Mysterious emails!

I have been using KIS 6.0 for sometime now and my email client is MS Outlook 2003, recently upgraded to MS Outlook 2007 with Office 2007 - KIS is set to scan all emails and mailboxes.
In addition to Kaspersky Iinternet Ssecurity 6.0 I have the following on my PC:-
Spyware Blaster
Spybot Search
Wormguard

Over a period of some weeks I have noticed that Outlook reports sending emails that I know nothing about, usually 4 at a time in quick succession. I have no idea what these emails are I just see "sending 1 of 4" and so on ... of course I am concerned.

I have done full PC scans with KIS 6.0 and also with MS Live One Care and the MS Malicious Software Removal Tool but nothing has been found.
Does anyone have any idea about this seemingly suspicious activity and more importantly what I can do about it?
Is there a facility to force seeing an email before it is sent?

 

Post this in Kaspersky's forum along with a HijackThis log... HijackThis logs are not aloud on Wilders.

Edit: Kaspersky forum's gone a little titsup the last day or two... read this Support page for more information of how to check if its a virus or not: http://support.kaspersky.com/viruses/computers?qid=193238610
Also, make sure you send a description of your problem... (what you posted in the above post)

 

Strange.
Seams you have a nasty worm, but if so Kapersky should be able to find it.

P.S. Do you have 4 e-mail acounts in Outlook?

 

More incline to say you have a zombee installed that using your pc (and Email)
if you cant find it simple thing may be Change your mial ID (new one) as some one has yours. and is using it to scamm ather pcs , (trojan) also check ,check to see if Pop3 port is open! 110-Make shure its CLOSED at minn Better if stealthed-ather thing get hold of a mial filter program to allow or block ,lett me explane
no one can send ,use,my emial ,unless i send one ,and the recever has to use that sent emial back ..or any thing els will give a pearson the no address (non found) non exsistent---and bounce back at the sender!
I amd inclined to say you Got a trojan on your system! That every time you log in its Set of to Do what ever its made to ..
last resort Reformat start over ...
Good luck and i hope you find whats Doing it...I know thats the easy anser
and not meant to BE .I have 5 pcs that are on the nett when i use 1 of them (nott netted But stand alone) and 3 have a system restore build into them (motherbourd bios) Not the OS one ..there Stored is my running installed programs.if for what ever reasion I think something has gotten in the hard drive that should not be there ,then at boot time i hit F9 and restore ..
Very handy ! i update this every once in a while ,save reinstalling any thing new ..So i did not mean it as a easy cop out anser...
itsmej

 

Hi rjbsec

It sounds like you have a hidden(rootkit) bot running on your PC,if the timeline you suggest involved it is quite possible that you may have wincom32.sys rootkit loaded as it was doing the rounds recently(25/1/07+).

When i have loaded this rootkit malware onto my 'puter KAV 6 has been *blind* to it on maximum sensitivity scan ,
I would be very surprised if any of the other softwares you have named would be able to *see* this trojan either once it is loaded


Just to rule in/out this scenario download+update defs of the free version of the following software>>>
http://superantispyware.com/

Next run a full system scan from safe mode to see if it turns up this/any hidden bots.If it finds any threats can you copy& paste the scan log generated for review.

HTH

 

as the saying goes prevention is always better than cure
didnt pdm flag any odd behavior recently?
if you have a rootkit it will still be able to be seen by kaspersky due to the selfprotection as shown in a presentation by kaspersky vs rootkits at there website.
https://www.wilderssecurity.com/showthread.php?t=157345
read the pdf and then do the specify an object to scan.
see if the folders match up to the ones in windows explorer if they dont and there is a folder with odd files shown in kaspersky then you have got a rootkit
lodore

 

Hi Lodore

Despite what is written in PDF which lets face it is purely based around HacDef Rootkit detection in reality KAV detection of a wider range of RK malwares is *weak* at best.

Here are the most common RK's i am picking up in the wild at the moment and results of KAV scans with current defs loaded.

Rustock A (lzx32.sys) Not detected
Rustock B (lzx32.sys,huy32.sys) Not detected
Wincom32.sys Not detected
Haxdor(1) (Pasksa.dll +p81eskse.sys) Not detected
Haxdor(2) (Protector.exe+ntio256.sys) Not detected

The truth is Kaspersky is a great AV and is getting stronger against Bots all the time but it is not a good ARK tool against the new stuff once it is loaded.Maybe in a future version they will improve this capability


BTW your absolutely correct about the best form of ARK is not to let them install in the first pace

 

fcukdak have you sent the samples to kaspersky for analisys?
since you have tested them against kaspersky you might as well send them to kaspersky so they can detect them
lodore

 

Yes,if you follow the malware listserve info trail you will find that Kaspersky get all my samples that are uploaded to malware listserve and IRC they will get copies of all samples uploaded to VirusTotal & Jotti services

We need to break down these malware files into 2 seperate types,you have the droppers(installers) which if they are known quantities any AV/AT/ASW worth their salt running in realtime will block them from delivering their payload if they *know* that file.

