Anybody seen this one?


Al puzzuoli

Today, I got a message that has all the characteristics of a Virus but
if it is, it's one that's not detected by Nod32.
The subject of the message was Bug Letter. It came along with an
attachment called dpkxoqd.exe which is only 1 kb in size.

The message source is as follows:

Thanks for any info.



Received: from mxsf01.cluster1.charter.net ([209.225.28.201])
by sccrmxc11.comcast.net (sccrmxc11) with ESMTP
id <20040618171020s1100kdoe1e>; Fri, 18 Jun 2004 17:10:20 +0000
X-Originating-IP: [209.225.28.201]
Received: from mxip15.cluster1.charter.net (mxip15a.cluster1.charter.net
[209.225.28.145])
by mxsf01.cluster1.charter.net (8.12.11/8.12.11) with ESMTP id
i5IH8mYv034418
for <[email protected]>; Fri, 18 Jun 2004 13:08:48 -0400 (EDT)
Date: Fri, 18 Jun 2004 13:08:48 -0400 (EDT)
Received: from ts46-01-qdr3963.mdfrd.or.charter.com (HELO booqq)
(68.118.37.135)
by mxip15.cluster1.charter.net with SMTP; 18 Jun 2004 13:08:47 -0400
Message-Id: <[email protected]>
FROM: "ms inet message storage service" <[email protected]>
TO: "Mail Client" <[email protected]>
SUBJECT: Bug Letter
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="nbhfcrgzay"
X-SpamPal: PASS

--nbhfcrgzay
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML>
<HEAD></HEAD>
<BODY>
<iframe src=3D"cid:lesvfimqtxfptz" height=3D0 width=3D0></iframe>
<BR>I'm afraid =
I wasn't able to deliver your message =
to the following addresses:<BR>
<BR><BR><BR>Undelivered mail to <B>[email protected]</B>
<BR><BR><BR>Message follows:<BR><BR><BR><BR>
</BODY></HTML>

--nbhfcrgzay
Content-Type: audio/x-midi; name="dpkxoqd.exe"
Content-Transfer-Encoding: base64
Content-Id: <lesvfimqtxfptz>



--nbhfcrgzay--
 

sh4d03

Doubtful it's a virus - if anything it could be a tracking executable -
i.e. you double click/launch the exe file and it reports back to a
server that the Email was received. In which case you'll be perpetually
nailed with SPAM forever more.
sh4d03

Al said:
Today, I got a message that has all the characteristics of a Virus but
if it is, it's one that's not detected by Nod32.
The subject of the message was Bug Letter. It came along with an
attachment called dpkxoqd.exe which is only 1 kb in size.


--
If you require more assistance or if my suggestion works please E-mail
me at sh4d03 [at] TPG [dot] com [dot] au - please ensure you insert
the word "Newsgroup" before anything else in the subject line.
Thanks,
Sh4d03
 

Jason Wade

Today, I got a message that has all the characteristics of a Virus but
if it is, it's one that's not detected by Nod32.

It's a Swen with the virus executable removed. Earthlink does that too,
but they put a note in the message telling you the virus was removed, which
makes it less mysterious.
 

FromTheRafters

sh4d03 said:
Doubtful it's a virus - if anything it could be a tracking executable -
i.e. you double click/launch the exe file and it reports back to a
server that the Email was received. In which case you be perpetually
nailed with SPAM forever more.
sh4d03

It *is* attempting to use an autoexecution exploit.

The "Iframe" version of the "Incorrect MIME Type" exploit.


Submit the attachment to other vendors' scanners (as well as Nod32) to
see what they make of it. The attempted exploit alone makes it malware
(the e-mail) even if the program (attachment) is a joke program IMAO.
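The "Incorrect MIME Type" pattern FromTheRafters describes is visible in the headers Al posted: a part named dpkxoqd.exe is declared as audio/x-midi, and the HTML part pulls it in through a hidden iframe pointing at its Content-Id. The script below is an added example (not code from anyone in this thread) that parses a MIME message with Python's standard email library and flags exactly those signals, which is what a mail gateway or incident responder would check. The sample message is constructed for the example from the headers shown above; the addresses and the base64 body (an MZ header stub, not the real attachment) are placeholders.

```python
import email
import re
from email import policy

# Extensions Windows runs directly; the thread's attachment was dpkxoqd.exe.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}

# Matches <iframe src="cid:..."> once quoted-printable decoding has turned =3D back into =.
IFRAME_CID_RE = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*"?cid:([^"\s>]+)', re.IGNORECASE)

# Constructed sample modelled on the message in the thread (addresses and payload are placeholders).
SAMPLE_RAW = """\
From: "ms inet message storage service" <postmaster@example.invalid>
To: "Mail Client" <user@example.invalid>
Subject: Bug Letter
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="nbhfcrgzay"

--nbhfcrgzay
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML><BODY>
<iframe src=3D"cid:lesvfimqtxfptz" height=3D0 width=3D0></iframe>
<BR>I'm afraid I wasn't able to deliver your message.
</BODY></HTML>

--nbhfcrgzay
Content-Type: audio/x-midi; name="dpkxoqd.exe"
Content-Transfer-Encoding: base64
Content-Id: <lesvfimqtxfptz>

TVqQAAMAAAAEAAAA
--nbhfcrgzay--
"""

# Constructed benign message: plain text, no attachment, no iframe.
BENIGN_RAW = """\
From: "Colleague" <colleague@example.invalid>
To: "Mail Client" <user@example.invalid>
Subject: Lunch
Mime-Version: 1.0
Content-Type: text/plain

See you at noon.
"""


def analyse_message(raw: str) -> list:
    """Return (finding, detail) tuples for MIME-type abuse indicators in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    referenced_cids = set()
    leaf_parts = []

    # Pass 1: collect leaf parts and every cid: the HTML body loads through an iframe.
    for part in msg.walk():
        if part.is_multipart():
            continue
        leaf_parts.append(part)
        if part.get_content_type() == "text/html":
            html = part.get_content()  # decodes quoted-printable for us
            referenced_cids.update(c.lower() for c in IFRAME_CID_RE.findall(html))

    # Pass 2: compare each part's declared type against its name, its bytes and its use.
    for part in leaf_parts:
        filename = part.get_filename() or ""
        ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
        ctype = part.get_content_type()
        cid = (part.get("Content-Id") or "").strip().strip("<>").lower()
        payload = part.get_payload(decode=True) or b""
        non_executable_type = not ctype.startswith("application/")

        if ext in EXECUTABLE_EXTENSIONS and non_executable_type:
            findings.append(("declared-type-mismatch", f"{filename} declared as {ctype}"))
        if payload.startswith(b"MZ") and non_executable_type:
            findings.append(("pe-magic-under-non-executable-type", f"{filename or cid} starts with MZ"))
        if cid and cid in referenced_cids and ext in EXECUTABLE_EXTENSIONS:
            findings.append(("iframe-cid-autoload-of-executable", f"cid:{cid} -> {filename}"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyse_message(SAMPLE_RAW):
        print(f"{kind}: {detail}")
    print("benign findings:", analyse_message(BENIGN_RAW))
```

Any one of the three findings is worth quarantining on; the combination (executable name, non-executable declared type, PE magic, and a hidden iframe referencing the part) is the signature of the auto-execution attempt the thread is discussing, and a scanner that only hashes the attachment can miss it when, as Jason notes, the payload itself has been stripped upstream.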