Something very strange

Discussion in 'malware problems & news' started by Detox, Aug 31, 2002.

Thread Status:
Not open for further replies.
  1. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    I think this is the right section of forums.. if not move plz.. cause it might be some kinda spam.. anyway I got two emails today in my regular account.

    Both are from "Mail Delivery System"

    and the subject line of each reads "Undelivered Mail Returned to Sender -Schuitema"

    the message body is as follows :
    with the exception that the second message says it was returned from "Barbie801@hotmail.com"

    and each has an attachment "Schuitema.eml" both of which are identical in size - 29.1 kb. Neither Avast nor AVG alerted, but I have not opened either attachment. Obviously, I do not know anyone with these email addresses and while the msg is almost convincing it just isn't kosher... Other than the fact that these emails were never sent and I have no idea what "Schuitema" means, bounce msgs always tell you what kind of error that recipient encountered. Anyone know what this iso_O
     
  2. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    wasn't it klez that when infecting a machine it emails all the people in the contacts folder, but uses the return address of on of the other contacts. This has the effect of people getting email from others but think it is you. Mail servers reply to the return address which was you. I have gotten them before as well. Usually this all means that someone you know has been infected. The attachment may be a copy of the original message. In it, the message header may reveal where the original email came from.

    Alternately, the attachments could be malware.

    One way to find out ;)
     
  3. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    I don't feel secure enough to go opening them, especially when my 2 cheapy AVs didnt say a thing about them, and both scan email attachments upon receipt.
     
  4. FanJ

    FanJ Guest

    Schuitema is a Dutch surname (family-name).
     
  5. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    It sure is great to have a resource like this! Us North-Americans might have spent hours trying to figure that out if we had no international place like this to check.

    Thanx Jan!
     
  6. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Hm and I'm in an almost all Dutch squad playing online games... Better post a link to this on our forum!!
     
  7. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Well, the mystery is solved.. FanJ told me to forward the email, and when I tried to, Avast32 caught it - WIN32-YahaE

    soooooo that's what it is!

    Don't understand why they weren't caught on the way in.
     
  8. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    all's well that ends well I suppose.
     
  9. FanJ

    FanJ Guest

    Hi Detox,

    I guess it's indeed a good suggestion to ask all your game buddies to check their systems with a good AV.

    Some questions/remarks/suggestions:

    Are you running AVG and Avast32 at the same time?
    Which one was running when you received the mail?

    Indeed there was no virus anymore when I received it; obviously Avast32 caught the virus when you forwarded the mail:

    X-Antivirus: Avast32 (VPS 8/22/02), Outbound message
    X-Antivirus-Status: Clean
    Attachment: \SCHUITEMA.EML\SCHUITEMA.MPG.BAT   Virus: Win32:Yaha-E [Wrm]   Deleted

    Have you set up your system in such a way that it shows all extensions?

    I suggest that you completely remove that email from your system, and that you do a system-scan with the Panda Quick Remover pqremove.com (see the free-tools and download page at the Wilders-site), and that you also do a scan with that free cleaning tool from Kaspersky.
    See also for example this thread:
    http://www.wilderssecurity.com/showthread.php?t=2755
    Maybe also do a scan with some of the free on-line scanners.

    Maybe it's also time to look for a good AV (I know, the good ones are not free)....

    Cheers, Jan.
     
  10. FanJ

    FanJ Guest

    See also this thread:
    http://www.wilderssecurity.com/showthread.php?t=1948

    The worm will try to disable several security app's.
     
  11. Dirkje

    Dirkje Guest

    I had this Schuitema.eml file also in my emailbox.
    Wanted 2 open the file my VS went off like crazy.
    The addres where i had it from was another then posted here. Might be strange though. I added the emailadress into MSN and had a talk with that guy. He didnt know a thing.

    The message was saying that the guy wanted a "stage"period for school at the company Schuitema.

    Greetz
    Dirkje
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You also might like to zip the thing and store it in your "test zoo". If you don't have such you might like to keep a diskette fur such things or a special folder on your system where you copy --preferable zipped-- your suspicious files and nasties. I scan that folder at times for instance with TDS and see what nice references Gavin added to our TDS/radius or i go inside and rightclick scan some, and if i would not see the appearing name with for instance AVP in TDS i submit the thing (often it was there already with another name).
    Yaha / lentin is in the database since the first day, so clicking on that file before it was cleansed would have brought it up.
    That's also a reason to zip them, as it's not nice to submit your gems to the lab and either our own or the lab's cleaner has cleansed it all out. And they can't be activated so easy.

    Yaha was very "successfull" in the Netherlands since the first start, remember? And indeed from socalled "postmasters" etc etc. Schuitema i had not seem coming by, but goldfish and the whole zoo.

    What you would like to have online? A thing with unknown words or names or your games databases? :D
    A "schuit" is another word for "ship", most of time, so it's an old name from people who had to do with ships and the sea. But that's of no relevance here.
     
  13. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    FanJ - Yeah I am using Avast and AVG both at the same time; they wer eboth running. Avast is always first in line to catching something though. I would really like a good AV like NOD32 from what I've read in here, but I've been living on saved money without income for what's about to be 2 years now. Funds are running low and it's got to get my family through 2 more semesters of college before I go to work.

    I'm not really sure if my system shows all extensions or not :-/ I only saw "Schuitema.eml" in my email.

    I don't have a test zoo; I guess you ouse it to test proegrams for detection??
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Yes, the test zoo is building up little by little from all the infected emails. I created a special place for it where i copy all i think is suspicious.
    Like yesterday: i looked in a newsgroup, via OE, so the moment i click a header the message comes in and yep! there had a joker put several postings with nasties, socalled innocent files, some zipped, some exe and who knows what more. If i smell a rat like in this case, i save them to that "zoo" space to test them from there. What is not zipped i zip if it is a nastie thing. I never believe at once such a file is innocent, always use several scanners. When in doubt, submit to the TDS lab for an answer or at the www.kaspersky.com site where we can test one file or several at a time in one bigger zip (till 1mb total). The ones from yesterday you would not even like to whisper their names i guess. Anyway, after i click the newsgroup's properties, delete all and put it back to origin so that folder is small and clean, after i comprimize it also, so it must be clean, clean all windows and browsers caches and all that.
    It's certainly worth to see if all is working properly.
    Can you imagine my disappointment, as there are over 300 nasties, of which various the same, and an online scan found only 23 in there? Not just only unzipped, so i feel not so really good with that online scanner.
    But it's the same with a folder in my OE where i store everything with attachments and what seems suspicious for some reason: when i have other software scanning that folder, only one infection is found, i move that or copy possible attachments to the zoo, scan again and only one new infection is found; very irritating, if there are 10 infections i want 10 alarms on that folder of course :)
    The only place outside my computer where my zoo goes is to the TDS lab if necessary or in doubt, as i wouldn't like to think of one of those nasties would spread itself in any way!
     
  15. controler

    controler Guest

    But Jooske ? A ship is a vessel used to carry things ;)
     
  16. FanJ

    FanJ Guest

    Hi Detox,

    My apologies ! I should have choosen my words more carefully.

    Best wishes, Jan.
     
  17. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    FanJ - No need to apologize - After all, you are right, I need a better AV ;-)

    Just can't afford it right now. You advice was perfectly sound and you ddi not word it in an offensive way!
     
Loading...
Thread Status:
Not open for further replies.