Flaky email that triggered RD (?)

Got two emails this morning of the type that I'd have normally deleted out-of-hand since they had gibberish subject lines - along with some junk that just looked like "normal" spam - but strangely enough, RD triggered off two warnings as soon as I opened up Mailwasher (free version). I denied the changes, but I'm wondering if there was something malicious in the emails, so I d/l'ed them to OE. Details follow:

From the "Details" tab (first flaky email):

ith SMTP id <01LSYX7XXMW0ATKUU3@InfoAve.Net>; Tue,
13 Sep 2005 04:34:55 -0400 (EDT)
Received: from source ([61.146.209.67]) by exprod5mx148.postini.com
([64.18.4.10]) with SMTP; Tue, 13 Sep 2005 01:34:50 -0700 (PDT)
Date: Tue, 13 Sep 2005 16:34:53 +0800
From: =?UNKNOWN?B?cccccccccccccccccccccccccccc?= <rrafa.grzoyl@msa.hinet.net>
Subject: =?UNKNOWN?B?p9qtzKv3pEYupXW95jYwpLggICAgIKZe9Vi69KTNU3B5MQ==?=
To:
Message-id: <01LSYX7Y1WESATKUU3@InfoAve.Net>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="--=_6d4d8LML0eq"
Original-recipient: rfc822;

From the "Message Source" window (first flaky email):

Return-path: <omevvnxlu.dialgpyfa@msa.hinet.net>
Received: from psmtp.com ([64.18.0.180]) by InfoAve.Net (PMDF V6.2-X31 #30986)
with SMTP id <01LSYX7XXMW0ATKUU3@InfoAve.Net>; Tue,
13 Sep 2005 04:34:55 -0400 (EDT)
Received: from source ([61.146.209.67]) by exprod5mx148.postini.com
([64.18.4.10]) with SMTP; Tue, 13 Sep 2005 01:34:50 -0700 (PDT)
Date: Tue, 13 Sep 2005 16:34:53 +0800
From: =?UNKNOWN?B?cccccccccccccccccccccccccccc?= <rrafa.grzoyl@msa.hinet.net>
Subject: =?UNKNOWN?B?p9qtzKv3pEYupXW95jYwpLggICAgIKZe9Vi69KTNU3B5MQ==?=
To:
Message-id: <01LSYX7Y1WESATKUU3@InfoAve.Net>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="--=_6d4d8LML0eq"
Original-recipient: rfc822;spy1@comporium.net

----=_6d4d8LML0eq
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

Spy1
<html>

<head>
<meta http-equiv=3D"Content-Language" content=3D"zh-tw">
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dbig5">
<title>=B6W=A4=F4=B7=C7=A6=A8=A4H=AET=BC=D6=BA=F4</title>
</head>

<body>

<p><b><font size=3D"7"><a href=3D"http://www.avvcddvd888866.com">=B6W=A4=F4=
=B7=C7=A6=A8=A4H=AET=BC=D6=BA=F4</a></font></b></p>
<p><b><font size=3D"7"><a href=3D"http://www.avvcddvd888866.com">=A7=DA=AD=
=CC=AB=F7=A4F&nbsp;&nbsp;&nbsp;
60&nbsp;&nbsp;&nbsp;&nbsp; </a></font></b></p>
<p>=A1@</p>

</body>

</html>

048161013B58F116

----=_6d4d8LML0eq--


"Details" tab (2nd flaky email):

Return-path: <utceff.nqv@msa.hinet.net>
Received: from psmtp.com ([64.18.0.92]) by InfoAve.Net (PMDF V6.2-X31 #30986)
with SMTP id <01LSZ21BKOMSANG5RW@InfoAve.Net>; Tue,
13 Sep 2005 06:52:30 -0400 (EDT)
Received: from source ([148.233.73.194]) by exprod5mx137.postini.com
([64.18.4.10]) with SMTP; Tue, 13 Sep 2005 03:52:12 -0700 (PDT)
Date: Tue, 13 Sep 2005 18:52:21 +0800
From: =?UNKNOWN?B?GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG?= <hi.kwsuqo@msa.hinet.net>
Subject: =?UNKNOWN?B?p9qtzKv3pEYupXW95jYwpLggICAgIKZe9Vi69KTNU3B5MQ==?=
To: [email]spy1@comporium.net
Message-id: <01LSZ21C0XI8ANG5RW@InfoAve.Net>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="--=====278645874661829=_"
Original-recipient: rfc822;


