PC Review



Anybody seen this one?

Al puzzuoli
Guest
Posts: n/a
 
      19th Jun 2004
Today, I got a message that has all the characteristics of a Virus but
if it is, it's one that's not detected by Nod32.
The subject of the message was Bug Letter. It came along with an
attachment called dpkxoqd.exe which is only 1 kb in size.

The message source is as follows:

Thanks for any info.



Received: from mxsf01.cluster1.charter.net ([209.225.28.201])
by sccrmxc11.comcast.net (sccrmxc11) with ESMTP
id <20040618171020s1100kdoe1e>; Fri, 18 Jun 2004 17:10:20 +
0000
X-Originating-IP: [209.225.28.201]
Received: from mxip15.cluster1.charter.net (mxip15a.cluster1.charter.net
[209.225.28.145])
by mxsf01.cluster1.charter.net (8.12.11/8.12.11) with ESMTP id
i5IH8mYv034418
for <(E-Mail Removed)>; Fri, 18 Jun 2004 13:08:48 -0400 (EDT)
Date: Fri, 18 Jun 2004 13:08:48 -0400 (EDT)
Received: from ts46-01-qdr3963.mdfrd.or.charter.com (HELO booqq)
(68.118.37.135)
by mxip15.cluster1.charter.net with SMTP; 18 Jun 2004 13:08:47 -0400
Message-Id: <36u7hu$(E-Mail Removed)>
FROM: "ms inet message storage service" <(E-Mail Removed)>
TO: "Mail Client" <(E-Mail Removed)>
SUBJECT: Bug Letter
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="nbhfcrgzay"
X-SpamPal: PASS

--nbhfcrgzay
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML>
<HEAD></HEAD>
<BODY>
<iframe src=3D"cid:lesvfimqtxfptz" height=3D0 width=3D0></iframe>
<BR>I'm afraid =
I wasn't able to deliver your message =
to the following addresses:<BR>
<BR><BR><BR>Undelivered mail to <B>(E-Mail Removed)</B>
<BR><BR><BR>Message follows:<BR><BR><BR><BR>
</BODY></HTML>

--nbhfcrgzay
Content-Type: audio/x-midi; name="dpkxoqd.exe"
Content-Transfer-Encoding: base64
Content-Id: <lesvfimqtxfptz>



--nbhfcrgzay--

sh4d03
Guest
Posts: n/a
 
      19th Jun 2004
Doubtful it's a virus - if anything it could be a tracking executable -
i.e. you double click/launch the exe file and it reports back to a
server that the e-mail was received. In which case you'd be perpetually
nailed with SPAM forever more.
sh4d03

Al puzzuoli wrote:
> Today, I got a message that has all the characteristics of a Virus but
> if it is, it's one that's not detected by Nod32.
> The subject of the message was Bug Letter. It came along with an
> attachment called dpkxoqd.exe which is only 1 kb in size.
>
> The message source is as follows:
>
> Thanks for any info.
>
>
>
> Received: from mxsf01.cluster1.charter.net ([209.225.28.201])
> by sccrmxc11.comcast.net (sccrmxc11) with ESMTP
> id <20040618171020s1100kdoe1e>; Fri, 18 Jun 2004 17:10:20 +
> 0000
> X-Originating-IP: [209.225.28.201]
> Received: from mxip15.cluster1.charter.net (mxip15a.cluster1.charter.net
> [209.225.28.145])
> by mxsf01.cluster1.charter.net (8.12.11/8.12.11) with ESMTP id
> i5IH8mYv034418
> for <(E-Mail Removed)>; Fri, 18 Jun 2004 13:08:48 -0400 (EDT)
> Date: Fri, 18 Jun 2004 13:08:48 -0400 (EDT)
> Received: from ts46-01-qdr3963.mdfrd.or.charter.com (HELO booqq)
> (68.118.37.135)
> by mxip15.cluster1.charter.net with SMTP; 18 Jun 2004 13:08:47 -0400
> Message-Id: <36u7hu$(E-Mail Removed)>
> FROM: "ms inet message storage service" <(E-Mail Removed)>
> TO: "Mail Client" <(E-Mail Removed)>
> SUBJECT: Bug Letter
> Mime-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="nbhfcrgzay"
> X-SpamPal: PASS
>
> --nbhfcrgzay
> Content-Type: text/html
> Content-Transfer-Encoding: quoted-printable
>
> <HTML>
> <HEAD></HEAD>
> <BODY>
> <iframe src=3D"cid:lesvfimqtxfptz" height=3D0 width=3D0></iframe>
> <BR>I'm afraid =
> I wasn't able to deliver your message =
> to the following addresses:<BR>
> <BR><BR><BR>Undelivered mail to <B>(E-Mail Removed)</B>
> <BR><BR><BR>Message follows:<BR><BR><BR><BR>
> </BODY></HTML>
>
> --nbhfcrgzay
> Content-Type: audio/x-midi; name="dpkxoqd.exe"
> Content-Transfer-Encoding: base64
> Content-Id: <lesvfimqtxfptz>
>
>
>
> --nbhfcrgzay--
>



--
If you require more assistance or if my suggestion works please E-mail
me at sh4d03 [at] TPG [dot] com [dot] au - please make sure you insert
the word "Newsgroup" before anything else in the subject line.
Thanks,
Sh4d03
Jason Wade
Guest
Posts: n/a
 
      19th Jun 2004
On Fri, 18 Jun 2004 23:13:54 -0500, Al puzzuoli wrote:

> Today, I got a message that has all the characteristics of a Virus but
> if it is, it's one that's not detected by Nod32.


It's a Swen with the virus executable removed. Earthlink does that too,
but they put a note in the message telling you the virus was removed, which
makes it less mysterious.

--
Please place your reply beneath the other person's text.
Long discussions will flow more logically.

FromTheRafters
Guest
Posts: n/a
 
      20th Jun 2004

"sh4d03" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> Doubtful it's a virus - if anything it could be a tracking executable -
> i.e. you double click/launch the exe file and it reports back to a
> server that the Email was received. In which case you be perpetually
> nailed with SPAM forever more.
> sh4d03


It *is* attempting to use an autoexecution exploit.

The "Iframe" version of the "Incorrect MIME Type" exploit.


> > <iframe src=3D"cid:lesvfimqtxfptz" height=3D0 width=3D0></iframe>


> > Content-Type: audio/x-midi; name="dpkxoqd.exe"


Submit the attachment to other vendors' scanners (as well as Nod32) to
see what they make of it. The attempted exploit alone makes it malware
(the e-mail) even if the program (attachment) is a joke program IMAO.
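As an added example (not code from this thread or from any poster), the Python script below does a static triage of a message for the two tells FromTheRafters points at in the message source: an attachment whose declared Content-Type is a benign media type (audio/x-midi) while its name ends in an executable extension (.exe), and a zero-size iframe whose src is a cid: reference to that very part. The sample message is constructed to mirror the structure of the message Al posted, with placeholder addresses and a placeholder base64 body (the real attachment body is not in the thread); the extension list, the function names and the control message are my assumptions.

```python
# Added example (not code from this thread or any poster): static triage of a MIME
# message for a benign-typed attachment with an executable filename, and for a
# hidden <iframe> whose src is a cid: reference to that part.
import email
import re
from email import policy
from typing import List, Tuple

# Extensions Windows would run as code if the part were opened (assumed set).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Top-level media types under which an executable filename makes no sense.
BENIGN_TOP_LEVEL_TYPES = {"audio", "image", "video", "text"}

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'([A-Za-z]+)\s*=\s*"?([^"\s>]+)"?')

# Constructed sample mirroring the structure of the message posted in the thread.
# The base64 body is a stand-in ("placeholder"), not the real attachment.
SAMPLE = """\
Subject: Bug Letter
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="nbhfcrgzay"

--nbhfcrgzay
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<iframe src=3D"cid:lesvfimqtxfptz" height=3D0 width=3D0></iframe>
<BR>I'm afraid =
I wasn't able to deliver your message.

--nbhfcrgzay
Content-Type: audio/x-midi; name="dpkxoqd.exe"
Content-Transfer-Encoding: base64
Content-Id: <lesvfimqtxfptz>

cGxhY2Vob2xkZXI=

--nbhfcrgzay--
"""

# Constructed control message: a real MIDI filename and no iframe, so no findings.
CLEAN_SAMPLE = """\
Subject: the jingle
Mime-Version: 1.0
Content-Type: audio/x-midi; name="jingle.mid"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
"""


def parse_message(raw: str):
    # policy.default yields EmailMessage objects whose get_content() decodes QP/base64.
    return email.message_from_string(raw, policy=policy.default)


def find_mismatched_parts(msg) -> List[Tuple[str, str, str]]:
    """Return (content_id, content_type, filename) for parts whose declared type is
    a benign media type while the filename carries an executable extension."""
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        fname = part.get_filename() or ""  # falls back to the Content-Type name= param
        ext = ("." + fname.rsplit(".", 1)[-1].lower()) if "." in fname else ""
        if ctype.split("/")[0] in BENIGN_TOP_LEVEL_TYPES and ext in EXECUTABLE_EXTENSIONS:
            cid = str(part.get("Content-Id", "")).strip().strip("<>")
            findings.append((cid, ctype, fname))
    return findings


def find_hidden_cid_iframes(msg) -> List[str]:
    """Return the content-ids referenced by zero-size iframes in any text/html part."""
    refs = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()  # quoted-printable is undone here (=3D becomes =)
        for tag_body in IFRAME_RE.findall(html):
            attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag_body)}
            src = attrs.get("src", "")
            hidden = attrs.get("height") in ("0", "0px") or attrs.get("width") in ("0", "0px")
            if src.lower().startswith("cid:") and hidden:
                refs.append(src[4:])
    return refs


def triage(raw: str) -> List[str]:
    """Combine both checks into human-readable findings (an empty list means clean)."""
    msg = parse_message(raw)
    mismatched = find_mismatched_parts(msg)
    report = [f"type/name mismatch: {ctype} part named {fname!r} (cid={cid})"
              for cid, ctype, fname in mismatched]
    bad_cids = {cid for cid, _, _ in mismatched}
    for ref in find_hidden_cid_iframes(msg):
        if ref in bad_cids:
            report.append(f"hidden iframe auto-references executable part cid={ref}")
        else:
            report.append(f"hidden iframe references cid={ref}")
    return report


if __name__ == "__main__":
    for name, raw in (("suspect", SAMPLE), ("control", CLEAN_SAMPLE)):
        print(name, triage(raw) or ["no findings"])
```

The script never decodes or runs the attachment; it only compares what the headers claim against what the filename and the HTML body do, which is the same disagreement a mail gateway can quarantine on regardless of whether any scanner has a signature for the executable itself.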

