virus? Or any way to take legal action against these people?
I also got this email; luckily I never download zipped files from emails anyway, but thanks for preventing my curiosity from killing the cat, so to speak.
I contacted my internet service provider and they said it was an authentic email!
thank fuck for that – I thought they’d caught me….
seriously though…copyright theft doesn’t help the artists you like to make more work…therefore stemming your long term enjoyment…
if you like an artist you should pay for their work and encourage them to do more…and I’m talking about both music and porn….
…and it is a pretty bad email – the initial zip being not detected by Norton…
Thanks for the info. I received it and was taken aback at first because I have only had net access at my new address (abroad) for 3 months. Googled and came across your website with the details.
Thanks
Thanks guys
Our mail scanner picked it up but must say was a bit shocked.
Don’t think the boss would have been too happy.
Received the email today on our business address.
Scared the s**t out of me :s
Searched for “ICS Monitoring Team” on Google to make sure if it was safe or not.
You were the first hit on Google
Norton did not detect this email as a virus.
Thanks.
Thanks, keep up the good work, had this one too (didn’t run it) and Sophos missed it. It is a UPX2-packed file within a zip attached to the message.
Hi,
Thanks for the information. It’s a pity that I checked after I had opened the attachment. My Trend Micro Internet Security didn’t detect anything. What can I do?
Thank you for your help!
Thanks for the info, I sent the email to the trash.
thank you for your help
Thanks for this post! I got this message twice today (our spam filter is worthless). Naturally I didn’t open it, but boy was I mad! Why can’t the people who come up with these things channel their intelligence into something good?
Once again this proves that malware/virus infection really has more to do with user error than with what OS or security software you are using or not.
Ideas and Revolution – If you’re not outraged you’re not reading this blog
Thank you. I too got this email today and was suspicious. your site came up first on google.
Thank you for your precious help.
thanks, appreciated
+1 in France
“If you don’t know the sender delete it, don’t use off-line mail client (as Thunderbird, Outlook express and others), use only on-line mail client like zimbra..”
cool m8 how you put stuff on
Hi, thanks, got this email this morning, was a bit curious as I check emails online and delete garbage before I download email, and my virus scanner picked this up, AVG free version, which I am happy with. Thank you for the info.
regards.
Pingback: Top Posts « WordPress.com
Never got such a message! I don’t use MS IE and I never surf with administrator rights, and Scotty WinPatrol always informs me if something wants to install a plug-in or anything else during a browser session.
I never install things I haven’t read about or for the sake of watching a video, because this can make other software like video cutting software dysfunctional.
An easy backup program like Acronis or Drive Image adds the convenience if something goes badly wrong.
I don’t believe in Viruses, Trojans and Botnets – I tried to infect my setups and guess what it never worked.
www americanfreepress net worth your time!
Hi,
Anything with a zip file is going to be very dodgy if it’s from an unknown source.
I tapped in the email address into google and the actual email did in fact exist, however it originated from someone working on a cocoa plant in Malaysia. The ICS are everywhere eh! LOL!
Does this mean this guy is infected and the virus is propagating like this?
Thanks for this information, I’m in France and received it yesterday at 11:00 am; I was just looking at my SPAM messages and found it there by chance.
Good advertising in Google!!!
Thanks very much!
Thank you for the info!
Thanks for the warning. I received this email today. It was in my junk folder.
I must be further down the food chain because I didn’t get the email until today, spelling errors and all. It has mutated to:
Your internet access is going to get suspended
The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts.
We are aware of your illegal activities on the internet wich were originating from
You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.
Sincerely
ICS Monitoring Team
Thanks for the detailed description. Our Ticket Office received this email on Thursday (11th) and waited to hear from me before opening. Like so many of the others, the executable file was a dead give-away,
Nice one chap.
The spelling and grammar on this particular ‘email’ made I laugh. Puny effort.
Thanks for confirming my suspicions, it didn’t look right when I read it this evening,
bad spelling was one of the reasons.
(they could at least learn English, to make the game more interesting).
It was immediately deleted, then the delete bin was emptied.
They have to be brighter than this !
Big Al said ‘Puny effort’, I have to agree.
D
I just got the same e-mail. I use AVG and it picked it up right away. Thanks for the great site, it is nice to get some information on the virus.
I use no antivirus software and received this ;(
I ran the file, but it won’t run under linux, even tried using WINE
Any ideas how to get the .exe. to run ?
Thanks for the info.
AVG picked it up as a threat.
I googled for some help and found this site. Great work.
I was suss at spelling of wich.
Keep up the good work.
Steve from Australia
Luckily my free AVG picked it up today. the email looks dodgy anyway but it’s still good to find out what it is and what it does to you. Thanks for the info.
I must be really lucky – I’m in France and I’ve had it twice. Kaspersky picked it up.
Pingback: Warnung: Besonders gemeine Viren-Mail | datenschmutz.net
The originator email address is a respected USA newspaper company for the email above that I received today. I have AVG so I was lucky it was picked up!