"Message Source" (2nd flaky email):

Return-path: <utceff.nqv@msa.hinet.net>
Received: from psmtp.com ([64.18.0.92]) by InfoAve.Net (PMDF V6.2-X31 #30986)
with SMTP id <01LSZ21BKOMSANG5RW@InfoAve.Net>; Tue,
13 Sep 2005 06:52:30 -0400 (EDT)
Received: from source ([148.233.73.194]) by exprod5mx137.postini.com
([64.18.4.10]) with SMTP; Tue, 13 Sep 2005 03:52:12 -0700 (PDT)
Date: Tue, 13 Sep 2005 18:52:21 +0800
From: =?UNKNOWN?B?GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG?= <hi.kwsuqo@msa.hinet.net>
Subject: =?UNKNOWN?B?p9qtzKv3pEYupXW95jYwpLggICAgIKZe9Vi69KTNU3B5MQ==?=
To:
Message-id: <01LSZ21C0XI8ANG5RW@InfoAve.Net>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="--=====278645874661829=_"
Original-recipient: rfc822;

----=====278645874661829=_
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

Spy1
<html>

<head>
<meta http-equiv=3D"Content-Language" content=3D"zh-tw">
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dbig5">
<title>=A6^=F5X=BA=F4=A4=CD&nbsp;&nbsp;&nbsp; =A7=DA=AD=CC=AB=F7=A4F&nbsp;=
&nbsp;&nbsp; =A5u=BD=E660=A4=B8&nbsp;&nbsp;&nbsp;
=C1=D9=A6=B3=B0e=A4=F9=B3=E1</title>
</head>

<body>

<p><a href=3D"http://www.avvcddvd888866.com">=A6^=F5X=BA=F4=A4=CD&nbsp;&nb=
sp;&nbsp; =A7=DA=AD=CC=AB=F7=A4F&nbsp;&nbsp;&nbsp;
=A5u=BD=E660=A4=B8&nbsp;&nbsp;&nbsp; =C1=D9=A6=B3=B0e=A4=F9=B3=E1 </a></p>=


</body>

</html>

0D913CD7950CD7A2

----=====278645874661829=_--

The warnings I got from RD were what's in the screenshot.

So my question is - did RD stop something from happening that was attempting to execute while I was simply [I]pre-viewing[/I] my email in MailWasher - or were those alerts totally un-related?

I have the emails still if anyone wants me to forward them to them for examination - or to check and see if RD triggers on them, too when they receive them. Pete

*Going to the gym right now, BBL.

 

Hi Pete, I edited out your email addresses from your post - spam bot prevention

Cheers. Pilli

 

Thanks, Pilli.

BTW, when all this happened, MailWasher was the only thing open in the Taskbar (I had just started the computer and clicked on the MW icon on the Desktop when I got the alerts as the emails d/l'ed into MW). Running in SYSTRAY were my usual programs (left-to-right: MWSnap, MailWasher, RegDefend, MRU-Blaster Scheduler, APC PowerChute Personal Edition, Eraser Scheduler, TracksEraserPro, ProcessGuard, Volume controls, my perennial "safely remove hardware" icon, and NOD32).

Odd, but very possibly co-incidental. Pete

 

Pete,
Do you have the Windows Update service running and configured to automatically download and install by any chance ?

If you do was the full program "svchost.exe -k netsvcs" ?

 

Yup, that was it.

So, the update service was attempting to check for updates when I opened MailWasher?

But Automatic Updates is set to check at 3:00 a.m.? (The computer wasn't on then, though - perhaps it was checking for updates when I did the start-up this morning? ). Pete

 

Hi Pete, As far as I kow when you set up update for a certain time and the computer is off at that time, on boot up the OS sees the missed schedule and tries agsain. This may be a reason for this behaviour.

Pilli

 

That's probably what it was then. Imagine - a real co-incidence! Good night all. Pete