EXPLOIT-- what is this and what do I do

MZB

David:

OK -- I can do the first email. I can delete that from the deleted files
folder.

But don't forget the copy that resides in:
| c:\RECYCLER\S-1-5-~1\DC1273.BAK/[From "postmaster" <[email protected]>][Date Thu, 28 Dec 2006 00:10:54 -0500]/html
| suspicion: Exploit.HTML.Iframe.FileDownload

Now, that DC1273.BAK is a backup of my deleted files folder. Can I delete
that entire file too? Well, I can, but do you know if OE will recreate a new
backup of my deleted files folder? I hope so.

Mel



David H. Lipman said:
From: "MZB" <[email protected]>

| David:
|
| I still have problems, kind of, but perhaps I have a handle on matters?
|
| I ran Kasp: It said:
|
| Current object: c:\
|
| Sector Objects      : 0          Known viruses : 1
| Files               : 288743     Virus bodies  : 6
| Folders             : 6049       Disinfected   : 0
| Archives            : 8123       Deleted       : 0
| Packed              : 296        Warnings      : 0
| Suspicious          : 2
| Scan speed (Kb/sec) : 0          Corrupted     : 0
| Scan time           : 01:49:48   I/O Errors    : 0
|
| The two suspicious ones are:
|
| c:\DOCUME~1\MELVIN~1\LOCALS~1\APPLIC~1\IDENTI~1\{DFF16~1\MICROS~1\OUTLOO~1\DELETE~1.DBX/[From "postmaster" <[email protected]>][Date Thu, 28 Dec 2006 00:10:54 -0500]/html
| suspicion: Exploit.HTML.Iframe.FileDownload
|
| c:\RECYCLER\S-1-5-~1\DC1273.BAK/[From "postmaster" <[email protected]>][Date Thu, 28 Dec 2006 00:10:54 -0500]/html
| suspicion: Exploit.HTML.Iframe.FileDownload
|
|
| I found the first file in my deleted files box (no attachment or anything).
| The second one must be the same file (there appears to be a back-up, as the
| extension indicates, in the RECYCLER folder???)
|
| I'm not sure what action to take, if any. Should I delete the email from my
| deleted folder? I assume it then goes to the recycler folder. Do I then
| delete the DC1273.bak from the RECYCLER folder?
|
| Or do I do nothing?
|
| Now, the known virus is:
|
| c:\DOCUME~1\MELVIN~1\LOCALS~1\APPLIC~1\IDENTI~1\{DFF16~1\MICROS~1\OUTLOO~1\DELETE~1.DBX/[From Garland Y. Bobby <[email protected]>][Date Fri, 29 Dec 2006 17:45:07 -0500]/postcard.exe
| infected: Email-Worm.Win32.Luder.a.
|
| This occurs 6 times, so I assume that's what is meant by the VIRUS BODIES
| statistic above.
|
| These are all postcard.exe attachments in emails I deleted. I am 99.99% sure
| I never opened any of the attachments (I do NOT open attachments).
|
| SO, where do I go from here? Do things look okay? Should I be deleting
| anything?
|
| Mel


You received email with an IFrame Exploit.

You need to go into your email software (Outlook Express) and delete that
email message.
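As an added example (not from the thread or any of its posters), a small Python parser for the Kaspersky report lines quoted above: it splits each hit into the container file, the mail sender and date, the member (html body or attachment) and the verdict, then shows that the .DBX hit and the RECYCLER .BAK hit are the same message stored twice, which is the question Mel is asking. The entry format is inferred from the quoted lines only, and the e-mail addresses are the page's redacted placeholders.

```python
import re
from collections import defaultdict

# One report entry has the shape
#   <container>/[From <sender>][Date <date>]/<member> <kind>: <verdict>
# where <container> is the mailbox (.dbx) or backup file the message sits in.
HIT_RE = re.compile(
    r"^(?P<container>.+?)/\[From (?P<sender>.+?)\]\[Date (?P<date>.+?)\]/"
    r"(?P<member>\S+) (?P<kind>suspicion|infected): (?P<verdict>\S+?)\.?$"
)

# Constructed sample: the three entries quoted in the thread, re-joined onto
# one line each (the newsgroup line wrapping is undone).
SCAN_LINES = [
    r"c:\DOCUME~1\MELVIN~1\LOCALS~1\APPLIC~1\IDENTI~1\{DFF16~1\MICROS~1\OUTLOO~1\DELETE~1.DBX"
    r'/[From "postmaster" <[email protected]>][Date Thu, 28 Dec 2006 00:10:54 -0500]/html'
    r" suspicion: Exploit.HTML.Iframe.FileDownload",
    r"c:\RECYCLER\S-1-5-~1\DC1273.BAK"
    r'/[From "postmaster" <[email protected]>][Date Thu, 28 Dec 2006 00:10:54 -0500]/html'
    r" suspicion: Exploit.HTML.Iframe.FileDownload",
    r"c:\DOCUME~1\MELVIN~1\LOCALS~1\APPLIC~1\IDENTI~1\{DFF16~1\MICROS~1\OUTLOO~1\DELETE~1.DBX"
    r"/[From Garland Y. Bobby <[email protected]>][Date Fri, 29 Dec 2006 17:45:07 -0500]/postcard.exe"
    r" infected: Email-Worm.Win32.Luder.a.",
    "Scan time : 01:49:48 I/O Errors : 0",  # a statistics line, not a detection
]

def parse_hits(lines):
    """Return one dict per detection line; statistics and other lines are skipped."""
    hits = []
    for line in lines:
        m = HIT_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits

def message_copies(hits):
    """Map (sender, date, member) -> containers for messages found in more than one
    container. A second copy in the RECYCLER .BAK is the same message stored twice
    (the folder-compaction backup), not a second infection."""
    groups = defaultdict(list)
    for h in hits:
        groups[(h["sender"], h["date"], h["member"])].append(h["container"])
    return {key: paths for key, paths in groups.items() if len(paths) > 1}

def containers_to_clean(hits):
    """Distinct mailbox/backup files holding detections; each needs the message deleted in the mail client or the Recycle Bin emptied."""
    return sorted({h["container"] for h in hits})
```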
 
MZB

David:

Two other general questions:
1) I've learned that the Exploit is not a virus. But it is code that seeks a
vulnerability in some program/application. It then does something. When it
does whatever it does, am I correct that one of the AV programs should spot
it (I assume that's why we ran those programs?). So if the exploit did its
thing would there be a worm or virus? Or is it some other malware that the
AV program should pick up.

2) Do we even have an answer as to why the file that led to my original post
was 167K but 0K when I tried to upload it or send it?

Mel






 
MZB

Correction:

The RECYCLER folder does NOT normally contain a B/U of the deleted files
folder.

It is the recycle bin folder.

For some reason, that same email must have been there.

Anyway, I emptied the recycle bin and now the c:\RECYCLER is empty.

Mel

 
MZB

Ah... I think I've figured out how such a B/U got in the recycle bin.

Every so often, when you close OE, it offers to compact folders. When I say
YES, part of the compacting process is to B/U each folder in OE, do the
compacting, and when successful it deletes the B/U file. For small folders,
the B/U might be done in memory only. But for large folders like my deleted
files folder (which I never empty), it saves the B/U somewhere and then
deletes it.

That's how it got in the recycle bin.

David -- thanks for your help.

I'm hoping this episode is OVER!!

Mel


 
ProNews/2 User

| I restored the file (to a different directory so I can access it quicker).
| But I was unable to attach it to send it.
| First AVG popped up.
| I disabled AVG but OE wouldn't let me do it (it stripped the file
| attachment).
| I then tried it with my Yahoo email account and it wouldn't let me do it.
| Any other ideas?? Also, why can't I attach the file?

If you _really_ want to send the file to someone, you should package it up
in a password protected .ZIP or .RAR file. Then you can attach the
protected archive to an e-mail that includes the required password to open
the file.

The reason for password protecting it is to keep AV scanners (like AVG)
from opening the archive and yanking the file out of it.

[snip]
| Do you think the banishment to the Virus Vault will take care of the
| problem?

That's the purpose of the vault. The file's name is changed and it gets
encrypted. Unless you tell AVG to restore the file, it's virtually
inaccessible and un-executable.

AVG is doing exactly what it's supposed to do. Make absolutely sure that
you have enabled automatic updates in its setup routines. It _does_ do a
very good job.

Best regards,
Marc.
 
David H. Lipman

From: "ProNews/2 User" <marclewis.nospam.303@comcast[.]net>


|
| If you _really_ want to send the file to someone, you should package it up
| in a password protected .ZIP or .RAR file. Then you can attach the
| protected archive to an e-mail that includes the required password to open
| the file.
|
| The reason for password protecting it is to keep AV scanners (like AVG)
| from opening the archive and yanking the file out of it.
|
| [snip]
|
| That's the purpose of the vault. The file's name is changed and it gets
| encrypted. Unless you tell AVG to restore the file, it's virtually
| inaccessible and un-executable.
|
| AVG is doing exactly what it's supposed to do. Make absolutely sure that
| you have enabled automatic updates in its setup routines. It _does_ do a
| very good job.
|
| Best regards,
| Marc.

That would be counter-productive when sending a suspect to Virus Total and is
contraindicated.
 
David H. Lipman

From: "MZB" <[email protected]>

| David:
|
| OK -- I can do the first email. I can delete that from the deleted files
| folder.
|
| But don't forget the copy that resides in:
| c:\RECYCLER\S-1-5-~1\DC1273.BAK/[From "postmaster" <[email protected]>][Date Thu, 28 Dec 2006 00:10:54 -0500]/html
| suspicion: Exploit.HTML.Iframe.FileDownload
|
| Now, that DC1273.BAK is a backup of my deleted files folder. Can I delete
| that entire file too? Well, I can, but do you know if OE will recreate a new
| backup of my deleted files folder? I hope so.
|
| Mel


That's the Trash Can. Dump the Trash Can (Recycle Bin).
 
David H. Lipman

From: "MZB" <[email protected]>

| David:
|
| Two other general questions:
| 1) I've learned that the Exploit is not a virus. But it is code that seeks a
| vulnerability in some program/application. It then does something. When it
| does whatever it does, am I correct that one of the AV programs should spot
| it (I assume that's why we ran those programs?). So if the exploit did its
| thing would there be a worm or virus? Or is it some other malware that the
| AV program should pick up.


It should if it is known, or heuristic scanning can catch it if it looks malicious.


|
| 2) Do we even have an answer as to why the file that led to my original post
| was 167K but 0K when I tried to upload it or send it?
|
| Mel
|

None.
 
ProNews/2 User

| From: "ProNews/2 User" <marclewis.nospam.303@comcast[.]net>
|>> The reason for password protecting it is to keep AV scanners (like
|>> AVG) from opening the archive and yanking the file out of it. [snip]
| That would be counter-productive when sending a suspect to Virus
| Total and is contraindicated.

This would be so in the case of a direct upload; but what I was
referring to was being able to attach it to an e-mail.

--
******************************************
* Best regards,
* Marc.
* Formerly of New Orleans, LA (USA)
* Now resident in Meridian, MS (USA)
* FIDONET=1:396/45 INTELEC=239:600/70
* TELNET://bbs.sursum-corda.com
* FTP://ftp.sursum-corda.com
******************************************
Remove anti-spam devices to reply by e-mail.
A: Because it reverses the logical flow of conversation.
Q: Why is top posting frowned upon?
 
David H. Lipman

From: "ProNews/2 User" <marclewis.nospam.303@comcast[.]net>

| On Sun, 14 Jan 2007 19:08:31 UTC, "David H. Lipman"
| said:
From: "ProNews/2 User" <marclewis.nospam.303@comcast[.]net>
|
|>> The reason for password protecting it is to keep AV scanners (like
|>> AVG) from opening the archive and yanking the file out of it.
| [snip]|
| This would be so in the case of a direct upload; but what I was
| referring to was being able to attach it to an e-mail.
|

Either in sending in email or direct upload, don't submit archive files to Virus Total. Not
all the scanners are set to scan within them.

This is why I use an email address that has NO anti virus scanner associated with it.
 
