Welcome to Orange Frog Productions Scams, Shams & Flim-Flams Section

Malware Email Example #001 (Mail server report.)

Please be sure to read my Malware Home Page

NOTE: This page Under Construction/Conversion
This page has not been completely converted to OFPv2 Standards.
When this is completed, this paragraph will go away.
Meanwhile, all external links on this page open a new window.

Things I Did, Below

I, personally, receive email in HTML format. The following is shown the way I received it (and the way it looked).

  • I removed my email addresses. These came to various accounts and some no longer exist. There are places on this site you can get hold of me if you wish or need to. They are protected from spambots using JavaScript, but all you have to do is click on them.
  • All scammer and related email addresses, and any actual website links have been changed, at least putting spaces into them. They appear as underlined blue links, though they aren't.
  • Any notes I added in the actual letter are in square brackets ("[" "]"), are bold, red in color, and highlighted. If what I found "behind the links" (email or website) is different from what was displayed, I will include it in this type of note.
  • All spelling, spacing, line-wrapping, and punctuation errors are the ones that appeared in the original received email. (I may or may not analyze some or all of these.)

Malware Email Example 001
Received 09/26/2006 (a), 10/18/2006 (b), 10/21/2006 (c)

Subject: Mail server report.

Mail server report.

Our firewall determined the e-mails containing worm copies are being sent from your computer.

Nowadays it happens from many computers, because this is a new virus type (Network Worms).

Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail
addresses

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service


[NOTE: I left names, email addresses, and phone numbers in here for the search engines to find. DO NOT TRY TO CONTACT THEM! They sent a virus! -LE]

This email included an attached .EXE (executable program/file), SUPPOSEDLY containing "updates".

Example Email 001a Headers
09/26/2006

If you're not interested in the technical aspect of the headers, skip to Example 001c

Return-path: <secur @ megaman.com>
Received: from mta1.manage.insightcom.com ([172.31.249.152])
by msb2.manage.insightcom.com
(Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
with ESMTP id <0J6400JRSII5VJ50@msb2.manage.insightcom.com> for
my email address; Sun, 24 Sep 2006 20:54:05 -0400 (EDT)
Received: from asav12.insightbb.com ([172.31.249.123])
by mta1.manage.insightcom.com
(Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
with ESMTP id <0J640090QIHRJTG1 @ mta1.manage.insightcom.com> for
my email address (ORCPT my email address); Sun,
24 Sep 2006 20:54:05 -0400 (EDT)
Received: from dhcp-74-131-55-207.insightbb.com (HELO home) ([74.131.55.207])
by asav12.insightbb.com with SMTP; Sun, 24 Sep 2006 20:53:37 -0400
Received: (qmail 3656 invoked by uid 0); Sun, 24 Sep 2006 20:51:29 -0000)
Received: from unknown (HELO pgpxfvrgy) (74.131.55.227)
by 74.131.55.207 with SMTP; Sun, 24 Sep 2006 20:51:29 +0000
Date: Sun, 24 Sep 2006 20:46:29 -0400
From: secur @ megaman.com
Subject: Mail server report.
To: my email address
Message-id: <5ag45e$2vv6p6 @ asav12.manage.insightbb.com>
MIME-version: 1.0
Content-type: multipart/mixed; boundary=-----------2E20FAE0127705B9
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AesRMyjDFkU9ikBpLIEg
X-IronPort-AV: i="4.09,210,1157342400"; d="exe'96,86?scan'96,86,208,96,86";
a="100637478:sNHT2973657294"
Original-recipient: rfc822;my email address

-------------2E20FAE0127705B9
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

See email text, above.

-------------2E20FAE0127705B9
Content-Type: APPLICATION/OCTET-STREAM; name="Update-KB5843-x86.exe"
Content-transfer-encoding: base64
Content-Disposition: attachment; filename="Update-KB5843-x86.exe"

Large block of random-looking letters (this would be the actual executable program) removed.

-------------2E20FAE0127705B9--



Example Email 001b Headers
10/18/2006

Return-path: <sec @ vieng.com>
Received: from mta1.manage.insightcom.com ([172.31.249.152])
by msb2.manage.insightcom.com
(Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
with ESMTP id <0J7D0002F0HXRVG0 @ msb2.manage.insightcom.com> for
my email address; Wed, 18 Oct 2006 21:37:09 -0400 (EDT)
Received: from asav01.insightbb.com ([172.31.249.123])
by mta1.manage.insightcom.com
(Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
with ESMTP id <0J7D00BPZ0HWHQ82 @ mta1.manage.insightcom.com> for
my email address (ORCPT my email address); Wed,
18 Oct 2006 21:37:09 -0400 (EDT)
Received: from igld-83-130-67-89.inter.net.il (HELO gal) ([83.130.67.89])
by asav01.insightbb.com with SMTP; Wed, 18 Oct 2006 21:36:58 -0400
Received: (qmail 1822 invoked by uid 0); Thu, 19 Oct 2006 03:36:00 -0000)
Received: from unknown (HELO jvtdxxvuvjt) (192.168.2.244)
by 192.168.2.100 with SMTP; Thu, 19 Oct 2006 03:36:00 +0000
Date: Thu, 19 Oct 2006 03:28:00 +0200
From: sec @ vieng.com<
Subject: Mail server report.
To: my email address
Message-id: <5aqh64$bqsm0f @ asav01.manage.insightbb.com>
MIME-version: 1.0
Content-type: multipart/mixed; boundary=-----------4C63A4B67639EF76
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AR4FM/hyNkWLL2wBJYEp
X-IronPort-AV: i="4.09,326,1157342400"; d="exe'96,83?scan'96,83,208,96,83";
a="397301775:sNHT101526183"
Original-recipient: rfc822;my email address

-------------4C63A4B67639EF76
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

See email text, above.

-------------4C63A4B67639EF76
Content-Type: APPLICATION/OCTET-STREAM; name="Update-KB2312-x86.exe"
Content-transfer-encoding: base64
Content-Disposition: attachment; filename="Update-KB2312-x86.exe"

Large block of random-looking letters (this would be the actual executable program) removed.

-------------4C63A4B67639EF76--



Example Email 001c
10/21/2006

THIS one was caught by Norton. I'm not sure why the others weren't, unless Norton's definitions had just been updated. On THIS one, the email I got included Norton's change to the subject and its prefix to the message itself:

Subject: Virus Found in message "Mail server report."

Symantec AntiVirus found a virus in an attachment from secur @ fcradio.net.

Attachment: Update-KB1615-x86.exe
Threat: W32.Stration.CX@mm
Action taken: Quarantine succeeded
File status: Infected

[NOTE: What followed was the same text as the email, above.]

Example Email 001c SOURCE (AFTER NORTON)
10/21/2006

If you're not interested in the technical background of the headers, skip to Example 001 Notes

Return-path: <secur @ fcradio.net>
Received: from mta1.manage.insightcom.com ([172.31.249.152])
by msb2.manage.insightcom.com
(Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
with ESMTP id <0J7I006R08S731C0 @ msb2.manage.insightcom.com> for
my email address; Sat, 21 Oct 2006 17:24:07 -0400 (EDT)
Received: from asav02.insightbb.com ([172.31.249.123])
by mta1.manage.insightcom.com
(Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
with ESMTP id <0J7I00LFE8S1XH51 @ mta1.manage.insightcom.com> for
my email address (ORCPT my email address); Sat,
21 Oct 2006 17:24:07 -0400 (EDT)
Received: from dslc-082-082-115-163.pools.arcor-ip.net (HELO Greisner-2)
([82.82.115.163]) by asav02.insightbb.com with SMTP; Sat,
21 Oct 2006 05:20:39 -0400
Received: (qmail 2384 invoked by uid 0); Sat, 21 Oct 2006 11:20:21 -0000)
Received: from unknown (HELO vwjgvjdjjjg) (192.168.2.99)
by 192.168.2.100 with SMTP; Sat, 21 Oct 2006 11:20:21 +0000
Date: Sat, 21 Oct 2006 11:15:21 +0200
From: secur @ fcradio.net
Subject: Virus Found in message "Mail server report."
To: my email address
Message-id: <5aqesq$bgnj9a @ asav02.manage.insightbb.com>
MIME-version: 1.0
Content-type: multipart/mixed; boundary=-----------2F9D6F5DF1AE31A6
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ao8CmaaCOUVSUnOjXWdsb2JhbACLKw5dLIEj
X-IronPort-AV: i="4.09,337,1157342400"; d="exe'96,83?scan'96,83,208,96,83";
a="386649386:sNHT81153864"
X-IronPort-AV: i="4.09,338,1157342400"; d="exe'96,83?scan'96,83,208,96,83";
a="386649386:sNHT86099202"
Original-recipient: rfc822;my email address

-------------2F9D6F5DF1AE31A6
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: base64

-------------2F9D6F5DF1AE31A6--


[NOTE: I left names, email addresses, and phone numbers in here for the search engines to find. DO NOT TRY TO CONTACT THEM! They sent a virus! The shrunken section is apparently what Norton placed or left in my email. -LE]

Notes

  • I have absolutely NO CLUE who secur @ megaman.com, sec @ vieng.com, or secur @ fcradio.net are. These addresses are NOT in my email address list.
  • It's not a TEXT or EMAIL file that was returned, but an EXE (executable program), named Update-KB5843-x86.exe, Update-KB2312-x86.exe, and Update-KB1615-x86.exe, respectively.
  • Being from someone I don't know, and an executable, I WILL NOT OPEN IT.
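The header sections for Examples 001a to 001c and the three notes above amount to checks a mail filter can run mechanically: walk the Received chain back to the hop that injected the message, compare the claimed sender domain with that hop, check that each relay's "by" host is the next hop's "from" host, and pull any attachment that is an executable by name or by its first two bytes. The script below is an added example written for this page, not the author's code and not any mail product's logic. The message it parses is reconstructed from the Example 001a headers above with the recipient replaced by a placeholder address, the relay software strings dropped, and the attachment body replaced by a harmless stub (the two-byte "MZ" executable magic plus zero padding); the helper names are my own.

```python
"""Triage a "Mail server report." style message: Received chain, sender
domain vs. origin hop, and executable attachments. Added example; the
sample message is reconstructed from the page's Example 001a headers."""
import base64
import re
from email import message_from_string, policy

# Constructed sample modelled on Example 001a. The recipient is a placeholder
# and the base64 body is "MZ" + zero padding, not the real attachment.
BOUNDARY = "-----------2E20FAE0127705B9"
FAKE_EXE_B64 = base64.b64encode(b"MZ" + b"\x00" * 62).decode("ascii")

SAMPLE_MESSAGE = f"""Return-path: <secur@megaman.com>
Received: from mta1.manage.insightcom.com ([172.31.249.152])
 by msb2.manage.insightcom.com with ESMTP id <0J6400JRSII5VJ50@msb2.manage.insightcom.com>;
 Sun, 24 Sep 2006 20:54:05 -0400 (EDT)
Received: from asav12.insightbb.com ([172.31.249.123])
 by mta1.manage.insightcom.com with ESMTP; Sun, 24 Sep 2006 20:54:05 -0400 (EDT)
Received: from dhcp-74-131-55-207.insightbb.com (HELO home) ([74.131.55.207])
 by asav12.insightbb.com with SMTP; Sun, 24 Sep 2006 20:53:37 -0400
Received: from unknown (HELO pgpxfvrgy) (74.131.55.227)
 by 74.131.55.207 with SMTP; Sun, 24 Sep 2006 20:51:29 +0000
Date: Sun, 24 Sep 2006 20:46:29 -0400
From: secur@megaman.com
Subject: Mail server report.
To: recipient@example.invalid
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="{BOUNDARY}"

--{BOUNDARY}
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Mail server report.
Please install updates for worm elimination and your computer restoring.

--{BOUNDARY}
Content-Type: APPLICATION/OCTET-STREAM; name="Update-KB5843-x86.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Update-KB5843-x86.exe"

{FAKE_EXE_B64}
--{BOUNDARY}--
"""

# One "Received: from X (HELO Y) (ip) by Z ..." hop. Hops without a "from"
# clause (e.g. the "(qmail ... invoked by uid 0)" lines on the page) are skipped.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)"                  # name the relay recorded for the sender
    r"(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?"    # HELO string, if the relay logged it
    r".*?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"    # first IPv4 literal after that
    r".*?\bby\s+(?P<by>\S+)"                 # relay that wrote this header
)

EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".cmd")


def parse(text):
    return message_from_string(text, policy=policy.default)


def received_chain(msg):
    """Hops oldest-first as dicts with keys from/helo/ip/by.

    Relays prepend Received headers, so the last header is the first hop."""
    hops = []
    for raw in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(str(raw).split()))  # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    return list(reversed(hops))


def chain_gaps(hops):
    """Pairs where a relay's 'by' host is not the next hop's 'from' host or IP."""
    return [(a["by"], b["from"]) for a, b in zip(hops, hops[1:])
            if a["by"] not in (b["from"], b["ip"])]


def sender_domain(msg):
    addr = msg.get("Return-path") or msg.get("From") or ""
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""


def executable_attachments(msg):
    """(filename, looks_executable_by_name, has_MZ_magic) for each attachment."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        by_name = name.lower().endswith(EXEC_SUFFIXES)
        by_magic = data[:2] == b"MZ"  # DOS/PE header; survives renaming
        if by_name or by_magic:
            found.append((name, by_name, by_magic))
    return found


def assess(msg):
    """Human-readable findings; an empty list means nothing stood out."""
    findings = []
    hops = received_chain(msg)
    domain = sender_domain(msg)
    if hops:
        origin = hops[0]
        helo = origin["helo"] or ""
        if domain and domain not in origin["from"] and domain not in helo:
            findings.append(f"sender domain {domain} does not appear in the origin hop "
                            f"(from {origin['from']}, HELO {helo or '-'}, {origin['ip']})")
        if helo and "." not in helo:
            findings.append(f"origin HELO {helo!r} is not a fully qualified hostname")
    for by_host, from_host in chain_gaps(hops):
        findings.append(f"Received chain gap: {by_host} handed off to {from_host}")
    for name, by_name, by_magic in executable_attachments(msg):
        how = " and ".join(w for w, hit in (("name", by_name), ("MZ magic", by_magic)) if hit)
        findings.append(f"executable attachment {name!r} (by {how})")
        if re.match(r"update-kb\d+", name, re.IGNORECASE):
            findings.append(f"{name!r} is named like a Windows update package")
    return findings


if __name__ == "__main__":
    for line in assess(parse(SAMPLE_MESSAGE)):
        print("-", line)
```

Run against the sample, it reports that megaman.com never appears in the injecting hop, that the origin HELO is a random token rather than a hostname, and that the attachment is an executable both by its .exe name and by its MZ header, which is the same conclusion the notes reach by hand. Feed it a message from your own mailbox by replacing SAMPLE_MESSAGE with the raw source; the MZ check is what catches an attachment that has been renamed to hide the extension.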

These program names are close to the one my father received (Update-kb6312-x86.exe) a few days after I received the second one. Even though he's very computer savvy, he clicked on it to "install the updates", and then had virus problems. Apparently he hadn't updated his definitions recently.

Guess I was right, huh?

See how sneaky they can be to get you to "click the attachment"?




This site, all text and graphics (unless otherwise noted) on it
were designed, developed and published by Bill Sanders of Orange Frog Productions.

Copyright © 2003, 2004, 2005, 2006, 2007 by Bill Sanders / Full site last modified: October 21, 2006
Any reproduction, printing, or selling of this content is prohibited without express written consent from William D. Sanders.