One strange email...



Actually the part of that source code (the main part), iframe src=cid:U7g967U9l603, doesn't seem to make any sense to me. :ermm: I mean its src is not really a source; it just seems like gibberish.


Strange, the email seems to have been spoofed... the return and sent addresses don't match. The sent address has a .tw extension, meaning it would have come from Taiwan, but the return email says it's from peter-yeung@topet-intl.com, whose domain is registered in Hong Kong. Strange piece of source code...


I just noticed that Hotmail says the email is 162k in size? As there were only a few lines of code and no attachment, how is that possible? Unless there was an attachment and Hotmail screened it out or something? :s


Originally posted by Keldyn

If I were you, Robert, I would be scanning my PC for any sign of Klez and its many variants right about now.

Just downloading the NAV trial now :( Thing is, I can't help it opening the email, as Outlook has a habit of opening the topmost new email when you click on MSN - Inbox. :/


Neither W32.Klez.gen@mm nor W32.Elkern.gen were found on your computer.

So that's something at least. :) Getting that free AV program now. The NAV trial was 30MB :s and on 56k that's a while.

*What I really don't understand is the size of the message, 162k, and NO attachment, just 3 lines of HTML code. I mean WTF? It's impossible, unless it did have an attachment and Hotmail filtered it out. That gibberish might have been the code to launch the attachment, maybe when the message was opened.


Right, I ran that scanner and it found a virus, unfortunately. It found 1 known virus, JS/Seeker, and one unknown virus (well, what it said it thinks is a virus) in the BitDefender plug-in?

Anyway, only one file seemed to have the JS/Seeker virus, and it was in my Temporary Internet folder. I checked around the system and it doesn't seem to have activated its payload. It's not changed my start page etc. or left any of its files behind. It leaves backups of the changed reg settings (nice of them at least). But no, I think I was lucky this time. :) Let's hope.

C:\Documents and Settings\Rob Hague\Local Settings\Temporary Internet Files\CONTENT.IE5\ATMZW701\DEFAUL~1.JS Virus found JS/Seeker

That was the only file. I just had a thought that anyone could have put this in a website, eBay for instance :( I go there a lot, and in that folder was a lot of stuff from eBay (pictures and junk). Ah well.


Hotmail is pretty good about filtering web code in emails, so I would not be surprised if the bulk of the payload code was missing in the email. The size is registered before the screening, I think. By the way, disable HTML emails for now.


Here is another small problem. :)

AVG insists I have another unknown virus. Yet it's a program I just installed, and it's the same file it cleaned away last time, so it's impossible for it to be infected as I've just installed it again.

It says that C:\Program Files\SOFTWIN\BitDefender for MSN Messenger\PLUGINS\PKUNPACK.DLL May be infected by unknown virus

It's from BitDefender, that software Neowin has on its software news page. It's supposed to protect MSN from viruses.

Anyway, anyone else get this when they scan that file? I've got these DATs as up to date as possible. I think I should invest in McAfee or Norton AV proggies at some point soon :) hehe


Yeah, that's one of the virii floating about right now that you got. If it didn't have an HTML attachment of some sort, it got stripped. I run Outlook XP/2002 and it prevents all script from running and removes all HTML/URL attachments. I got one like that the other day. And to make matters worse, I started getting e-mail notifications that I was sending out virus-infected mail to people I've never even communicated with.

Here's the lovely part about Klez and the like: it will fake the "From" and "Reply" information in the headers with information from your system. Since I run a website, people had pages cached in their Temporary Internet Files that had my e-mail address in them, plus they had e-mailed me as well. So they got infected, but the virus pulled my e-mail as the address to spoof, so I started getting mail about being infected and sending virus-infected e-mail to people. Tons of fun, huh?

Make sure to have excellent AV, keep it up to date, and turn off HTML e-mail if you can. Text only is a lifesaver. :D

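The two things this thread keeps circling back to, the iframe that loads `cid:U7g967U9l603` from a body that is "only 3 lines" yet weighs 162k, and the spoofed From/Return-Path headers, can both be checked mechanically on the raw message. This is an added example, not code from the thread or from any of the products named in it: it parses a constructed message (the sender addresses, the `setup.exe` part declared as `audio/x-wav`, and the placeholder body are made up here; only the Content-ID string comes from the thread) and reports what the HTML body is quietly pulling in.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample (not the thread's real message): an HTML body frames a MIME part
# by Content-ID, that part is an .exe declared as audio, and From/Return-Path disagree.
SAMPLE_RAW = """\
Return-Path: <peter-yeung@topet-intl.com>
From: "Someone" <someone@example.com.tw>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="BOUND"

--BOUND
Content-Type: text/html; charset="us-ascii"

<html><body><iframe src=cid:U7g967U9l603></iframe></body></html>
--BOUND
Content-Type: audio/x-wav; name="setup.exe"
Content-ID: <U7g967U9l603>

MZ-placeholder-not-a-real-binary
--BOUND--
"""

# src=cid:... inside a tag that a mail client renders (and so fetches) automatically.
CID_REF = re.compile(r'''<(?:iframe|img|object|embed)[^>]*?\bsrc\s*=\s*["']?cid:([^\s"'>]+)''', re.I)
RISKY_EXT = ('.exe', '.scr', '.pif', '.bat', '.com', '.vbs', '.js')

def domain_of(header):
    # Bare, lower-cased domain of the first address in a header ('' if none).
    return parseaddr(str(header))[1].rpartition('@')[2].lower()

def analyse(raw):
    # Returns human-readable findings for one raw RFC 822 message.
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    rp, frm = domain_of(msg.get('Return-Path', '')), domain_of(msg.get('From', ''))
    if rp and frm and rp != frm:
        findings.append(f'sender mismatch: From={frm} Return-Path={rp}')
    # Index every part carrying a Content-ID so cid: references can be resolved.
    by_cid = {p['Content-ID'].strip('<>'): p for p in msg.walk() if p['Content-ID']}
    for part in msg.walk():
        if part.get_content_type() != 'text/html':
            continue
        for cid in CID_REF.findall(part.get_content()):
            target = by_cid.get(cid)
            if target is None:
                findings.append(f'dangling cid reference: {cid}')
                continue
            name = (target.get_filename() or '').lower()
            if name.endswith(RISKY_EXT):  # filename says executable, whatever the declared type
                findings.append(f'html frames executable part {cid}: {name} '
                                f'declared as {target.get_content_type()}')
    return findings
```

Run against a mailbox export, a message flagged by both checks is the pattern described above: a part the webmail view never lists, pulled in by the HTML body, from a sender whose envelope and header domains do not agree.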

Yeah, I'm using Outlook 2002 as well :) which is why I couldn't understand how I could have gotten anything when I looked at it. Still, the virii I got could be unrelated. I will have to be more careful on eBay, methinks; I have a feeling that's where this virii script came from. :)