The trouble is once a dropper has gone past realtime defenders and dropped its payload(loaded the rootkit/trojan) which happens when the *dropper* is not known by the defending softwares databases.
At this point it boils down to whether the scanning software has the capabilities to detect and action a removal against the rootkit/trojan.

At this point those trojans/rootkit malwares listed in my previous post are not detectable by Kasp AV6.
Net result it is *blind* to them once they are loaded and filtering kernel traffic to hide their existance/activity on a computer.

Please do not take this as an attack against Kaspersky afterall i have their AV installed on my computer for on-demand use,it is a very good AV software but like most AV softwares they are *weak* if not totally ineffective against loaded rootkits/trojans.

HTH

 

Agree with fcukdat... Kaspersky only detects rootkits via PDM (when executing the rootkit)... once the rootkit is executed and embedded, Kaspersky wont detect it anymore... most AVs are bad at this, rather use a rootkit scanner rather than scanning using antivirus once you have a rootkit executed.

 

I don't use KIS but some of these people do. I am wondering if you could if you could adjust the firewall so you could control what is sent from your EMail. Perhaps you could set the permissions to ASK in your firewall Do you need to have server permissions set to get EMail working properly ? Also you could try some trojan scanners as has been suggested. SuperAntiSpyware works well & might find a trojan or even a root kit. A2 free is also a very good antitrojan. I suspect if you scan with A2 & SAS & find nothing you don't have either root kits or trojans. I have seen the same phenomenon with my wifes Email She uses ZoneAlarm. I could find nothing wrong no malware of any kind . I really doubt that if you are using KIS ( one of the best security suites out there ) there is anything wrong. You also could try the Kapersky forums perhaps they could explain this.

 

so i guess nod32 antistealth technology cant catch it either?
lodore

 

Correct with reference to early Rustock B build but i would guess this applies to all B builds once loaded
Nod2.7 vs loaded rustock B Bypassed
http://forum.sysinternals.com/forum_posts.asp?TID=9731&PN=1&TPN=1

*don't try it at home unless you are 100% sure what you are doing

 

Once the RK is loaded, dedicated RK detectors would be the best. KIS/KAV PDM can avoid a RK from loading its service but you would get an alert just on execution.

And also, are you using the latest version of KIS? (MP2= 6.0.2.614) Because as far as I know it has Mass-Mailing detection capabilities.

See:

http://forum.kaspersky.com/uploads/post-28040-1170816752.jpg

 

Hmm time to update

I will test vs my collection of creatures in my malware zoo tomorrow maybe

 

Don't like this zombie behavior you describe, AT all!

If it were me apart from panic what would I do?

If I have 2 PC's with internet I would shut the connection off on the zombie PC, like NOW! You have no idea where these email are going and what they are sending about you!

Once that is done, I would use 2nd PC to download as many ASW and AV's Cleanup tools as possible and copy the installers and executables on to the zombie PC via cd or dvd. Get blbeta.exe and ice sword. + BitDefender V8 and AntiVir.

Then the following on the zombie PC. (let's call it Z_PC)

1) backup to dvd or external drive all critical user data
2) run all existing AV's and ASW's again.Close your existing AV.
3) run CCleaner, and any registry cleanup tools you have.
4) install and run blbeta
5) install and run ice sword
6) install and run BitDefender V8
7) close BitDefender (2 AV's are bad news)
install run AntiVir

Restart your PC in Safe Mode do 2,3,4,5,6,7,8 again

Reconnect to internet

1) turn off your email, update windows install any security or criticals
2) update all the security tools, disconnect
3) run them all again
4) restart run all again in safe mode
5) use Task Manager to see if any weird programs running (google name to check)

Test to see if email problem gone

If all fails, reinstall Windows and reformat PC in process, reinstall all valid applications get a solid I/O firewall. Use different email client like Thunderbird

Good luck!

 

Altough it seems that NOD 32 2.7 is bypassed by a loaded Rustock, does NOD 32 reports discrepancies between number of files scanned with and without AntiStealth technology?