Mysterious emails!

Discussion in 'malware problems & news' started by rjbsec, Feb 2, 2007.

Thread Status:
Not open for further replies.
  1. rjbsec

    rjbsec Registered Member

    Joined:
    May 15, 2005
    Posts:
    132
    I have been using KIS 6.0 for some time now and my email client is MS Outlook 2003, recently upgraded to MS Outlook 2007 with Office 2007 - KIS is set to scan all emails and mailboxes.
    In addition to Kaspersky Internet Security 6.0 I have the following on my PC:
    Spyware Blaster
    Spybot Search
    Wormguard

    Over a period of some weeks I have noticed that Outlook reports sending emails that I know nothing about, usually 4 at a time in quick succession. I have no idea what these emails are; I just see "sending 1 of 4" and so on ... of course I am concerned.

    I have done full PC scans with KIS 6.0 and also with MS Live One Care and the MS Malicious Software Removal Tool but nothing has been found.
    Does anyone have any idea about this seemingly suspicious activity and more importantly what I can do about it?
    Is there a facility to force seeing an email before it is sent?
     
  2. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    Post this in Kaspersky's forum along with a HijackThis log... HijackThis logs are not allowed on Wilders.

    Edit: The Kaspersky forum has gone a little titsup the last day or two... read this Support page for more information on how to check if it's a virus or not: http://support.kaspersky.com/viruses/computers?qid=193238610
    Also, make sure you send a description of your problem... (what you posted in the above post)
     
    Last edited: Feb 8, 2007
  3. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Strange.
    Seems you have a nasty worm, but if so Kaspersky should be able to find it.

    P.S. Do you have 4 e-mail accounts in Outlook?
     
    Last edited: Feb 8, 2007
  4. itsmej

    itsmej Registered Member

    Joined:
    Feb 10, 2007
    Posts:
    109
    Location:
    Australia
    More inclined to say you have a zombie installed that's using your PC (and email).
    If you can't find it, a simple thing may be to change your mail ID (new one), as someone has yours and is using it to scam other PCs (trojan). Also check to see if the POP3 port is open! 110 - make sure it's CLOSED at a minimum, better if stealthed. Another thing: get hold of a mail filter program to allow or block; let me explain.
    No one can send or use my email unless I send one, and the receiver has to use that sent email back... or anything else will give a person the "no address" (none found, non-existent) and bounce back at the sender!
    I am inclined to say you've got a trojan on your system that every time you log in is set off to do whatever it's made to...
    Last resort: reformat, start over...
    Good luck and I hope you find what's doing it... I know that's the easy answer
    and not meant to be. I have 5 PCs that are on the net when I use 1 of them (not netted but stand-alone) and 3 have a system restore built into them (motherboard BIOS), not the OS one... there stored are my running installed programs. If for whatever reason I think something has gotten onto the hard drive that should not be there, then at boot time I hit F9 and restore...
    Very handy! I update this every once in a while; it saves reinstalling anything new... So I did not mean it as an easy cop-out answer...
    itsmej
     
    Last edited: Feb 11, 2007
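Added example, not part of the thread: the check that actually answers "is something on this PC sending mail?" is an outbound one. It does not matter whether inbound POP3 (110) is closed; what matters is which process holds connections to a mail server on the SMTP/submission ports (25, 465, 587), and whether that process is the mail client. On Windows the real input is `netstat -ano` (connections with PIDs) and `tasklist` (PID to image name); the netstat text, the PID map, the image name `svchost32.exe` and the addresses below are constructed to mimic that output and are not real captures.

```python
"""Added example, not from the thread: triage of outbound mail connections.

The worry in this thread is something on the PC sending mail the user never
wrote. The check that answers it is outbound, not inbound: which process is
connected to a mail server on an SMTP/submission port (25, 465, 587)? On
Windows the real input comes from `netstat -ano` (connections with PIDs) and
`tasklist` (PID to image name); the two samples below are constructed to
mimic that output and are not real captures. Image names and addresses are
made up.
"""
import re
from collections import namedtuple

MAIL_PORTS = {25, 465, 587}              # SMTP, SMTPS, submission
EXPECTED_MAIL_CLIENTS = {"outlook.exe"}  # the only process that should send mail here

# Constructed sample of `netstat -ano` output (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1043      203.0.113.5:25         ESTABLISHED     1840
  TCP    192.168.1.10:1044      203.0.113.5:25         ESTABLISHED     2312
  TCP    192.168.1.10:1050      198.51.100.7:110       ESTABLISHED     1840
  TCP    192.168.1.10:1051      198.51.100.9:587       SYN_SENT        2312
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed PID -> image map, as `tasklist` would give it (not real).
SAMPLE_TASKLIST = {1840: "outlook.exe", 2312: "svchost32.exe", 4: "System"}

Conn = namedtuple("Conn", "proto local remote state pid")

# proto, local, remote, optional state (UDP rows have none), pid
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Turn `netstat -ano` text into Conn records; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
    return conns


def remote_port(addr):
    """Port of 'host:port'; None for the '*:*' wildcard netstat prints for UDP."""
    _, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def find_mail_senders(conns, images, expected=EXPECTED_MAIL_CLIENTS):
    """Every TCP connection to a mail port, with the owning image looked up
    and flagged 'unexpected' when that image is not the user's mail client."""
    findings = []
    for c in conns:
        if c.proto != "TCP" or remote_port(c.remote) not in MAIL_PORTS:
            continue
        image = images.get(c.pid, "<unknown>")
        findings.append({
            "pid": c.pid,
            "image": image,
            "remote": c.remote,
            "state": c.state,
            "unexpected": image.lower() not in expected,
        })
    return findings


def unexpected_senders(netstat_text=SAMPLE_NETSTAT, images=SAMPLE_TASKLIST):
    """Convenience wrapper: only the connections that need explaining."""
    return [f for f in find_mail_senders(parse_netstat(netstat_text), images)
            if f["unexpected"]]


if __name__ == "__main__":
    for f in find_mail_senders(parse_netstat(SAMPLE_NETSTAT), SAMPLE_TASKLIST):
        tag = "UNEXPECTED" if f["unexpected"] else "ok"
        print(f"{tag:10} pid={f['pid']:<5} {f['image']:<14} -> {f['remote']} {f['state']}")
```

On the sample data the POP3 connection is ignored (it is a download, not a send) and the two connections owned by the unknown image are the only ones flagged. Two caveats for a real box: a kernel-mode rootkit of the kind named later in this thread can filter what `netstat` reports, so an empty result on a suspect machine is not a clean bill, and the same connections should be looked for at the router or firewall; and Outlook's own "sending 1 of 4" counter reports mail going out through outlook.exe itself, so an unexpected sender there would show up in the Outbox or Sent Items and in the account list rather than as a second process.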
  5. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi rjbsec

    It sounds like you have a hidden (rootkit) bot running on your PC; if the timeline you suggest is involved, it is quite possible that you may have the wincom32.sys rootkit loaded, as it was doing the rounds recently (25/1/07+).

    When I have loaded this rootkit malware onto my 'puter, KAV 6 has been *blind* to it on a maximum sensitivity scan :'(
    I would be very surprised if any of the other software you have named would be able to *see* this trojan either once it is loaded :eek:


    Just to rule this scenario in/out, download and update the definitions of the free version of the following software >>>
    http://superantispyware.com/

    Next run a full system scan from Safe Mode to see if it turns up this/any hidden bots. If it finds any threats, can you copy & paste the scan log generated for review.

    HTH:)
     
  6. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    As the saying goes, prevention is always better than cure :D
    Didn't PDM flag any odd behaviour recently?
    If you have a rootkit it will still be able to be seen by Kaspersky due to the self-protection, as shown in a presentation by Kaspersky vs rootkits on their website.
    https://www.wilderssecurity.com/showthread.php?t=157345
    Read the PDF and then do the "specify an object to scan".
    See if the folders match up to the ones in Windows Explorer; if they don't and there is a folder with odd files shown in Kaspersky then you have got a rootkit.
    lodore
     
  7. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi Lodore

    Despite what is written in the PDF, which let's face it is purely based around HacDef rootkit detection, in reality KAV detection of a wider range of RK malwares is *weak* at best.

    Here are the most common RKs I am picking up in the wild at the moment and the results of KAV scans with current defs loaded.

    Rustock A (lzx32.sys) Not detected:'(
    Rustock B (lzx32.sys,huy32.sys) Not detected:'(
    Wincom32.sys Not detected:'(
    Haxdor(1) (Pasksa.dll +p81eskse.sys) Not detected:'(
    Haxdor(2) (Protector.exe+ntio256.sys) Not detected:'(

    The truth is Kaspersky is a great AV and is getting stronger against bots all the time, but it is not a good ARK tool against the new stuff once it is loaded. Maybe in a future version they will improve this capability ;)


    BTW you're absolutely correct that the best form of ARK is not to let them install in the first place :thumb:
     
  8. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    fcukdat, have you sent the samples to Kaspersky for analysis?
    Since you have tested them against Kaspersky you might as well send them to Kaspersky so they can detect them.
    lodore
     
  9. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Yes, if you follow the malware listserve info trail you will find that Kaspersky get all my samples that are uploaded to the malware listserve and IRC; they will get copies of all samples uploaded to the VirusTotal & Jotti services :thumb:

    We need to break down these malware files into 2 separate types: you have the droppers (installers), which, if they are known quantities, any AV/AT/ASW worth its salt running in realtime will block from delivering their payload if it *knows* that file.

    The trouble is once a dropper has gone past realtime defenders and dropped its payload (loaded the rootkit/trojan), which happens when the *dropper* is not known by the defending software's databases.
    At this point it boils down to whether the scanning software has the capability to detect and action a removal against the rootkit/trojan.

    At this point those trojan/rootkit malwares listed in my previous post are not detectable by Kasp AV6.
    Net result: it is *blind* to them once they are loaded and filtering kernel traffic to hide their existence/activity on a computer.

    Please do not take this as an attack against Kaspersky; after all, I have their AV installed on my computer for on-demand use. It is a very good AV software, but like most AV software it is *weak* if not totally ineffective against loaded rootkits/trojans.

    HTH:)
     
  10. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    Agree with fcukdat... Kaspersky only detects rootkits via PDM (when executing the rootkit)... once the rootkit is executed and embedded, Kaspersky won't detect it anymore... most AVs are bad at this; rather use a rootkit scanner than scan using an antivirus once you have a rootkit executed.
     
  11. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    484
    I don't use KIS but some of these people do. I am wondering if you could adjust the firewall so you could control what is sent from your email. Perhaps you could set the permissions to ASK in your firewall. Do you need to have server permissions set to get email working properly? Also you could try some trojan scanners, as has been suggested. SuperAntiSpyware works well & might find a trojan or even a rootkit. A2 free is also a very good anti-trojan. I suspect if you scan with A2 & SAS & find nothing you don't have either rootkits or trojans. I have seen the same phenomenon with my wife's email. She uses ZoneAlarm. I could find nothing wrong, no malware of any kind. I really doubt that if you are using KIS (one of the best security suites out there) there is anything wrong. You also could try the Kaspersky forums; perhaps they could explain this.
     
  12. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    So I guess NOD32's anti-stealth technology can't catch it either?
    lodore
     
  13. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Correct with reference to the early Rustock B build, but I would guess this applies to all B builds once loaded.
    NOD 2.7 vs loaded Rustock B: bypassed :'(
    http://forum.sysinternals.com/forum_posts.asp?TID=9731&PN=1&TPN=1

    *don't try it at home unless you are 100% sure what you are doing;)
     
  14. dah145

    dah145 Registered Member

    Joined:
    Jul 3, 2006
    Posts:
    262
    Location:
    n/a
    Once the RK is loaded, dedicated RK detectors would be the best. KIS/KAV PDM can prevent an RK from loading its service, but you would get an alert just on execution. :isay:

    And also, are you using the latest version of KIS? (MP2 = 6.0.2.614) Because as far as I know it has mass-mailing detection capabilities.

    See:

    http://forum.kaspersky.com/uploads/post-28040-1170816752.jpg
     
  15. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hmm time to update:thumb:

    I will test it versus my collection of creatures in my malware zoo tomorrow, maybe :)
     
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Don't like this zombie behaviour you describe, AT all!

    If it were me apart from panic what would I do?

    If I had 2 PCs with internet I would shut the connection off on the zombie PC, like NOW! You have no idea where these emails are going and what they are sending about you!

    Once that is done, I would use the 2nd PC to download as many ASW and AV cleanup tools as possible and copy the installers and executables onto the zombie PC via CD or DVD. Get blbeta.exe and IceSword, + BitDefender v8 and AntiVir.

    Then the following on the zombie PC. (let's call it Z_PC)

    1) backup to dvd or external drive all critical user data
    2) run all existing AVs and ASWs again. Close your existing AV.
    3) run CCleaner, and any registry cleanup tools you have.
    4) install and run blbeta
    5) install and run ice sword
    6) install and run BitDefender V8
    7) close BitDefender (2 AV's are bad news)
    8) install and run AntiVir

    Restart your PC in Safe Mode and do 2, 3, 4, 5, 6, 7, 8 again

    Reconnect to internet

    1) turn off your email, update Windows, install any security or critical updates
    2) update all the security tools, disconnect
    3) run them all again
    4) restart run all again in safe mode
    5) use Task Manager to see if any weird programs running (google name to check)

    Test to see if email problem gone

    If all fails, reinstall Windows and reformat the PC in the process, reinstall all valid applications and get a solid I/O firewall. Use a different email client like Thunderbird.

    Good luck!
     
  17. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Although it seems that NOD32 2.7 is bypassed by a loaded Rustock, does NOD32 report discrepancies between the number of files scanned with and without AntiStealth technology?
     
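Added example, not part of the thread: lodore's "compare the Kaspersky object list with Windows Explorer" and lucas1985's "files scanned with vs without AntiStealth" are the same technique, a cross-view diff. List the same directories once through the normal Windows API view (Explorer, or a scanner without anti-stealth) and once through a view the rootkit does not filter (a scanner with anti-stealth or raw disk access, or the disk mounted from clean boot media), then compare. Files the raw view sees that the API view does not are being hidden; a per-directory file count is the coarse form of the same comparison. The two listings are constructed sample data: the driver names wincom32.sys, lzx32.sys and huy32.sys are the ones named earlier in this thread, the paths and the temp file names are made up, and the transient-file patterns are an assumption of this example, not anything the scanners do.

```python
"""Added example, not from the thread: a cross-view diff for hidden files.

Two listings of the same tree are compared: the "API view" (what Explorer or
a scanner without anti-stealth reports from inside the running OS) and the
"raw view" (anti-stealth scan or offline mount). Both listings below are
constructed sample data; the driver names come from the thread, the paths
are made up. Paths are Windows-style (backslash separated).
"""
import fnmatch
import os
from collections import defaultdict

# Assumed list of files that legitimately differ between two listings taken
# at different moments, kept separate so they do not drown out real findings.
TRANSIENT = ("pagefile.sys", "hiberfil.sys", "*.tmp", "*.log")

# Constructed "API view" listing (what Explorer / a normal scan shows).
API_VIEW = {
    r"C:\WINDOWS\system32\ntoskrnl.exe",
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\drivers\tcpip.sys",
    r"C:\WINDOWS\Temp\~DF1A2B.tmp",
}

# Constructed "raw view" listing (anti-stealth scan / offline mount) taken a
# moment later: one temp file has churned, and three driver files the API
# view never showed are present.
RAW_VIEW = {
    r"C:\WINDOWS\system32\ntoskrnl.exe",
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\drivers\tcpip.sys",
    r"C:\WINDOWS\system32\drivers\wincom32.sys",
    r"C:\WINDOWS\system32\lzx32.sys",
    r"C:\WINDOWS\system32\huy32.sys",
    r"C:\WINDOWS\Temp\~DF9C3D.tmp",
}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def dirname(path):
    return path.rsplit("\\", 1)[0]


def is_transient(path):
    name = basename(path).lower()
    return any(fnmatch.fnmatch(name, pat) for pat in TRANSIENT)


def cross_view_diff(api_view, raw_view):
    """Return (hidden, noise): hidden = paths the raw view has and the API
    view lacks, noise = the subset of those expected to churn anyway."""
    missing = set(raw_view) - set(api_view)
    hidden = sorted(p for p in missing if not is_transient(p))
    noise = sorted(p for p in missing if is_transient(p))
    return hidden, noise


def per_directory_counts(view):
    counts = defaultdict(int)
    for p in view:
        counts[dirname(p)] += 1
    return dict(counts)


def count_discrepancies(api_view, raw_view):
    """Directories whose file count differs between the views, as
    {dir: (api_count, raw_count)}. A scanner's 'files scanned with vs
    without anti-stealth' totals are this comparison collapsed to one number."""
    a, r = per_directory_counts(api_view), per_directory_counts(raw_view)
    return {d: (a.get(d, 0), r.get(d, 0))
            for d in set(a) | set(r) if a.get(d, 0) != r.get(d, 0)}


def snapshot(root):
    """Listing of a real tree, usable as either view on a live system
    (run from inside the OS it is the API view; run from boot media it is
    the raw view of the mounted disk)."""
    return {os.path.join(d, f) for d, _, files in os.walk(root) for f in files}


if __name__ == "__main__":
    hidden, noise = cross_view_diff(API_VIEW, RAW_VIEW)
    print("hidden from API view:", *hidden, sep="\n  ")
    print("ignored churn:", *noise, sep="\n  ")
    for d, (n_api, n_raw) in sorted(count_discrepancies(API_VIEW, RAW_VIEW).items()):
        print(f"{d}: {n_api} files via API, {n_raw} via raw view")
```

The Temp directory in the sample is there to show the limit of the count-only comparison lucas1985 asks about: one temp file left and another arrived between the two listings, so the counts agree even though the names differ, and a hidden file in a directory with that kind of churn would not move the total. The path-level diff catches it, which is why the per-file comparison is worth the extra effort once the counts disagree. Also note that any listing taken from inside the suspect OS, including `snapshot()` run there, is an API view; the raw side has to come from something that does not go through the hooked system calls.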