Welcome to Orange Frog Productions Scams, Shams & Flim-Flams Section

Malware Email Example #003 (Virus Found in Picture)

Please be sure to read my Malware Home Page


Things I Did, Below

I, personally, receive email in HTML format. The following is shown as I received it (and as it looked).

  • I removed my email addresses. These came to various accounts and some no longer exist. There are places on this site you can get hold of me if you wish or need to. They are protected from spambots using JavaScript, but all you have to do is click on them.
  • All scammer and related email addresses, and any actual website links have been changed, at least putting spaces into them. They appear as underlined blue links, though they aren't.
  • Any notes I added in the actual letter are in square brackets ("[" "]"), are bold, red in color, and highlighted. If what I found "behind the links" (email or website) is different from what was displayed, I will include it in this type of note.
  • All spelling, spacing, line-wrapping, and punctuation errors are the ones that appeared in the original received email. (I may or may not analyze some or all of these.)

Malware Email Example 003
Received 10/21/2006 (!!! TWO in ONE DAY! See above (001c))

Norton caught this one before I received it.

Subject: Virus Found in message "picture"

Symantec AntiVirus found a virus in an attachment from den <den.clark @ elamex.com>.

Attachment:  text.zip
Threat: W32.Stration.CX@mm
Action taken:  Quarantine succeeded
File status:  Infected

The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment


[NOTE: The original subject was "picture". The original "message" was the last paragraph ("The message cannot be... attachment"). Norton's prefix almost confused me on that!

I left names, email addresses, and phone numbers in here for the search engines to find. DO NOT TRY TO CONTACT THEM! They sent a virus! -LE]

This email included an attached .ZIP (WinZip File), SUPPOSEDLY containing the "binary attachment".

Example Email 003 Headers (AFTER NORTON)
10/21/2006

If you're not interested in the technical aspect of the headers, skip to Example 003 Notes

Return-path: <den.clark @ elamex.com>
Received: from mta3.manage.insightcom.com ([172.31.249.156])
by msb2.manage.insightcom.com
(Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
with ESMTP id <0J7I006KV8M231C0 @ msb2.manage.insightcom.com> for
my email address; Sat, 21 Oct 2006 17:20:26 -0400 (EDT)
Received: from asav07.insightbb.com ([172.31.249.123])
by mta3.manage.insightcom.com
(Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
with ESMTP id <0J7I005LX8M1LU62 @ mta3.manage.insightcom.com> for
my email address (ORCPT my email address); Sat,
21 Oct 2006 17:20:26 -0400 (EDT)
Received: from dslc-082-082-115-163.pools.arcor-ip.net (HELO Greisner-2)
([82.82.115.163]) by asav07.insightbb.com with SMTP; Sat,
21 Oct 2006 05:17:02 -0400
Received: (qmail 1405 invoked by uid 0); Sat, 21 Oct 2006 11:16:44 -0000)
Received: from unknown (HELO qci) (192.168.2.6) by 192.168.2.100 with SMTP;
Sat, 21 Oct 2006 11:16:44 +0000
Date: Sat, 21 Oct 2006 11:10:44 +0200
From: den <den.clark @ elamex.com>
Subject: Virus Found in message "picture"
To: my email address
Message-id: <5aodcu$90ncbd @ asav07.manage.insightbb.com>
MIME-version: 1.0
Content-type: multipart/mixed; boundary=-----------D74B3362F71FC629
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ao8CmbGBOUVSUnOjXWdsb2JhbACLOQFdLIEj
X-IronPort-AV: i="4.09,337,1157342400";
d="scr'96,83?zip'96,83,48?scan'96,83,48,48,208,83,96";
a="302756205:sNHT80504928"
X-IronPort-AV: i="4.09,338,1157342400";
d="scr'96,83?zip'96,83,48?scan'96,83,48,48,208,83,96";
a="302756205:sNHT79174764"
Original-recipient: rfc822;my email address

-------------D74B3362F71FC629
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: base64

U3ltYW50ZWMgQW50aVZpcnVzIGZvdW5kIGEgdmlydXMgaW4gYW4gYXR0YWNobWVudCBmcm9t
IGRlbiA8ZGVuLmNsYXJrQGVsYW1leC5jb20+Lg0KDQoNCkF0dGFjaG1lbnQ6ICB0ZXh0Lnpp
cA0KVGhyZWF0OiBXMzIuU3RyYXRpb24uQ1hAbW0NCkFjdGlvbiB0YWtlbjogIFF1YXJhbnRp
bmUgc3VjY2VlZGVkDQpGaWxlIHN0YXR1czogIEluZmVjdGVkDQoNCg0KVGhlIG1lc3NhZ2Ug
Y2Fubm90IGJlIHJlcHJlc2VudGVkIGluIDctYml0IEFTQ0lJIGVuY29kaW5nDQphbmQgaGFz
IGJlZW4gc2VudCBhcyBhIGJpbmFyeSBhdHRhY2htZW50

-------------D74B3362F71FC629
Content-Type: APPLICATION/OCTET-STREAM; name="text.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="text.zip"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==

-------------D74B3362F71FC629--


[NOTE: I left names, email addresses, and phone numbers in here for the search engines to find. DO NOT TRY TO CONTACT THEM! They sent a virus! The shrunken section is apparently what Norton placed or left in my email. -LE]

Notes

  • I have absolutely NO CLUE who den.clark @ elamex.com is. The address is NOT in my email address list.
  • It's not a TEXT or EMAIL file that was returned, but a ZIP file (WinZip Compressed file, named text.zip).
  • Being from someone I don't know, and an executable, I WILL NOT OPEN IT.

I, personally, would normally LOOK at a zip file, but I have faith in my virus scanning software, and would probably NOT open the file inside the zip. Please, DON'T TRY THIS AT HOME!
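The headers above and the notes about the attachment can be checked mechanically. The script below is an added example, not code from Orange Frog Productions: it rebuilds the message from the page (Received headers abridged and re-folded, the MIME boundary quoted, the author's space-mangled addresses left as they appear), walks the Received chain newest-first to find the first hop with a public source address (the point where the message entered the ISP's mail system; everything older was written by the sender's own machine and cannot be verified), decodes Norton's base64 notice, and checks what the quarantined "text.zip" actually contains. Only the Python standard library is used.

```python
"""Triage of the quarantined "picture" message (added example, not the site's code)."""
import email
import io
import ipaddress
import re
import zipfile

BOUNDARY = "-" * 11 + "D74B3362F71FC629"  # boundary value from the Content-type header

# Constructed sample: transcribed from the page, Received lines abridged and re-folded.
RAW_MESSAGE = f"""Received: from mta3.manage.insightcom.com ([172.31.249.156])
 by msb2.manage.insightcom.com with ESMTP id <0J7I006KV8M231C0 @ msb2.manage.insightcom.com>
 for my email address; Sat, 21 Oct 2006 17:20:26 -0400 (EDT)
Received: from asav07.insightbb.com ([172.31.249.123]) by mta3.manage.insightcom.com
 with ESMTP id <0J7I005LX8M1LU62 @ mta3.manage.insightcom.com>; Sat, 21 Oct 2006 17:20:26 -0400 (EDT)
Received: from dslc-082-082-115-163.pools.arcor-ip.net (HELO Greisner-2) ([82.82.115.163])
 by asav07.insightbb.com with SMTP; Sat, 21 Oct 2006 05:17:02 -0400
Received: (qmail 1405 invoked by uid 0); Sat, 21 Oct 2006 11:16:44 -0000)
Received: from unknown (HELO qci) (192.168.2.6) by 192.168.2.100 with SMTP; Sat, 21 Oct 2006 11:16:44 +0000
Date: Sat, 21 Oct 2006 11:10:44 +0200
From: den <den.clark @ elamex.com>
Subject: Virus Found in message "picture"
Content-type: multipart/mixed; boundary="{BOUNDARY}"

--{BOUNDARY}
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: base64

U3ltYW50ZWMgQW50aVZpcnVzIGZvdW5kIGEgdmlydXMgaW4gYW4gYXR0YWNobWVudCBmcm9t
IGRlbiA8ZGVuLmNsYXJrQGVsYW1leC5jb20+Lg0KDQoNCkF0dGFjaG1lbnQ6ICB0ZXh0Lnpp
cA0KVGhyZWF0OiBXMzIuU3RyYXRpb24uQ1hAbW0NCkFjdGlvbiB0YWtlbjogIFF1YXJhbnRp
bmUgc3VjY2VlZGVkDQpGaWxlIHN0YXR1czogIEluZmVjdGVkDQoNCg0KVGhlIG1lc3NhZ2Ug
Y2Fubm90IGJlIHJlcHJlc2VudGVkIGluIDctYml0IEFTQ0lJIGVuY29kaW5nDQphbmQgaGFz
IGJlZW4gc2VudCBhcyBhIGJpbmFyeSBhdHRhY2htZW50

--{BOUNDARY}
Content-Type: APPLICATION/OCTET-STREAM; name="text.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="text.zip"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==

--{BOUNDARY}--
"""

HOP_RE = re.compile(
    r"from\s+(?P<claimed>\S+)"                          # name/rDNS of the sending host
    r"(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?"               # HELO string, if the MTA logged it
    r"\s+\(?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)?"   # address the MTA actually saw
    r".*?\bby\s+(?P<by>\S+)"                            # host that wrote this header
)


def parse_received(value):
    """Unfold one Received header and pull out who sent it, from where, and who logged it."""
    text = " ".join(value.split())
    match = HOP_RE.search(text)
    hop = match.groupdict() if match else {"claimed": None, "helo": None, "ip": None, "by": None}
    hop["raw"] = text
    return hop


def received_chain(msg):
    """Each relay prepends its own Received line, so reverse them to get travel order (oldest first)."""
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def entry_point(hops):
    """Newest-first, the first hop with a public source address is where the message
    crossed from the Internet into the receiving side; older hops are sender-supplied."""
    for hop in reversed(hops):
        if hop["ip"] and not ipaddress.ip_address(hop["ip"]).is_private:
            return hop
    return None


def inspect_attachment(part):
    """Report size and, for a ZIP, the member list without extracting anything."""
    data = part.get_payload(decode=True)
    info = {"filename": part.get_filename(), "size": len(data),
            "is_zip": zipfile.is_zipfile(io.BytesIO(data)), "members": None}
    if info["is_zip"]:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            info["members"] = [m.filename for m in archive.infolist()]
    return info


def triage(raw):
    msg = email.message_from_string(raw)
    hops = received_chain(msg)
    entry = entry_point(hops)
    report = {"subject": msg["Subject"], "from": msg["From"], "hops": hops, "entry": entry,
              "unverifiable": hops[:hops.index(entry)] if entry else hops,
              "scanner_text": "", "attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            report["attachments"].append(inspect_attachment(part))
        elif part.get_content_type() == "text/plain":
            report["scanner_text"] = part.get_payload(decode=True).decode("ascii", "replace")
    return report


if __name__ == "__main__":
    r = triage(RAW_MESSAGE)
    e = r["entry"]
    print(f"Entered ISP from {e['ip']} (rDNS {e['claimed']}, HELO {e['helo']}) at {e['by']}")
    print(f"Sender-supplied hops that cannot be verified: {len(r['unverifiable'])}")
    for a in r["attachments"]:
        print(f"{a['filename']}: {a['size']} bytes, zip={a['is_zip']}, members={a['members']}")
    print(r["scanner_text"])
```

Running it shows the message entering the ISP at asav07.insightbb.com from 82.82.115.163, a German dial-up pool address presenting the HELO name "Greisner-2", with the two qmail/192.168.x lines below it unverifiable. The decoded text part is Norton's own notice, and the 22-byte "text.zip" that Norton left behind is an empty ZIP (just an end-of-central-directory record), so there is nothing inside it to open.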





Copyright © 2003, 2004, 2005, 2006, 2007 by Bill Sanders / Full site last modified: October 21, 2006
Any reproduction, printing, or selling of this content is prohibited without express written consent from William D. Sanders.