Emails with Attachments that LOOK like a Virus

jverduin

Hello,

I've received on our system several emails to end-users that have all
of the properties of some known viruses, but the attachments are not
really infected. Here is an example of what we receive:
Sender: Varies
Subject: Urgent
Body:
Hi

Sorry, I forgot to send an important
document to you in that last email. I had an important phone call.
Please checkout attached doc file when you have a moment.

Best Regards
Attachment: help.zip

The file is definitely not a virus, and has been examined by Symantec
and McAfee who confirmed it is clean. We also get random extensions,
mostly .exe or .zip files.

Has anyone else seen files like this?
Thanks in advance,

Joel VerDuin
Wausau School District
 
Roger Wilco

Hello,

| I've received on our system several emails to end-users that have all
| of the properties of some known viruses, but the attachments are not
| really infected. Here is an example of what we receive:
| Sender: Varies
| Subject: Urgent
| Body:
| Hi
|
| Sorry, I forgot to send an important
| document to you in that last email. I had an important phone call.
| Please checkout attached doc file when you have a moment.
|
| Best Regards
| Attachment: help.zip
|
| The file is definitely not a virus,

How did you determine this? What is in the zip file?

| and has been examined by Symantec
| and McAfee who confirmed it is clean.

AV software can't confirm that something is "clean", only that "nothing
was found". There is an important difference between those two
statements.

| We also get random extensions,
| mostly .exe or .zip files.

Probably a new variant of an e-mail vector worm.

http://us.mcafee.com/virusInfo/?id=description&virus_k=129466
 
David H. Lipman

With an email message such as that with a named file as you have shown the chances of being
an infector are EXTREMELY high.

Your best bet, delete the email.

If your curiosity has the better of you, submit the ZIP file to Virus Total --
http://www.virustotal.com/flash/index_en.html which will test the file against several AV
vendors' scanners. Then post the EXACT report.

--
Dave
BTW: Posting your true, not a munged, email address in UseNet is an invitation to receive
additional infectors via email.



| Hello,
|
| I've received on our system several emails to end-users that have all
| of the properties of some known viruses, but the attachments are not
| really infected. Here is an example of what we receive:
| Sender: Varies
| Subject: Urgent
| Body:
| Hi
|
| Sorry, I forgot to send an important
| document to you in that last email. I had an important phone call.
| Please checkout attached doc file when you have a moment.
|
| Best Regards
| Attachment: help.zip
|
| The file is definitely not a virus, and has been examined by Symantec
| and McAfee who confirmed it is clean. We also get random extensions,
| mostly .exe or .zip files.
|
| Has anyone else seen files like this?
| Thanks in advance,
|
| Joel VerDuin
| Wausau School District
|
 
kurt wismer

Hello,

I've received on our system several emails to end-users that have all
of the properties of some known viruses, but the attachments are not
really infected. Here is an example of what we receive: [snip]
The file is definitely not a virus, and has been examined by Symantec
and McAfee who confirmed it is clean. We also get random extensions,
mostly .exe or .zip files.

Has anyone else seen files like this?
Thanks in advance,

it stands to reason that just about everyone has seen something like
that - and for good reason...

email worms send themselves out in messages that look like real emails
(to trick the user of course)... it should come as no surprise then
that real emails wind up looking like those sent by email worms...
 
John Coutts

Hello,

I've received on our system several emails to end-users that have all
of the properties of some known viruses, but the attachments are not
really infected. Here is an example of what we receive:
Sender: Varies
Subject: Urgent
Body:
Hi

Sorry, I forgot to send an important
document to you in that last email. I had an important phone call.
Please checkout attached doc file when you have a moment.

Best Regards
Attachment: help.zip

The file is definitely not a virus, and has been examined by Symantec
and McAfee who confirmed it is clean. We also get random extensions,
mostly .exe or .zip files.

Has anyone else seen files like this?
Thanks in advance,

Joel VerDuin
Wausau School District
*************** REPLY SEPARATOR ***************
This is fairly common if the email has been through a server that checks for
viruses. For example, you can forward an email from our filtering service that
has been quarantined, and it will send an attachment with the same name as the
original attachment, but it has been substituted with a small text file that
says something like "Virus removed!". It can also happen if the message is a
"bounced" file that has faked your email address as the return address. Some
servers will return the message complete with virus, and some servers will
remove or substitute the file.

J.A. Coutts
 
jverduin

John said:
*************** REPLY SEPARATOR ***************
This is fairly common if the email has been through a server that checks for
viruses. For example, you can forward an email from our filtering service that
has been quarantined, and it will send an attachment with the same name as the
original attachment, but it has been substituted with a small text file that
says something like "Virus removed!". It can also happen if the message is a
"bounced" file that has faked your email address as the return address. Some
servers will return the message complete with virus, and some servers will
remove or substitute the file.

J.A. Coutts

What you suggest would make sense if it were a text file, it is some
sort of binary file. If it were a bounced file returned intact, then
it would seem that the file should be detected as a virus, but it is
not.

Would it be possible that the file is being "cleaned" by the sending
system, and then passed on in some sort of altered format?
Thanks,

Joel
 
John Coutts

What you suggest would make sense if it were a text file, it is some
sort of binary file. If it were a bounced file returned intact, then
it would seem that the file should be detected as a virus, but it is
not.

Would it be possible that the file is being "cleaned" by the sending
system, and then passed on in some sort of altered format?
Thanks,

Joel
************** REPLY SEPARATOR ***************
Not very likely, as it is too much work for a server to do routinely. You can
sometimes get a clue as to what it is by loading it into NotePad, which is a
safe operation because NotePad does not support scripting. If you find the
sentence "This program cannot be run in DOS mode.", then it is an executable.

J.A. Coutts
 
jverduin

John said:
************** REPLY SEPARATOR ***************
Not very likely, as it is too much work for a server to do routinely. You can
sometimes get a clue as to what it is by loading it into NotePad, which is a
safe operation because NotePad does not support scripting. If you find the
sentence "This program cannot be run in DOS mode.", then it is an executable.

J.A. Coutts

J.A.,

The following is from an attachment received today. It is an attachment
named archive.doc.exe. These are the first couple of lines when looked
at through a text editor:

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG
1vZGUuDQ0KJAAAAAAAAABGXurlAj+EtgI/hLYCP4S2gSOKthI/hLZtII+2BD+Etm0gjrY/P4S2g
TfZtgU/hLYCP4W2Pj+EtgQckrYAP4S2xTmCtgM/hLZSaWNoAj+EtgAAAAAAAAAAAAAAAAAAAABQ
RQAATAEDAObVd0EAAAAAAAAAAOAADwELAQYAAGACAAAQAAAAkAAAoPECAACgAAAAAAMAAABAAAA
QAAAAAgAABAAAAAAAAAAEAAAAAAAAAAAQAwAAEAAAAAAAAAIAAAAAABAAABAAAAAAEAAAEAAAAA
AAABAAAAAAAAAAAAAAAKQDAwDgAAAAAAADAKQDAAAAAAAAAAAAAAAA

Hopefully, I do not look like I am nuts. If our gateway scanner (which
does a great job), does not detect a virus, our desktop product does
not detect a virus, and Symantec has examined it at their offices and
not detected a virus, then what the heck is it? Maybe I am just too
curious, and ought to move on?
 
GSV Three Minds in a Can

Bitstring <[email protected]>, from
the wonderful person (e-mail address removed) said
| Hopefully, I do not look like I am nuts. If our gateway scanner (which
| does a great job), does not detect a virus, our desktop product does
| not detect a virus, and Symantec has examined it at their offices and
| not detected a virus, then what the heck is it?

It could be practically anything. All you need to know is that you don't
want to run it. Trust me, I can compile and deliver at least a zillion
.exes, all of which ravage your system, none of which are currently
known to the virus scanner (nor would be, unless they propagate widely).

Viruses are a specific class of (rapidly spreading, self propagating)
malware. 'Del *.*', however encoded and delivered, is not a virus. You
still do not want to run it.

| Maybe I am just too
| curious, and ought to move on?

Yes.
 
Gabriele Neukam

On that special day, ([email protected]) said...
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG
1vZGUuDQ0KJAAAAAAAAABGXurlAj+EtgI/hLYCP4S2gSOKthI/hLZtII+2BD+Etm0gjrY/P4S2g
TfZtgU/hLYCP4W2Pj+EtgQckrYAP4S2xTmCtgM/hLZSaWNoAj+EtgAAAAAAAAAAAAAAAAAAAABQ
RQAATAEDAObVd0EAAAAAAAAAAOAADwELAQYAAGACAAAQAAAAkAAAoPECAACgAAAAAAMAAABAAAA
QAAAAAgAABAAAAAAAAAAEAAAAAAAAAAAQAwAAEAAAAAAAAAIAAAAAABAAABAAAAAAEAAAEAAAAA
AAABAAAAAAAAAAAAAAAKQDAwDgAAAAAAADAKQDAAAAAAAAAAAAAAAA

This is base64 code, which means the executable was transformed into a
7-bit code, a very common method to transfer files with unusual
characters by mail, and keep the characters from being munged.

Unusual characters are a hint that an executable might be in the
attachment.

I decoded the base64 to
MZ   ?? ? @ à º ?
Í!?LÍ!This program cannot be run in DOS mode.
$ F^êå??¶??¶??¶#¦¶??¶m ¶??¶m ´¶???¶7Ù¶??¶??¶>??¶?¶ ?
?¶Å9?¶??¶Rich??¶ PE L æÕwA à 
 `   ñ    @       
     ? à  ?

It *is* an executable. Not even an archive, but a plain exe file.


Gabriele Neukam

(e-mail address removed)
 
Roger Wilco

John Coutts said:
************** REPLY SEPARATER ***************
Not very likely, as it is too much work for a server to do routinely. You can
sometimes get a clue as to what it is by loading it into NotePad, which is a
safe operation because NotePad does not support scripting. If you find the
sentence "This program cannot be run in DOS mode.", then it is an
executable.

True, but it should be mentioned that the absence of that string does
not mean that it is not an executable. What percentage of malware
programs actually include this DOS stub I wonder?
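Gabriele Neukam's decode above recovers the "MZ" header and the DOS stub text; Roger Wilco's caveat is that a packer or a custom linker stub can leave that text out. The script below is an added example, not code posted by anyone in this thread: it decodes the base64 fragment jverduin pasted (archive.doc.exe, header only) and decides "executable" from the structure, following the e_lfanew field at offset 0x3C to the "PE\0\0" signature and the COFF file header, instead of searching for the stub string. It also runs the same check over a constructed variant with the stub message blanked out to show the header walk still fires. Function and key names are my own.

```python
"""Tell whether a base64-encoded attachment is a Windows PE executable by
walking its headers rather than grepping for the DOS stub message.

Added example for this thread; not code posted by any participant.
"""
import base64
import struct
import time

# Header fragment of archive.doc.exe exactly as pasted by jverduin above.
# It is only the first few hundred bytes (DOS header, stub, Rich header,
# start of the PE header), nowhere near a complete program.
POSTED_B64 = """
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG
1vZGUuDQ0KJAAAAAAAAABGXurlAj+EtgI/hLYCP4S2gSOKthI/hLZtII+2BD+Etm0gjrY/P4S2g
TfZtgU/hLYCP4W2Pj+EtgQckrYAP4S2xTmCtgM/hLZSaWNoAj+EtgAAAAAAAAAAAAAAAAAAAABQ
RQAATAEDAObVd0EAAAAAAAAAAOAADwELAQYAAGACAAAQAAAAkAAAoPECAACgAAAAAAMAAABAAAA
QAAAAAgAABAAAAAAAAAAEAAAAAAAAAAAQAwAAEAAAAAAAAAIAAAAAABAAABAAAAAAEAAAEAAAAA
AAABAAAAAAAAAAAAAAAKQDAwDgAAAAAAADAKQDAAAAAAAAAAAAAAAA
"""

DOS_STUB_MESSAGE = b"This program cannot be run in DOS mode."
IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}


def decode_fragment(text: str) -> bytes:
    """Decode base64 copied out of a mail body: drop the line wrapping and
    restore the '=' padding that a pasted fragment usually lacks."""
    s = "".join(text.split())
    if len(s) % 4 == 1:      # a lone trailing sextet cannot encode a byte
        s = s[:-1]
    return base64.b64decode(s + "=" * (-len(s) % 4))


def inspect_pe(data: bytes) -> dict:
    """Walk MZ -> e_lfanew (offset 0x3C) -> "PE\\0\\0" -> COFF file header.

    The verdict is "pe-executable" whenever that chain is intact, whether
    or not the stub carries the familiar message."""
    info = {
        "mz": data[:2] == b"MZ",
        "dos_stub_message": DOS_STUB_MESSAGE in data,
        "pe": False,
        "verdict": "not-an-mz-file",
    }
    if not info["mz"]:
        return info
    info["verdict"] = "mz-header-truncated"
    if len(data) < 0x40:
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    info["e_lfanew"] = e_lfanew
    if e_lfanew + 4 > len(data):            # fragment ends before the PE header
        return info
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        info["verdict"] = "mz-without-pe-signature"   # a real DOS program, or damaged
        return info
    info["pe"] = True
    info["verdict"] = "pe-executable"
    if e_lfanew + 26 > len(data):           # need the COFF header plus optional magic
        return info
    (machine, sections, timestamp, _symtab, _nsyms,
     opt_size, characteristics, opt_magic) = struct.unpack_from(
        "<HHIIIHHH", data, e_lfanew + 4)
    info.update(
        machine=machine,
        machine_name=MACHINE_NAMES.get(machine, hex(machine)),
        sections=sections,
        timestamp=timestamp,
        link_date=time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(timestamp)),
        optional_header_size=opt_size,
        characteristics=characteristics,
        dll=bool(characteristics & IMAGE_FILE_DLL),
        pe32_plus=(opt_magic == 0x20B),
    )
    return info


def without_dos_stub_message(data: bytes) -> bytes:
    """Constructed variant: blank the stub text the way a packer or custom
    linker stub might, so a string search fails while the header walk does not."""
    return data.replace(DOS_STUB_MESSAGE, b"\0" * len(DOS_STUB_MESSAGE))


def classify_posted_fragment() -> dict:
    return inspect_pe(decode_fragment(POSTED_B64))


if __name__ == "__main__":
    for key, value in classify_posted_fragment().items():
        print(f"{key:22} {value}")
    blanked = inspect_pe(without_dos_stub_message(decode_fragment(POSTED_B64)))
    print("stub message present:", blanked["dos_stub_message"], "->", blanked["verdict"])
```

Run as-is, it reports the posted fragment as a 32-bit i386 PE with three sections and a 2004 link timestamp, and the same verdict for the variant with the stub message zeroed. The string search is still a useful quick hint in Notepad, as John Coutts says; the header walk is what to rely on when the string is absent.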
 
