What IS this?

Discussion in 'malware problems & news' started by Checkout, May 23, 2002.

Thread Status:
Not open for further replies.
  1. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Every now and then, I receive nonsense like the stuff below (just a snip of it).  I didn't ask for it, I don't know where it's from, and I've no idea what it is.

    Can someone help, please?  It's 134KB in total (it comes inline, not an attachment) and I'm certainly not going to decode it!

    MTIA

    Return-Path: <steve.xxxxxxx1@xxxworld.com>
    Delivered-To: abuse@my.com
    Received: (qmail 58251 messnum 1045264 invoked from network[??.253.1??.45/mta05-svc.xxxworld.com]); 23 May 2002 07:57:43 -0000
    Received: from mta05-svc.xxxworld.com (??.253.1??.45)
     by relay06.my.com (qp 58251) with SMTP; 23 May 2002 07:57:43 -0000
    Received: from Esinbv ([o_O.104.196.20]) by mta05-svc.ntlworld.com
             (InterMail vM.4.01.03.27 201-229-121-127-20010626) with SMTP
             id <20020523075648.XUEN2755.mta05-svc.xxxworld.com@Esinbv>
             for <abuse@my.com>; Thu, 23 May 2002 08:56:48 +0100
    From: remove_usa <remove_usa@excite.com>
    To: abuse@my.com
    Subject: A  WinXP patch
    MIME-Version: 1.0
    Status:  U
    X-UIDL: 1022140664.58289.relay06.xxxxxx.xxx
    Content-Type: multipart/alternative;
         boundary=Zaex7738d69M2ZyY8d7lma3wGcx2EqqKddFH
    Message-Id: <20020523075648.XUEN2755.mta05-svc.xxxworld.com@Esinbv>
    Date: Thu, 23 May 2002 08:57:42 +0100

    --Zaex7738d69M2ZyY8d7lma3wGcx2EqqKddFH
    Content-Type: text/html;
    Content-Transfer-Encoding: quoted-printable

    <HTML><HEAD></HEAD><BODY>

    <FONT>Hello,This is a  WinXP patch

    I wish you would like it.</FONT></BODY></HTML>

    --Zaex7738d69M2ZyY8d7lma3wGcx2EqqKddFH
    Content-Type: application/octet-stream;
         name=HREF.zl9
    Content-Transfer-Encoding: base64
    Content-ID: <Y16562Qc>

    TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g
    RE9TIG1vZGUuDQ0KJAAAAAAAAAAYmX3gXPgTs1z4E7Nc+BOzJ+Qfs1j4E7Pf5B2zT/gTs7Tn
    GbNm+BOzPucAs1X4E7Nc+BKzJfgTs7TnGLNO+BOz5P4Vs134E7NSaWNoXPgTswAAAAAAAAAA

    And so on...
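Added example, not from the thread or any poster: a small scanner that parses a reconstruction of the message quoted above and judges the attachment by its decoded content rather than by the `.zl9` name, which is the check a mail filter should rely on. The sample message is constructed from the snippet (headers trimmed, base64 cut after three lines, closing boundary assumed).

```python
import email
import os

# Constructed sample built from the quoted message: cut after 3 base64 lines, closing boundary assumed.
SAMPLE_EMAIL = """\
From: remove_usa <remove_usa@excite.com>
Subject: A  WinXP patch
Content-Type: multipart/alternative;
     boundary=Zaex7738d69M2ZyY8d7lma3wGcx2EqqKddFH

--Zaex7738d69M2ZyY8d7lma3wGcx2EqqKddFH
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>
<FONT>Hello,This is a  WinXP patch
I wish you would like it.</FONT></BODY></HTML>

--Zaex7738d69M2ZyY8d7lma3wGcx2EqqKddFH
Content-Type: application/octet-stream;
     name=HREF.zl9
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g
RE9TIG1vZGUuDQ0KJAAAAAAAAAAYmX3gXPgTs1z4E7Nc+BOzJ+Qfs1j4E7Pf5B2zT/gTs7Tn
--Zaex7738d69M2ZyY8d7lma3wGcx2EqqKddFH--
"""

KNOWN_EXE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat"}

def scan_message(raw):
    # Returns (attachment name, reason) pairs; decides by content, not by name.
    msg = email.message_from_string(raw)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if part.is_multipart() or filename is None:
            continue
        data = part.get_payload(decode=True) or b""
        if data[:2] == b"MZ":
            findings.append((filename, "MZ executable header"))
            ext = os.path.splitext(filename)[1].lower()
            if ext not in KNOWN_EXE_EXTS:
                findings.append((filename, "executable under extension " + ext))
        if b"cannot be run in DOS mode" in data:
            findings.append((filename, "PE DOS-stub string present"))
    # multipart/alternative should carry renderings of one text, never a file
    if msg.get_content_type() == "multipart/alternative" and findings:
        findings.append(("(message)", "attachment inside multipart/alternative"))
    return findings
```

Running `scan_message(SAMPLE_EMAIL)` reports the attachment three times (MZ header, odd extension, DOS-stub string) plus the structural oddity of a file inside multipart/alternative.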
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Checkout, looks like a Klez.H infection; see the text in it:
    <FONT>Hello,This is a  WinXP patch

    I wish you would like it.</FONT></BODY></HTML>
    If you got it in TXT format in your email you are lucky. I get them daily and most of the time, the moment the email comes into the preview, the attachment shows up.

    You see it has a very strange header; they seem to collect email addresses and names from everywhere. I wondered if they copy all of them to a very large database and grab random names as senders. I have several from senders I never heard of, or from senders whose abuse departments I informed about their infected users.
     
  3. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Ah...thanks, Jooske!  I figured it was malware of some description but I didn't know exactly what!

    I get them in Outlook Express but they're always encoded rather than executable.  Strange...
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Checkout,

    Klez.e actually in this case:

    www.viruslist.com/eng/viruslist.html?id=4292

    Nicely explained as well  ;)

    Moving this thread to the appropriate forum; hope you don't mind!

    regards.

    paul
     
  5. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    This isn't it?  Oh well!  Sure, be my guest.

    (Hmm...so how come AVG and ZAP mailsafe didn't spot this nasty?)
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Are you sure about ZA Mailsafe? :

    Long time since I used ZAP, but if my memory serves me well, ZA renames infected files into such an extension.

    Could you check?

    regards.

    paul
     
  7. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Ah!  If that's what's happened, then I lurv ZAP even more than before!  I might take it out to dinner tonight, ply it with a good wine, and later on...well, who knows.

    Thanks for the pointer, Paul - I've shut my laptop down for now (going home soon) but I'll check the logs this evening, and report back.

    Cheers, m'dear!   :rolleyes:
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    The mailsafe of ZAPro changes the extension into something non-executable, depending on the original extension. If there is an attachment visible, you'll see most of the time two files: one with the frame exploit, the other the infection itself. I once got a screenshot from somebody of his preview window and an HTML file in it; the URL on that seems to be one to update/upgrade the infection on the victim's system, so I was really fast leaving that one, as it started the download immediately and without asking, even though it should have been in the restricted zone, but.....
    Standard OE, after upgrading to 6.0 with the many security patches, should move all the emails to be viewed from the restricted zone. So these infections should not be able to run in any way.
     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Grin...

    regards.

    paul
     
  10. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    All I can say is that it's a good job it was a virus and not a trojan, otherwise we'd have another boxing match tonight....   :D
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Klez is an I-worm to my knowledge.
    But you did not run the thing anyway, and with WormGuard around as well it sh/would be stopped by that too. The z19 was done by ZA/ZAPro mailsafe to prevent running, yes.

    The URL I mentioned was something.com, and the com was not changed by the person's mailsafe, but of course it could have been an executable file_ name.com!
    Seeing several a day by now, I have them in several colors and sizes/extensions, but I'm not even looking into their sources. They can have the exploit in an HTML file, which mailsafe does not change, but which I advise not to click on as it will start a download etc.

    For me it doesn't matter which Klez A-Z it is; they're just all nasties :) and not worth fighting for :p
     