Flaky email that triggered RD (?)

Discussion in 'Ghost Security Suite (GSS)' started by spy1, Sep 13, 2005.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Got two emails this morning of the type that I'd have normally deleted out-of-hand since they had gibberish subject lines - along with some junk that just looked like "normal" spam - but strangely enough, RD triggered off two warnings as soon as I opened up MailWasher (free version). I denied the changes, but I'm wondering if there was something malicious in the emails, so I d/l'ed them to OE. Details follow:

    From the "Details" tab (first flaky email):

    ith SMTP id <01LSYX7XXMW0ATKUU3@InfoAve.Net>; Tue,
    13 Sep 2005 04:34:55 -0400 (EDT)
    Received: from source ([61.146.209.67]) by exprod5mx148.postini.com
    ([64.18.4.10]) with SMTP; Tue, 13 Sep 2005 01:34:50 -0700 (PDT)
    Date: Tue, 13 Sep 2005 16:34:53 +0800
    From: =?UNKNOWN?B?cccccccccccccccccccccccccccc?= <rrafa.grzoyl@msa.hinet.net>
    Subject: =?UNKNOWN?B?p9qtzKv3pEYupXW95jYwpLggICAgIKZe9Vi69KTNU3B5MQ==?=
    To:
    Message-id: <01LSYX7Y1WESATKUU3@InfoAve.Net>
    MIME-version: 1.0
    Content-type: multipart/alternative; boundary="--=_6d4d8LML0eq"
    Original-recipient: rfc822;

    From the "Message Source" window (first flaky email):

    Return-path: <omevvnxlu.dialgpyfa@msa.hinet.net>
    Received: from psmtp.com ([64.18.0.180]) by InfoAve.Net (PMDF V6.2-X31 #30986)
    with SMTP id <01LSYX7XXMW0ATKUU3@InfoAve.Net>; Tue,
    13 Sep 2005 04:34:55 -0400 (EDT)
    Received: from source ([61.146.209.67]) by exprod5mx148.postini.com
    ([64.18.4.10]) with SMTP; Tue, 13 Sep 2005 01:34:50 -0700 (PDT)
    Date: Tue, 13 Sep 2005 16:34:53 +0800
    From: =?UNKNOWN?B?cccccccccccccccccccccccccccc?= <rrafa.grzoyl@msa.hinet.net>
    Subject: =?UNKNOWN?B?p9qtzKv3pEYupXW95jYwpLggICAgIKZe9Vi69KTNU3B5MQ==?=
    To:
    Message-id: <01LSYX7Y1WESATKUU3@InfoAve.Net>
    MIME-version: 1.0
    Content-type: multipart/alternative; boundary="--=_6d4d8LML0eq"
    Original-recipient: rfc822;spy1@comporium.net

    ----=_6d4d8LML0eq
    Content-Type: text/html;
    Content-Transfer-Encoding: quoted-printable

    Spy1
    <html>

    <head>
    <meta http-equiv=3D"Content-Language" content=3D"zh-tw">
    <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dbig5">
    <title>=B6W=A4=F4=B7=C7=A6=A8=A4H=AET=BC=D6=BA=F4</title>
    </head>

    <body>

    <p><b><font size=3D"7"><a href=3D"http://www.avvcddvd888866.com">=B6W=A4=F4=
    =B7=C7=A6=A8=A4H=AET=BC=D6=BA=F4</a></font></b></p>
    <p><b><font size=3D"7"><a href=3D"http://www.avvcddvd888866.com">=A7=DA=AD=
    =CC=AB=F7=A4F&nbsp;&nbsp;&nbsp;
    60&nbsp;&nbsp;&nbsp;&nbsp; </a></font></b></p>
    <p>=A1@</p>

    </body>

    </html>

    048161013B58F116

    ----=_6d4d8LML0eq--


    "Details" tab (2nd flaky email):

    Return-path: <utceff.nqv@msa.hinet.net>
    Received: from psmtp.com ([64.18.0.92]) by InfoAve.Net (PMDF V6.2-X31 #30986)
    with SMTP id <01LSZ21BKOMSANG5RW@InfoAve.Net>; Tue,
    13 Sep 2005 06:52:30 -0400 (EDT)
    Received: from source ([148.233.73.194]) by exprod5mx137.postini.com
    ([64.18.4.10]) with SMTP; Tue, 13 Sep 2005 03:52:12 -0700 (PDT)
    Date: Tue, 13 Sep 2005 18:52:21 +0800
    From: =?UNKNOWN?B?GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG?= <hi.kwsuqo@msa.hinet.net>
    Subject: =?UNKNOWN?B?p9qtzKv3pEYupXW95jYwpLggICAgIKZe9Vi69KTNU3B5MQ==?=
    To: spy1@comporium.net

    Message-id: <01LSZ21C0XI8ANG5RW@InfoAve.Net>
    MIME-version: 1.0
    Content-type: multipart/alternative; boundary="--=====278645874661829=_"
    Original-recipient: rfc822;


    "Message Source" (2nd flaky email):

    Return-path: <utceff.nqv@msa.hinet.net>
    Received: from psmtp.com ([64.18.0.92]) by InfoAve.Net (PMDF V6.2-X31 #30986)
    with SMTP id <01LSZ21BKOMSANG5RW@InfoAve.Net>; Tue,
    13 Sep 2005 06:52:30 -0400 (EDT)
    Received: from source ([148.233.73.194]) by exprod5mx137.postini.com
    ([64.18.4.10]) with SMTP; Tue, 13 Sep 2005 03:52:12 -0700 (PDT)
    Date: Tue, 13 Sep 2005 18:52:21 +0800
    From: =?UNKNOWN?B?GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG?= <hi.kwsuqo@msa.hinet.net>
    Subject: =?UNKNOWN?B?p9qtzKv3pEYupXW95jYwpLggICAgIKZe9Vi69KTNU3B5MQ==?=
    To:
    Message-id: <01LSZ21C0XI8ANG5RW@InfoAve.Net>
    MIME-version: 1.0
    Content-type: multipart/alternative; boundary="--=====278645874661829=_"
    Original-recipient: rfc822;

    ----=====278645874661829=_
    Content-Type: text/html;
    Content-Transfer-Encoding: quoted-printable

    Spy1
    <html>

    <head>
    <meta http-equiv=3D"Content-Language" content=3D"zh-tw">
    <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dbig5">
    <title>=A6^=F5X=BA=F4=A4=CD&nbsp;&nbsp;&nbsp; =A7=DA=AD=CC=AB=F7=A4F&nbsp;=
    &nbsp;&nbsp; =A5u=BD=E660=A4=B8&nbsp;&nbsp;&nbsp;
    =C1=D9=A6=B3=B0e=A4=F9=B3=E1</title>
    </head>

    <body>

    <p><a href=3D"http://www.avvcddvd888866.com">=A6^=F5X=BA=F4=A4=CD&nbsp;&nb=
    sp;&nbsp; =A7=DA=AD=CC=AB=F7=A4F&nbsp;&nbsp;&nbsp;
    =A5u=BD=E660=A4=B8&nbsp;&nbsp;&nbsp; =C1=D9=A6=B3=B0e=A4=F9=B3=E1 </a></p>=


    </body>

    </html>

    0D913CD7950CD7A2

    ----=====278645874661829=_--

    The warnings I got from RD were what's in the screenshot.

    So my question is - did RD stop something from happening that was attempting to execute while I was simply pre-viewing my email in MailWasher - or were those alerts totally un-related?

    I have the emails still if anyone wants me to forward them to them for examination - or to check and see if RD triggers on them, too when they receive them. Pete

    *Going to the gym right now, BBL.
     

    Attached Files:

    Last edited by a moderator: Sep 13, 2005
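Whether the two messages carried anything that could execute is answerable from the quoted source alone. The following is an added example, not code from this thread or from MailWasher/RegDefend: it parses a constructed copy of the first message (headers trimmed to the ones it needs), decodes the `=?UNKNOWN?B?...?=` subject with the big5 charset the HTML body declares (an assumption this example makes, since the header names no usable charset), reads the originating address from the innermost Received header, and lists every link, MIME content type and active-content tag it finds.

```python
import re
from email import message_from_string
from email.header import decode_header

# Constructed sample modelled on the first message quoted above (headers trimmed).
RAW_SPAM = """\
Received: from psmtp.com ([64.18.0.180]) by InfoAve.Net (PMDF V6.2-X31 #30986)
 with SMTP id <01LSYX7XXMW0ATKUU3@InfoAve.Net>; Tue,
 13 Sep 2005 04:34:55 -0400 (EDT)
Received: from source ([61.146.209.67]) by exprod5mx148.postini.com
 ([64.18.4.10]) with SMTP; Tue, 13 Sep 2005 01:34:50 -0700 (PDT)
Subject: =?UNKNOWN?B?p9qtzKv3pEYupXW95jYwpLggICAgIKZe9Vi69KTNU3B5MQ==?=
Content-type: multipart/alternative; boundary="--=_6d4d8LML0eq"

----=_6d4d8LML0eq
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dbig5">
<body><p><a href=3D"http://www.avvcddvd888866.com">=B6W=A4=F4=B7=C7</a></p></body></html>

----=_6d4d8LML0eq--
"""

def decode_subject(msg, fallback):
    # Charset "UNKNOWN" cannot be looked up, so decode_header hands back the raw
    # base64-decoded bytes; decode those with the charset the HTML body declares.
    text = ""
    for chunk, charset in decode_header(msg.get("Subject", "")):
        if isinstance(chunk, bytes):
            enc = fallback if charset in (None, "unknown") else charset
            chunk = chunk.decode(enc, errors="replace")
        text += chunk
    return text

def triage(raw):
    msg = message_from_string(raw)
    # The last Received header was written first, by the relay that accepted the
    # message from the sender, so its bracketed address is the best origin hint.
    hop = re.search(r"from\s+\S+\s+\(\[([\d.]+)\]\)", (msg.get_all("Received") or [""])[-1])
    types, links, charset, active = [], [], "ascii", False
    for part in (p for p in msg.walk() if not p.is_multipart()):
        body = part.get_payload(decode=True) or b""  # undoes quoted-printable
        types.append(part.get_content_type())
        m = re.search(rb'charset="?([\w-]+)', body, re.I)
        charset = m.group(1).decode() if m else charset
        links += [u.decode() for u in re.findall(rb'href="([^"]+)"', body, re.I)]
        active = active or bool(re.search(rb"<(script|object|embed|iframe)\b", body, re.I))
    return {"origin_ip": hop.group(1) if hop else None, "content_types": types,
            "links": links, "active_content": active, "subject": decode_subject(msg, charset)}
```

Run against the two bodies quoted in the post, the result is a single text/html part with one link and no active content, which fits the thread's conclusion that the alerts came from elsewhere.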
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Pete, I edited out your email addresses from your post - spam bot prevention :)

    Cheers. Pilli
     
  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Thanks, Pilli.

    BTW, when all this happened, MailWasher was the only thing open in the Taskbar (I had just started the computer and clicked on the MW icon on the Desktop when I got the alerts as the emails d/l'ed into MW). Running in SYSTRAY were my usual programs (left-to-right: MWSnap, MailWasher, RegDefend, MRU-Blaster Scheduler, APC PowerChute Personal Edition, Eraser Scheduler, TracksEraserPro, ProcessGuard, Volume controls, my perennial "safely remove hardware" icon, and NOD32).

    Odd, but very possibly co-incidental. Pete :eek:
     
  4. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    603
    Location:
    Australia
    Pete,
    Do you have the Windows Update service running and configured to automatically download and install by any chance?

    If you do, was the full program "svchost.exe -k netsvcs"?
     
  5. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Yup, that was it.

    So, the update service was attempting to check for updates when I opened MailWasher?

    But Automatic Updates is set to check at 3:00 a.m.? (The computer wasn't on then, though - perhaps it was checking for updates when I did the start-up this morning? ). Pete
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Pete, As far as I know, when you set update for a certain time and the computer is off at that time, on boot-up the OS sees the missed schedule and tries again. This may be a reason for this behaviour.

    Pilli :)
     
  7. sleepy pete

    sleepy pete Guest

    That's probably what it was then. Imagine - a real co-incidence! Good night all. Pete
     