Anybody seen this one?

  • Thread starter Thread starter Al puzzuoli
  • Start date Start date
A

Al puzzuoli

Today, I got a message that has all the characteristics of a Virus but
if it is, it's one that's not detected by Nod32.
The subject of the message was Bug Letter. It came along with an
attachment called dpkxoqd.exe which is only 1 kb in size.

The message source is as follows:

Thanks for any info.



Received: from mxsf01.cluster1.charter.net ([209.225.28.201])
by sccrmxc11.comcast.net (sccrmxc11) with ESMTP
id <20040618171020s1100kdoe1e>; Fri, 18 Jun 2004 17:10:20 +
0000
X-Originating-IP: [209.225.28.201]
Received: from mxip15.cluster1.charter.net (mxip15a.cluster1.charter.net
[209.225.28.145])
by mxsf01.cluster1.charter.net (8.12.11/8.12.11) with ESMTP id
i5IH8mYv034418
for <[email protected]>; Fri, 18 Jun 2004 13:08:48 -0400 (EDT)
Date: Fri, 18 Jun 2004 13:08:48 -0400 (EDT)
Received: from ts46-01-qdr3963.mdfrd.or.charter.com (HELO booqq)
(68.118.37.135)
by mxip15.cluster1.charter.net with SMTP; 18 Jun 2004 13:08:47 -0400
Message-Id: <[email protected]>
FROM: "ms inet message storage service" <[email protected]>
TO: "Mail Client" <[email protected]>
SUBJECT: Bug Letter
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="nbhfcrgzay"
X-SpamPal: PASS

--nbhfcrgzay
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML>
<HEAD></HEAD>
<BODY>
<iframe src=3D"cid:lesvfimqtxfptz" height=3D0 width=3D0></iframe>
<BR>I'm afraid =
I wasn't able to deliver your message =
to the following addresses:<BR>
<BR><BR><BR>Undelivered mail to <B>[email protected]</B>
<BR><BR><BR>Message follows:<BR><BR><BR><BR>
</BODY></HTML>

--nbhfcrgzay
Content-Type: audio/x-midi; name="dpkxoqd.exe"
Content-Transfer-Encoding: base64
Content-Id: <lesvfimqtxfptz>



--nbhfcrgzay--
 
Doubtful it's a virus - if anything it could be a tracking executable -
i.e. you double click/launch the exe file and it reports back to a
server that the Email was received. In which case you be perpetually
nailed with SPAM forever more.
sh4d03

Al said:
Today, I got a message that has all the characteristics of a Virus but
if it is, it's one that's not detected by Nod32.
The subject of the message was Bug Letter. It came along with an
attachment called dpkxoqd.exe which is only 1 kb in size.

The message source is as follows:

Thanks for any info.



Received: from mxsf01.cluster1.charter.net ([209.225.28.201])
by sccrmxc11.comcast.net (sccrmxc11) with ESMTP
id <20040618171020s1100kdoe1e>; Fri, 18 Jun 2004 17:10:20 +
0000
X-Originating-IP: [209.225.28.201]
Received: from mxip15.cluster1.charter.net (mxip15a.cluster1.charter.net
[209.225.28.145])
by mxsf01.cluster1.charter.net (8.12.11/8.12.11) with ESMTP id
i5IH8mYv034418
for <[email protected]>; Fri, 18 Jun 2004 13:08:48 -0400 (EDT)
Date: Fri, 18 Jun 2004 13:08:48 -0400 (EDT)
Received: from ts46-01-qdr3963.mdfrd.or.charter.com (HELO booqq)
(68.118.37.135)
by mxip15.cluster1.charter.net with SMTP; 18 Jun 2004 13:08:47 -0400
Message-Id: <[email protected]>
FROM: "ms inet message storage service" <[email protected]>
TO: "Mail Client" <[email protected]>
SUBJECT: Bug Letter
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="nbhfcrgzay"
X-SpamPal: PASS

--nbhfcrgzay
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML>
<HEAD></HEAD>
<BODY>
<iframe src=3D"cid:lesvfimqtxfptz" height=3D0 width=3D0></iframe>
<BR>I'm afraid =
I wasn't able to deliver your message =
to the following addresses:<BR>
<BR><BR><BR>Undelivered mail to <B>[email protected]</B>
<BR><BR><BR>Message follows:<BR><BR><BR><BR>
</BODY></HTML>

--nbhfcrgzay
Content-Type: audio/x-midi; name="dpkxoqd.exe"
Content-Transfer-Encoding: base64
Content-Id: <lesvfimqtxfptz>



--nbhfcrgzay--
Click to expand...


--
If you require more assistance or if my suggestion works please E-mail
me at sh4d03 [at] TPG [dot] com [dot] au - please make ensure you insert
the word "Newsgroup" before anything else in the subject line.
Thanks,
Sh4d03
 
Today, I got a message that has all the characteristics of a Virus but
if it is, it's one that's not detected by Nod32.
Click to expand...

It's a swen with the virus executable removed. Earthlink does that too,
but they put a note in the message telling you the virus was removed-which
makes it less mysterious.
 
sh4d03 said:
Doubtful it's a virus - if anything it could be a tracking executable -
i.e. you double click/launch the exe file and it reports back to a
server that the Email was received. In which case you be perpetually
nailed with SPAM forever more.
sh4d03
Click to expand...

It *is* attempting to use an autoexecution exploit.

The "Iframe" version of the "Incorrect MIME Type" exploit.


Submit the attachment to other vendors' scanners (as well as Nod32) to
see what they make of it. The attempted exploit alone makes it malware
(the e-mail) even if the program (attachment) is a joke program IMAO.
 
Back
Top