xisto Community
ysNoi

Email From "resume-thanks@google.com" I received an email with Thank you from Google...


Hi...

A minute ago, I received an email from resume-thanks@google.com with "Thank you from Google!"...

And the message was:

We just received your resume and would like to thank you for your interest in working at Google. This email confirms that your application has been submitted for an open position.

Our staffing team will carefully assess your qualifications for the role(s) you
selected and others that may be a fit. Should there be a suitable match, we
will be sure to get in touch with you.

Click on the attached file to review your submitted application.

Have fun and thanks again for applying to Google!

Google Staffing


and it has a Google Logo at the top of the message...

There is also an attached zip file and, when unzipped, the file is document.exe...

I tried scanning the file with my antivirus and it was detected as TR/Spy.985600.2 and was then moved to quarantine...

Has anyone here already experienced this thing..?

Did this email really come from Google?


Is it really from that address? Maybe it's the reply-to address? I think you need to check the full header information, as I doubt it's directly from Google? But if it is, then Google got hacked or something? Did you submit any resume to Google? Or maybe Google is spying :) which I doubt they would do so obviously ;D


Yes... I believe it's from that address...

I started receiving that mail yesterday (1 mail) and today I got two mails from that same address.

Oh, and I tried executing the file and then ran a complete scan; I got this NvTaskbarlnh.exe residing in the directory shown in the image below.

 

Posted Image

 

Oh and it was detected as trojan by Avira.

 

I'm gonna block this address from now on... :)


That's a forged email. It is easy to replace the From address and even the BCC and CC parts of the email (you won't usually see the BCC, hence the acronym for "blind carbon copy"). The only part of the mail that is hard to modify is the source email server. Google never sends exe files to anyone; even my Google earnings and my Google Ads incentives never had an attached exe file. Google's server is wise enough to open up zip files and check for exe files even if they are password protected. I have no idea what your email service provider is and how you access the mail, but if it allows you to open and view the original email, just do so. Some email services/readers only allow you to view the headers, and this is enough since the header information contains the source server, the time of sending, the timestamp and the timezone, the handshake server and the message digest id.
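As an added example (not code from any post in this thread) of the header check described above: the script below unfolds a constructed set of raw headers, lists the Received: relay chain, and compares the relay closest to the origin with the domain claimed in From:. The hostnames and addresses in the sample are placeholders from documentation ranges.

```powershell
# Added example, not from the thread. The From: line is whatever the sender wrote;
# each Received: line is stamped by a relay, so the chain (read bottom-up) shows
# where the message really entered the mail system.
# Constructed sample; hosts and addresses are placeholders, not real relays.
$rawHeaders = @'
Received: from mx.example-corp.co.kr (mx.example-corp.co.kr [203.0.113.10])
        by mail.example-corp.co.kr with ESMTP; Tue, 02 Nov 2010 09:12:33 +0900
Received: from [198.51.100.77] (unknown [198.51.100.77])
        by mx.example-corp.co.kr with SMTP; Tue, 02 Nov 2010 09:12:30 +0900
From: Google Staffing <resume-thanks@google.com>
Subject: Thank you from Google!
'@

function Get-UnfoldedHeaders([string]$Raw) {
    # RFC 5322 folding: a line starting with whitespace continues the previous header.
    $lines = @()
    foreach ($l in ($Raw -split "`r?`n")) {
        if ($l -match '^\s' -and $lines.Count -gt 0) { $lines[-1] += ' ' + $l.Trim() }
        elseif ($l.Trim()) { $lines += $l }
    }
    return $lines
}

$headers  = @(Get-UnfoldedHeaders $rawHeaders)
$from     = @($headers | Where-Object { $_ -match '^From:' })[0]
$fromDom  = if ($from -match '@([\w.-]+)') { $Matches[1] } else { '?' }
$received = @($headers | Where-Object { $_ -match '^Received:' })

"From: header claims domain '$fromDom'"
"Received: chain, newest relay first:"
for ($i = 0; $i -lt $received.Count; $i++) { "  $($i + 1). $($received[$i])" }

# The last Received: line is the hop closest to the real origin.
$origin = if ($received[-1] -match 'from\s+(\S+)') { $Matches[1] } else { '?' }
if ($origin -eq $fromDom -or $origin -like "*.$fromDom") {
    "Origin relay '$origin' is in $fromDom."
} else {
    "Origin relay '$origin' is not in $fromDom: the From: address cannot be trusted."
}
```

With the sample above the origin relay is a bare IP address, not a google.com host, which is the pattern the thread is describing.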


You didn't tell us whether or not you applied to Google! If you sent your resume and got this mail then there's a good chance it's a fake, because Google doesn't send executables. And if you didn't apply and still got this mail, then it's definitely a fake because Google doesn't give out jobs to random people! (no offense) It's very easy to fake the destination address and this is a classic example of how such a thing can be done easily.


I think spammers can use a trick to change the sender address; believe me, I know, I had a spam message which for some reason said that it was sent by me when I know that I didn't send it. I suppose the best thing is, if you know you didn't even apply for a job, then you shouldn't have an email. Another thing is that Google would have sent you a letter, not an email, as letters are more businesslike and more appropriate when it comes to offering someone a job. And a document would not be an exe, so I'd get it removed by your scanner.


Pretty awkward. I would really doubt that it's real because of the fact that it had a bundled exe file. Since the exe was bundled, the spammer/viruser was trying to make you unzip it and have an unzipping program that would automatically run the document.exe, or you have a file browser that hides the file extension so it looks like something like a Word document when it is really an executable. Don't know if that's any help, though.


Google is also an invite-only and employee-referral type of company. Either you are invited by Google because they noticed that you are a skilled person for a job opening, or at least 3 employees referred you. The only time they will entertain a resume is when they greatly lack a certain amount of manpower.


I have no idea what was your email service provider was and how you access the mail but if it allows you to open and view the original email just do so. Some email service/reader only allows you to view the headers and this is enough since the header information contains the source server, the time of sending, the timestamp and the timezone, the handshake server and the message digest id.

I think it has something to do with our company email service provider, because some of my co-workers also received this kind of email.

Oh, and today I got another email from a different address. But it's kind of the same attachment.

 

I received another email from "update@facebookmail.com" and the message was:

 

Hi,

You have got a personal message on Facebook from your friend.

To read it please check the attachment.

Thanks,

The Facebook Team

The attached zip filename was "Facebook message.zip" but when unzipped, I got the same document.exe file as in the "resume-thanks@google.com" one...

And to tell you guys, I don't have an account on Facebook using my company email address. It's kind of a thing I don't understand.

 

What should I do then? :) Please help me...I don't even know what will be the result of these things but I'm worried about what will happen someday.

 

Our email has a domain of .co.kr and it is controlled, I think, in Korea since I'm working in a Korean company.

 

You didn't tell us whether or not you applied to Google! If you sent your resume and got this mail then there's a good chance it's a fake, because Google doesn't send executables. And if you didn't apply and still got this mail, then it's definitely a fake because Google doesn't give out jobs to random people! (no offense) It's very easy to fake the destination address and this is a classic example of how such a thing can be done easily.

Oh, and I'm sorry Simpleton, I didn't apply for any job with them.

 

Thanks for the replies guys.


Things that can be done with an email from an unknown sender:

1. delete the email without opening the email
2. delete the email without reading
3. don't click on links in the email
4. don't open attachments
5. delete the files that enter the computer when an attachment happens to be opened
6. run a virus scanner
7. run a trojan horse scanner
8. run a keyboard logger scanner

Option:

9. install the operating system again to get a clean operating system without a virus and without any other malware.


It's a known worm, named Generic.dx!uap; have a look here: http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=285399

Propagation via Email:

 

The worm uses its own SMTP engine to send email messages with a copy of itself as an attachment. The emails may appear to come from any of the following addresses.

 

e-cards@hallmark.com

order-update@amazon.com

resume-thanks@google.com

thomas.gimpel@ferrari.de

update@facebookmail.com

invitations@twitter.com

Characteristics:

"Generic.dx!uap" is a worm that may propagate via email, removable drives or network shares. It also drops and executes other malware.

 

When executed, the worm connects to the site "whatismyip.com" to retrieve the IP address of the victim's machine, injects its malicious code into the running process "explorer.exe" and, using that process, connects to the DNS name "120107d[removed]workofart.net" over remote port 80.

 

The following files have been dropped into the system:

 

%Temp%\IXP000.TMP\document.exe [Detected as W32/Xirtem@MM]

%WINDIR%\system32\hp-513.exe [Detected as Hiloti.gen.e]

%WINDIR%\kbanet40.dll [Detected as Hiloti.gen.e]

And the dropped file "document.exe" copies itself into the following locations:

 

%WINDIR%\system32\HPWuSchedv.exe [Detected as W32/Xirtem@MM]

[Removable Drive]:\RECYCLER\S-1-6-(Varies)\redmond.exe [Detected as W32/Xirtem@MM]

Also, it attempts to create an autorun.inf file in the root of any accessible disk volume:

 

[Removable Drive]:\autorun.inf

 

The following folder has been added to the system:

 

%Temp%\IXP000.TMP

The following registry Keys have been added to the system:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Cyojileki

HKEY_LOCAL_MACHINE\SOFTWARE\HP145

HKEY_USERS\S-1-5-21-(Varies)\Software\HP145

The following registry values have been added to the system:

 

The worm disables the Windows User Account Control (UAC) alerts by adding the following values to the registry keys.

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\]

UACDisableNotify="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\]

EnableLUA="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Cyojileki\]

Hdicu="168"

The worm registers itself as an authorized application with the Windows Firewall by adding the following registry entry:

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]

%WINDIR%\system32\HPWuSchedv.exe="%WINDIR%\system32\HPWuSchedv.exe:*:Enabled:Explorer"

The following registry entries ensure that the worm executes every time Windows starts.

 

[HKEY_USERS\S-1-5-21-Varies\Software\Microsoft\Windows\CurrentVersion\Run\]

HP Software Updater v2.7="%WINDIR%\system32\HPWuSchedv.exe"

[HKEY_USERS\S-1-5-21-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]

Fgoroxir="rundll32.exe "%WINDIR%\kbanet40.dll",Startup"

The following registry entries have been modified on the system:

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\]

Start="4"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\]

Start="4"

The above-mentioned registry entries confirm that the worm disables the Error Reporting Service (ERSvc) and the Windows Security Center service (wscsvc) respectively.

 

It's removed by McAfee, have a look with your own Anti-Virus program - it's a good test!
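To turn the write-up quoted above into something that can be checked on a host, here is an added read-only PowerShell triage script (written for this thread, not McAfee's or any poster's code) that reports whether the listed registry values, keys, per-user Run entries and dropped files are present. It assumes it is run on the affected machine as the affected user, so that $env:TEMP and the loaded user hive under HKEY_USERS match.

```powershell
# Added example, not from the thread or from McAfee: read-only triage against the
# Generic.dx!uap indicators quoted above. It only reports; it changes nothing.
$win  = $env:WINDIR
$hits = New-Object System.Collections.Generic.List[string]

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value is absent instead of throwing.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key) { return $key.GetValue($Name) }
    return $null
}

# Values the write-up says the worm sets, with the value it sets them to.
$valueChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                       Name = 'UACDisableNotify'; Bad = 1   },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system'; Name = 'EnableLUA';        Bad = 0   },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Cyojileki';       Name = 'Hdicu';            Bad = 168 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\ERSvc';                   Name = 'Start';            Bad = 4   },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc';                  Name = 'Start';            Bad = 4   }
)
foreach ($c in $valueChecks) {
    $v = Get-RegValue $c.Path $c.Name
    if ($null -ne $v -and [string]$v -eq [string]$c.Bad) { $hits.Add("$($c.Path)\$($c.Name) = $v") }
}

# Keys and values whose mere presence is the indicator.
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Get-RegValue $fw "$win\system32\HPWuSchedv.exe") { $hits.Add('firewall exception for HPWuSchedv.exe') }
foreach ($k in 'HKLM:\SOFTWARE\HP145', 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Cyojileki') {
    if (Test-Path $k) { $hits.Add("key present: $k") }
}

# Per-user Run entries (only hives of currently loaded profiles appear under HKEY_USERS).
foreach ($sid in (Get-ChildItem Registry::HKEY_USERS | Where-Object { $_.PSChildName -like 'S-1-5-21-*' })) {
    $run = "Registry::HKEY_USERS\$($sid.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    foreach ($n in 'HP Software Updater v2.7', 'Fgoroxir') {
        $v = Get-RegValue $run $n
        if ($v) { $hits.Add("Run entry '$n' for $($sid.PSChildName): $v") }
    }
}

# Dropped files and folder listed in the write-up (%Temp% is the current user's).
foreach ($f in "$win\system32\HPWuSchedv.exe", "$win\system32\hp-513.exe", "$win\kbanet40.dll", "$env:TEMP\IXP000.TMP") {
    if (Test-Path $f) { $hits.Add("file present: $f") }
}

if ($hits.Count -eq 0) { 'No Generic.dx!uap indicators found.' }
else { "Indicators found ($($hits.Count)):"; $hits | ForEach-Object { "  $_" } }
```

A match on the service Start values or UAC settings alone is not proof by itself, since an administrator can set those too; the dropped files, the Cyojileki/HP145 keys and the named Run entries are the more specific indicators.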


Ah, so that's what's sending those mails; I would imagine that would explain why it has a Google address. After all, a worm would easily be able to change the send address; after all, the address that the end user sees might not be the same one as was used to send the mail. In all likelihood the worm changed the address of the sender before it got sent out. You say that's impossible but it is only data, so a worm coded to send this mail will have the required code to change the send address. It makes me wonder if the original address is hidden. I'd also recommend informing Google since their filters need updating; I think Google should have all files scanned before they come to your inbox so if they are dangerous they get flagged somehow.


Thanks for that helpful information yordan...

 

I have checked my system based on that information and the results are as follows:

 


The Worm disables the windows User Access Control (UAC) alerts by adding the following value to the registry key.

 

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\]

UACDisableNotify="1"

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\]

EnableLUA="0"

Do I need to change the values to the default setting? If so, what are the default values of UACDisableNotify and EnableLUA?

 

However, I still kept receiving the same email from google today...

 

My other co-workers also received some emails from e-cards@hallmark.com, resume-thanks@google.com,

update@facebookmail.com and invitations@twitter.com...


Thanks for that helpful information yordan...

 

I have checked my system based on that information and the results are as follows:

 


Do I need to change the values to the default setting? If so, what are the default values of UACDisableNotify and EnableLUA?

 

However, I still kept receiving the same email from google today...

 

My other co-workers also received some emails from e-cards@hallmark.com, resume-thanks@google.com,

update@facebookmail.com and invitations@twitter.com...

Ouch! I did not really ask you to manually change the registry settings. I just wanted you to have a look at the McAfee site I mentioned, and check whether symptoms like the registry settings and files in folders were present.

Then, my real advice was "buy a real professional antivirus system", and in that precise case McAfee has proved that it was effective.

You can try the online free McAfee virus check, unfortunately I guess they will just tell you "hey, you have a problem, here it is, buy our software in order to fix it".

Now you know that you have the problem, you can try their competitors in the free market. I would start with ClamWinPortable, install the portable version, accept the database update, and perform a full scan of your c: disk, I guess it should at least find and remove the binary worm files.


Oh okay, that was clear... However, my main concern is how to make it so that I could not receive those emails anymore. Yes, I know that anybody will recommend using antivirus programs, but how would you recommend avoiding receiving such things from those email addresses... Thanks a lot...
