HP3000-L Archives

February 2003, Week 3

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Denys Beauchemin <[log in to unmask]>
Reply To:
Date: Mon, 17 Feb 2003 08:09:51 -0600
Content-Type: text/plain
Parts/Attachments: text/plain (58 lines)

The present discussions are all nice and interesting but this morning, I
came across something I have not seen before.  Perhaps I have simply missed
it in the past, but this seems new to me.

In my LookOut 2000 mail client I have installed several dozen rules to
filter out the large amount of spam I receive.  One of the final rules is
that if the message in question has an attachment and does not come from
several known sources, it gets moved to the SPAM folder, where it joins
others that are filtered out according to other rules.

We also use Norton Anti-Virus here and the definitions are current.

So this morning, I am going through my spam folder to rescue any message
that may have landed there by mistake, an increasingly rare occurrence as my
rules steadily improve.  I noticed a message from
[log in to unmask] with the subject line of Delivery failure.
The message has an attachment, which is why it landed in the spam folder.
This looked rather strange, so I sent the message to a text file and opened
it.  The body of the message is innocuous.  It reads as follows:

"Hi. This is the mailer-daemon. All the detailed information is in the
attachmet.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out."

Not exactly a message that I would classify as something a company would
have set in their mailer-daemon.  The spelling mistake, the very familiar
terms used and the lack of any corporate identity point to some sort of
bogus message.  The invitation to read the "attachmet" is also very
suspicious.

So I opened the message in LookOut and saw that it had an HTA file called
error.hta.  The HTA extension is an HTML application.  Why would a mailer
daemon send an HTML application attachment as part of a delivery failure
message?  So I saved the file to a text file on my desktop and opened it with
Notepad.

Well, let me tell you, this is very revealing.

The file is a JavaScript that loads a few thousand hex values into a file
called c:\program files\uliuli.exe after fiddling with the values on my one.
At the end of the script, it launches the newly created VBS program.  The
rest of the file contains what may appear as a valid delivery failure,
except for a few things.  The intended recipient is me, and the date of the
message is February 14, 2002, over a year ago.

Pretty sneaky.  I wonder what the VBS program does.  I am not going to test
it.

If anyone is interested I can send them the text file of the attachment.

My question is this: is this something new in the on-going virus wars?

Denys
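The two checks Denys describes, "has an attachment and is not from a known sender" plus "a bounce that carries a script file instead of delivery-status data", are easy to turn into a mail-filter classifier. The following is an added example written for this archive page, not code from the original post: it inspects a raw RFC 822 message with Python's standard `email` package and returns the reasons it would route the message to a SPAM folder. The trusted-sender list, the two sample messages and the fake `error.hta` body (which only contains the indicator strings and a run of hex digits, not a working script) are constructed placeholders.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types a genuine mailer-daemon bounce never carries; a real
# non-delivery report uses message/delivery-status, not a script or binary.
RISKY_EXTENSIONS = {".hta", ".vbs", ".vbe", ".js", ".jse", ".exe",
                    ".scr", ".pif", ".bat", ".cmd", ".com"}

# The "several known sources" allowed to send attachments (constructed value).
TRUSTED_SENDERS = {"colleague@example.com"}

# Content indicators: a long run of hex digits (an embedded binary written out
# by the script) and the objects a script needs to touch the file system or
# start a process.
HEX_BLOB = re.compile(r"(?:[0-9A-Fa-f]{2}){64,}")
SCRIPT_INDICATORS = ("ActiveXObject", "Scripting.FileSystemObject", "WScript.Shell")


def inspect_attachment(part) -> list:
    """Return the reasons one attachment looks like a dropper (empty if none)."""
    reasons = []
    name = part.get_filename() or ""
    ext = os.path.splitext(name)[1].lower()
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"risky_extension:{ext}")
    payload = part.get_payload(decode=True) or b""   # base64/QP already undone
    text = payload.decode("latin-1", errors="replace")
    if HEX_BLOB.search(text):
        reasons.append("hex_blob")
    if any(ind in text for ind in SCRIPT_INDICATORS):
        reasons.append("script_indicators")
    return reasons


def classify(raw: bytes) -> dict:
    """Classify a raw message: 'spam' with reasons, or 'deliver' with none."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    subject = str(msg.get("Subject", "")).lower()
    attachments = list(msg.iter_attachments())
    reasons = []
    # Rule 1: any attachment from a sender outside the allow-list.
    if attachments and sender not in TRUSTED_SENDERS:
        reasons.append("attachment_from_untrusted_sender")
    for part in attachments:
        reasons.extend(inspect_attachment(part))
        # Rule 2: a "delivery failure" whose attachment is not a delivery-status part.
        if "deliver" in subject and part.get_content_type() != "message/delivery-status":
            reasons.append("bounce_with_non_dsn_attachment")
    return {"verdict": "spam" if reasons else "deliver", "reasons": reasons}


def build_sample(sender: str, subject: str, filename: str, content, **kwargs) -> bytes:
    """Build a constructed test message with one attachment and return it as bytes."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("Hi. This is the mailer-daemon. All the detailed information "
                  "is in the attachmet.")
    m.add_attachment(content, filename=filename, **kwargs)
    return m.as_bytes()


# Constructed fake HTA: carries the indicator strings and a hex run only; it
# does nothing if opened, and stands in for the real attachment in the post.
FAKE_HTA = ('<script>var o = new ActiveXObject("Scripting.FileSystemObject");'
            'var blob = "' + "4142" * 80 + '";</script>').encode()

SUSPICIOUS = build_sample("mailer-daemon@example.net", "Delivery failure",
                          "error.hta", FAKE_HTA, maintype="application", subtype="hta")
CLEAN = build_sample("colleague@example.com", "Notes", "notes.txt",
                     "meeting at 10")   # str content defaults to text/plain

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, classify(raw))
```

The extension check alone would have caught this sample, but the content heuristics matter for the case the post worries about: a dropper renamed to an extension that the filter does not list. The hex-run threshold (64 byte pairs) is deliberately low so that a payload split across several string literals still trips it at least once.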

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
