What IS this?

Every now and then, I receive nonsense like the stuff below (just a snip of it).  I didn't ask for it, I don't know where it's from, and I've no idea what it is.

Can someone help, please?  It's 134KB in total (it comes inline, not an attachment) and I'm certainly not going to decode it!

MTIA

Return-Path: <steve.xxxxxxx1@xxxworld.com>
Delivered-To: abuse@my.com
Received: (qmail 58251 messnum 1045264 invoked from network[??.253.1??.45/mta05-svc.xxxworld.com]); 23 May 2002 07:57:43 -0000
Received: from mta05-svc.xxxworld.com (??.253.1??.45)
 by relay06.my.com (qp 58251) with SMTP; 23 May 2002 07:57:43 -0000
Received: from Esinbv ([.104.196.20]) by mta05-svc.ntlworld.com
         (InterMail vM.4.01.03.27 201-229-121-127-20010626) with SMTP
         id <20020523075648.XUEN2755.mta05-svc.xxxworld.com@Esinbv>
         for <abuse@my.com>; Thu, 23 May 2002 08:56:48 +0100
From: remove_usa <remove_usa@excite.com>
To: abuse@my.com
Subject: A  WinXP patch
MIME-Version: 1.0
Status:  U
X-UIDL: 1022140664.58289.relay06.xxxxxx.xxx
Content-Type: multipart/alternative;
     boundary=Zaex7738d69M2ZyY8d7lma3wGcx2EqqKddFH
Message-Id: <20020523075648.XUEN2755.mta05-svc.xxxworld.com@Esinbv>
Date: Thu, 23 May 2002 08:57:42 +0100

--Zaex7738d69M2ZyY8d7lma3wGcx2EqqKddFH
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>

<FONT>Hello,This is a  WinXP patch

I wish you would like it.</FONT></BODY></HTML>

--Zaex7738d69M2ZyY8d7lma3wGcx2EqqKddFH
Content-Type: application/octet-stream;
     name=HREF.zl9
Content-Transfer-Encoding: base64
Content-ID: <Y16562Qc>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g
RE9TIG1vZGUuDQ0KJAAAAAAAAAAYmX3gXPgTs1z4E7Nc+BOzJ+Qfs1j4E7Pf5B2zT/gTs7Tn
GbNm+BOzPucAs1X4E7Nc+BKzJfgTs7TnGLNO+BOz5P4Vs134E7NSaWNoXPgTswAAAAAAAAAA

And so on...

 

Hi Checkout, looks like a Klez.H infection, see the text in it
<FONT>Hello,This is a  WinXP patch

I wish you would like it.</FONT></BODY></HTML>
If you got it in TXT format in your email you are lucky. I get them daily and most of time the moment the email comes in the preview the attachment shows up.

You see it has a very strange header, they seem to collect email addresses and names from everywhere, i wondered if they copy all to a very large database and grab ad randum names as senders, have several which i never heard of or of senders whose abuse departments i informed about their infected users.

 

Ah...thanks, Jooske!  I figured it was malware of some description but I didn't know exactly what!

I get them in Outlook Express but they're always encoded rather than executable.  Strange...

 

This isn't it?  Oh well!  Sure, be my guest.

(Hmm...so how come AVG and ZAP mailsafe didn't spot this nasty?)

 

Ah!  If that's what's happened, the I lurv ZAP even more than before!  I might take it out to dinner tonight, ply it with a good wine, and later on...well who knows.

Thanks for the pointer, Paul - I've shut my laptop down for now (going home soon) but I'll check the logs this evening, and report back.

Cheers, m'dear!  

 

The mailsafe of ZAPro changes the extension into something not-executable, derpending on the original extension; if there is an attachment visible, you'll see most of time two files, one with the frame exploit, the other the infection itself; i ever got a screenshot of somebody of his preview window and an html file in that; the URL on that seems to be one to update/upgrade the infection on the victims system, so i was really fast with leaving from that one as it started the download immediately and without asking, even though it should have been in the restricted zone, but.....
Standard OE after upgrading to 6.0 with the many security patches should move all the emails to be viewed from the restricted zone. So these infections should not be able to run in any ways.

 

All I can say is that it's a good job it was a virus and not a trojan, otherwise we'd have another boxing match tonight....  

 

Klez is an I-worm to my knowledge
But you did not run the thing anyway, and with WormGuard around as well it sh/would be stopped by that too. The z19 was done by Za/Zapro mailsafe to prevent running yes.

The URL i mentioned was something.com and the com was not changed by the persons mailsafe, but of course it could have been an executable file_ name.com!
Seeing several a day by now have them in several colors and sizes/ extensions, but i'm not even looking into their sources. They can have the exploit on an html file, which mailsafe doesnot change, but which i advice not to click on as it will start a download etc.

For me it doesn't matter which Klez A-Z it is, they're just all nasties and not worth to fight for