Flaky email that triggered RD (?)

Discussion in 'Ghost Security Suite (GSS)' started by spy1, Sep 13, 2005.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Got two emails this morning of the type that I'd have normally deleted out-of-hand since they had gibberish subject lines - along with some junk that just looked like "normal" spam - but strangely enough, RD triggered off two warnings as soon as I opened up Mailwasher (free version). I denied the changes, but I'm wondering if there was something malicious in the emails, so I d/l'ed them to OE. Details follow:

    From the "Details" tab (first flaky email):

    ith SMTP id <01LSYX7XXMW0ATKUU3@InfoAve.Net>; Tue,
    13 Sep 2005 04:34:55 -0400 (EDT)
    Received: from source ([61.146.209.67]) by exprod5mx148.postini.com
    ([64.18.4.10]) with SMTP; Tue, 13 Sep 2005 01:34:50 -0700 (PDT)
    Date: Tue, 13 Sep 2005 16:34:53 +0800
    From: =?UNKNOWN?B?cccccccccccccccccccccccccccc?= <rrafa.grzoyl@msa.hinet.net>
    Subject: =?UNKNOWN?B?p9qtzKv3pEYupXW95jYwpLggICAgIKZe9Vi69KTNU3B5MQ==?=
    To:
    Message-id: <01LSYX7Y1WESATKUU3@InfoAve.Net>
    MIME-version: 1.0
    Content-type: multipart/alternative; boundary="--=_6d4d8LML0eq"
    Original-recipient: rfc822;

    From the "Message Source" window (first flaky email):

    Return-path: <omevvnxlu.dialgpyfa@msa.hinet.net>
    Received: from psmtp.com ([64.18.0.180]) by InfoAve.Net (PMDF V6.2-X31 #30986)
    with SMTP id <01LSYX7XXMW0ATKUU3@InfoAve.Net>; Tue,
    13 Sep 2005 04:34:55 -0400 (EDT)
    Received: from source ([61.146.209.67]) by exprod5mx148.postini.com
    ([64.18.4.10]) with SMTP; Tue, 13 Sep 2005 01:34:50 -0700 (PDT)
    Date: Tue, 13 Sep 2005 16:34:53 +0800
    From: =?UNKNOWN?B?cccccccccccccccccccccccccccc?= <rrafa.grzoyl@msa.hinet.net>
    Subject: =?UNKNOWN?B?p9qtzKv3pEYupXW95jYwpLggICAgIKZe9Vi69KTNU3B5MQ==?=
    To:
    Message-id: <01LSYX7Y1WESATKUU3@InfoAve.Net>
    MIME-version: 1.0
    Content-type: multipart/alternative; boundary="--=_6d4d8LML0eq"
    Original-recipient: rfc822;spy1@comporium.net

    ----=_6d4d8LML0eq
    Content-Type: text/html;
    Content-Transfer-Encoding: quoted-printable

    Spy1
    <html>

    <head>
    <meta http-equiv=3D"Content-Language" content=3D"zh-tw">
    <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dbig5">
    <title>=B6W=A4=F4=B7=C7=A6=A8=A4H=AET=BC=D6=BA=F4</title>
    </head>

    <body>

    <p><b><font size=3D"7"><a href=3D"http://www.avvcddvd888866.com">=B6W=A4=F4=
    =B7=C7=A6=A8=A4H=AET=BC=D6=BA=F4</a></font></b></p>
    <p><b><font size=3D"7"><a href=3D"http://www.avvcddvd888866.com">=A7=DA=AD=
    =CC=AB=F7=A4F&nbsp;&nbsp;&nbsp;
    60&nbsp;&nbsp;&nbsp;&nbsp; </a></font></b></p>
    <p>=A1@</p>

    </body>

    </html>

    048161013B58F116

    ----=_6d4d8LML0eq--


    "Details" tab (2nd flaky email):

    Return-path: <utceff.nqv@msa.hinet.net>
    Received: from psmtp.com ([64.18.0.92]) by InfoAve.Net (PMDF V6.2-X31 #30986)
    with SMTP id <01LSZ21BKOMSANG5RW@InfoAve.Net>; Tue,
    13 Sep 2005 06:52:30 -0400 (EDT)
    Received: from source ([148.233.73.194]) by exprod5mx137.postini.com
    ([64.18.4.10]) with SMTP; Tue, 13 Sep 2005 03:52:12 -0700 (PDT)
    Date: Tue, 13 Sep 2005 18:52:21 +0800
    From: =?UNKNOWN?B?GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG?= <hi.kwsuqo@msa.hinet.net>
    Subject: =?UNKNOWN?B?p9qtzKv3pEYupXW95jYwpLggICAgIKZe9Vi69KTNU3B5MQ==?=
To: spy1@comporium.net

    Message-id: <01LSZ21C0XI8ANG5RW@InfoAve.Net>
    MIME-version: 1.0
    Content-type: multipart/alternative; boundary="--=====278645874661829=_"
    Original-recipient: rfc822;


    "Message Source" (2nd flaky email):

    Return-path: <utceff.nqv@msa.hinet.net>
    Received: from psmtp.com ([64.18.0.92]) by InfoAve.Net (PMDF V6.2-X31 #30986)
    with SMTP id <01LSZ21BKOMSANG5RW@InfoAve.Net>; Tue,
    13 Sep 2005 06:52:30 -0400 (EDT)
    Received: from source ([148.233.73.194]) by exprod5mx137.postini.com
    ([64.18.4.10]) with SMTP; Tue, 13 Sep 2005 03:52:12 -0700 (PDT)
    Date: Tue, 13 Sep 2005 18:52:21 +0800
    From: =?UNKNOWN?B?GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG?= <hi.kwsuqo@msa.hinet.net>
    Subject: =?UNKNOWN?B?p9qtzKv3pEYupXW95jYwpLggICAgIKZe9Vi69KTNU3B5MQ==?=
    To:
    Message-id: <01LSZ21C0XI8ANG5RW@InfoAve.Net>
    MIME-version: 1.0
    Content-type: multipart/alternative; boundary="--=====278645874661829=_"
    Original-recipient: rfc822;

    ----=====278645874661829=_
    Content-Type: text/html;
    Content-Transfer-Encoding: quoted-printable

    Spy1
    <html>

    <head>
    <meta http-equiv=3D"Content-Language" content=3D"zh-tw">
    <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dbig5">
    <title>=A6^=F5X=BA=F4=A4=CD&nbsp;&nbsp;&nbsp; =A7=DA=AD=CC=AB=F7=A4F&nbsp;=
    &nbsp;&nbsp; =A5u=BD=E660=A4=B8&nbsp;&nbsp;&nbsp;
    =C1=D9=A6=B3=B0e=A4=F9=B3=E1</title>
    </head>

    <body>

    <p><a href=3D"http://www.avvcddvd888866.com">=A6^=F5X=BA=F4=A4=CD&nbsp;&nb=
    sp;&nbsp; =A7=DA=AD=CC=AB=F7=A4F&nbsp;&nbsp;&nbsp;
    =A5u=BD=E660=A4=B8&nbsp;&nbsp;&nbsp; =C1=D9=A6=B3=B0e=A4=F9=B3=E1 </a></p>=


    </body>

    </html>

    0D913CD7950CD7A2

    ----=====278645874661829=_--

    The warnings I got from RD were what's in the screenshot.

So my question is - did RD stop something from happening that was attempting to execute while I was simply previewing my email in MailWasher - or were those alerts totally un-related?

I still have the emails if anyone wants me to forward them for examination - or to check and see if RD triggers on them, too, when they receive them. Pete

    *Going to the gym right now, BBL.
     

    Attached Files:

    Last edited by a moderator: Sep 13, 2005
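Added example (not part of the thread, and not Ghost Security's code): the headers and the first message's HTML part pasted above, decoded offline with Python's standard library so you can see what the two messages actually contain without opening them in a mail client. The one assumption is the charset fallback: "UNKNOWN" is not a registered charset label, but the HTML body declares charset=big5, so unknown labels are decoded as Big5 here.

```python
import quopri
import re
from email.header import decode_header

# Header values copied verbatim from the message source pasted above.
SUBJECT_RAW = "=?UNKNOWN?B?p9qtzKv3pEYupXW95jYwpLggICAgIKZe9Vi69KTNU3B5MQ==?="
FROM_RAW = "=?UNKNOWN?B?cccccccccccccccccccccccccccc?= <rrafa.grzoyl@msa.hinet.net>"

# Quoted-printable text/html part of the first message, copied from the post.
BODY_QP = b"""<html>
<head>
<meta http-equiv=3D"Content-Language" content=3D"zh-tw">
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dbig5">
<title>=B6W=A4=F4=B7=C7=A6=A8=A4H=AET=BC=D6=BA=F4</title>
</head>
<body>
<p><b><font size=3D"7"><a href=3D"http://www.avvcddvd888866.com">=B6W=A4=F4=
=B7=C7=A6=A8=A4H=AET=BC=D6=BA=F4</a></font></b></p>
<p><b><font size=3D"7"><a href=3D"http://www.avvcddvd888866.com">=A7=DA=AD=
=CC=AB=F7=A4F&nbsp;&nbsp;&nbsp;
60&nbsp;&nbsp;&nbsp;&nbsp; </a></font></b></p>
<p>=A1@</p>
</body>
</html>
"""

# Assumption: 'UNKNOWN' is not a registered charset label, and the HTML body
# declares charset=big5, so unknown labels are decoded as Big5 here.
FALLBACK_CHARSET = "big5"

# Tags that would carry active content in an HTML mail part.
ACTIVE_TAGS = re.compile(rb"<\s*(script|object|embed|iframe|applet)\b", re.I)


def decode_rfc2047(value, fallback=FALLBACK_CHARSET):
    """Decode an RFC 2047 header value, substituting `fallback` for a charset
    label Python has no codec for.

    decode_header() splits the value into (bytes, charset) chunks without
    validating the label, so 'UNKNOWN' comes back as-is; the usual
    str(make_header(...)) shortcut would raise LookupError on it.
    """
    pieces = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, str):        # header had no encoded-words at all
            pieces.append(chunk)
            continue
        codec = charset or "ascii"        # unencoded runs come back with charset None
        try:
            "".encode(codec)              # probe whether the codec exists
        except LookupError:
            codec = fallback
        pieces.append(chunk.decode(codec, errors="replace"))
    return "".join(pieces)


def body_charset(raw_html):
    """Charset declared by the <meta http-equiv="Content-Type"> tag, or ascii."""
    m = re.search(rb"charset=([\w-]+)", raw_html, re.I)
    return m.group(1).decode("ascii").lower() if m else "ascii"


def summarize_html_part(qp_body):
    """Undo the quoted-printable transfer encoding and report what the part
    contains: declared charset, decoded <title>, distinct link targets, and
    whether any script/object/embed/iframe/applet tag is present."""
    raw = quopri.decodestring(qp_body)
    charset = body_charset(raw)
    text = raw.decode(charset, errors="replace")
    title = re.search(r"<title>(.*?)</title>", text, re.S)
    return {
        "charset": charset,
        "title": " ".join(title.group(1).split()) if title else "",
        "links": sorted(set(re.findall(r'href="([^"]+)"', text))),
        "active_content": bool(ACTIVE_TAGS.search(raw)),
    }


if __name__ == "__main__":
    print("Subject:", decode_rfc2047(SUBJECT_RAW))
    print("From:   ", decode_rfc2047(FROM_RAW))
    for key, val in summarize_html_part(BODY_QP).items():
        print(f"{key:15}{val}")
```

Run as-is, it prints the subject as a short Big5 advertisement (a "60" price and the recipient's handle "Spy1" appended at the end), and the body summary shows a single static link to www.avvcddvd888866.com with no script, object, embed, iframe or applet tag; the message has no attachment parts either, only the one text/html alternative. That is consistent with the conclusion the thread reaches below: the RegDefend alerts came from something else on the machine, not from previewing these two messages.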
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Pete, I edited out your email addresses from your post - spam bot prevention :)

    Cheers. Pilli
     
  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Thanks, Pilli.

    BTW, when all this happened, MailWasher was the only thing open in the Taskbar (I had just started the computer and clicked on the MW icon on the Desktop when I got the alerts as the emails d/l'ed into MW). Running in SYSTRAY were my usual programs (left-to-right: MWSnap, MailWasher, RegDefend, MRU-Blaster Scheduler, APC PowerChute Personal Edition, Eraser Scheduler, TracksEraserPro, ProcessGuard, Volume controls, my perennial "safely remove hardware" icon, and NOD32).

    Odd, but very possibly co-incidental. Pete :eek:
     
  4. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Pete,
Do you have the Windows Update service running and configured to automatically download and install, by any chance?

If you do, was the full program "svchost.exe -k netsvcs"?
     
  5. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Yup, that was it.

    So, the update service was attempting to check for updates when I opened MailWasher?

But Automatic Updates is set to check at 3:00 a.m.? (The computer wasn't on then, though - perhaps it was checking for updates when I did the start-up this morning?) Pete
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Hi Pete, as far as I know, when you set up update for a certain time and the computer is off at that time, on boot-up the OS sees the missed schedule and tries again. This may be a reason for this behaviour.

    Pilli :)
     
  7. sleepy pete

    sleepy pete Guest

    That's probably what it was then. Imagine - a real co-incidence! Good night all. Pete
     