I investigated the originator and sent them a report, but as yet have had no reply. I have reported the email to UK authorities.
Thanks for your info.
I got this.. I was surprised..!
Always good luck !^^
From South Korea
Thanks for the info. I knew it was bad because of where it came from and the email it was addressed to, but it’s good to confirm. You are the first on a Google search. Thank you.
I got this last week like everyone else, and I ignored it, as I have a Mac
Hmm good to know…
Shits fucked up all around…
When it rains it pours!!!
http://andthisismyamerica.com/2008/09/16/what-a-start-to-the-week/
Thank you for the post. One of my clients actually called today and asked about the e-mail. When I searched, you guys popped right up and I could give them the info and what my source was. Thanks again.
Pingback: ITworx.ca » Blog Archive » There is no ICS Monitoring Team …
As president I promise I won’t let any alien virus pass immigration in the US.
Vote for me.
Thank you for your support.
Thanks for your post. I was considering a reply “f**K u” to that emailer. However, just wanted to be 110% sure that’s virus. Cheers!
Following is the procedure for the removal of the ICS Monitoring Virus:
1. Start your computer normally, then you will see the blue screen. Note down the file name mentioned in the blue screen.
2. Start your computer in SAFE MODE and go to the Device Manager.
3. In Device Manager go to the View menu and click on Show Hidden Devices.
4. Find the previously noted name under Non-Plug and Play Drivers.
5. When you find it, uninstall the service.
6. If you get the blue screen again, repeat the procedure from no. 1.
Thanks
Adeel
Thank you ever so much, got the email today and I was sure it was a virus, googled the title and ya site was at the top.
Keep up the good work
Thank you Google.. I went “what’s this” then googled it, I too knew it wasn’t right..
why do they do this are they that bored lol
tks google for being there…
from new zealand
Thank you for this posting it saved my life.
Thanks. Like others, I suspected a virus as there was a .zip folder, but I first got it on my mac and I have no virus software on it. Then I forwarded it back to me, and checked on my pc, and Kaspersky picked it up and offered to zap the zip folder
“Your internet access is going to get suspended”
Ha! And why?
I never download anything.
Let’s quickly ask Google what it thinks; I happened to need an example for my computer classes, to show my students that it is easy to check this kind of mail.
There, done.
Many thanks
Thanks!
France
Thanks,
I had this today and guessed it was a virus of some kind so did not open it. I also emailed the domain admin from which it was sent to warn them what was happening…..I guess they run an open relay.
Garnet
Thank you
how to remove this virus?
Thanks for the heads up.
http://www.rapmonster.com
Thanks for letting me know about this. I received this email last night and searched for it, finding your website. I get ebooks at showmemyebooks.com with the virus list, but this one was new and not on there. I’m going to submit it and request another ebook created.
Hello,
OK, same for me, a quick trip to Google and there’s the answer… You could have guessed it, it reeked of VIRUS, but AVAST saw nothing, at least as far as the email anti-virus goes… I didn’t take the risk of saving the ZIP to scan it… Oh well! Straight to the trash!
Thanks for the info!
Thank you for the Information, and confirmation Just deleted at once!
d) all the above
Thanx
I use a G5 PPC so it doesn’t bother me personally, but it is important to know so that I do not pass it along to others.
peace
Thank you for your message.
Yours came up first when I googled “Your internet access is going to get suspended”.
Great job.
Got the mail 5 times today. It looked dubious immediately. Googling gave me this site. Thanks for putting this useful info on the net.
Got the email today. Was very suspicious as I do not download music. Google picked up your site when I put in ICS Monitoring. Thanks. Feel sorry for those that opened the zip.
Hi guys, I have to say a huge thumbs up to Kaspersky, it picked up and disinfected this virus straight away. Huge thanks to everyone here as well for the information. These people that make these viruses are sick and if caught should be fined heavily and not allowed to have access to a PC again.
I just got this one today…it has changed a bit in that now the attachment is a txt file, no doubt it’s still as harmful but my AVG caught it and even if it hadn’t I never open files from folks I don’t know. Snopes is a huge source that most folks I know use and there was nothing I could find on their site pertaining to this one..glad your site was the first on my google search after coming up empty on Snopes.
Thanks
Hey guys, luckily my Trend Micro OfficeScan detects it. But how the heck did “it” get my mail address?
hail MxLab.
cheers
Just found more information about this virus, but it seems to be old… look:
http://www.tutsi.de/your-internet-access-is-going-to-get-suspended-ics-monitoring-team/2008/11/09/tutsi-blog-aktuell/
Can never have too much info on viruses… thx
Thanks
Thank you. I just received this email and had to check it out.
My dad received this e-mail today, and I thought it looked suspicious… I mean, look at it! There are so many friggin’ spelling mistakes. You’d think a company as serious as finding people conducting illegal activities on the internet could at least SPELL CHECK their e-mails before they send them out.
Thanks, but how to fix it? I am using MS Security Essentials… thanks