On Monday 17 February 2003 6:09 am, Denys Beauchemin wrote:
> this morning, I came across something I have not seen before. ...
> So this morning, I am going through my spam folder to rescue any message
> that may have landed there by mistake, ... I noticed a message from
> [log in to unmask] with the subject line of Delivery failure.
...
> "Hi. This is the mailer-daemon. All the detailed information is in the
> attachmet.
> I'm afraid I wasn't able to deliver your message to the following
> addresses. This is a permanent error; I've given up. Sorry it didn't work
> out."
>
> Not exactly a message that I would classify as something a company would
> have set in their mailer-daemon.
SPAM notwithstanding, usually it would be YOUR own mailer [actually, your
ISP's] that generates messages like this, and I think the "sorry it didn't
work out" actually appears as the default text for one of them out there (I
know I've seen it on legit bounces).
> The spelling mistake, the very familiar
> terms used and the lack of any corporate identity point to some sort of
> bogus message. The invitation to read the "attachmet" is also very
> suspicious.
true true true -- usually the bounce message is inline, or at the very least
it should be "text/plain" for a MIME type and most e-mail clients will
display it even though it qualifies as an "attachment" [or attachmet]
> So I opened the message in LookOut and saw that it had an HTA file called
> error.hta. The HTA extension is an HTML application. Why would a mailer
> daemon send HTML application attachment as part of a delivery failure
> message.
Insidious indeed -- I think this may have been spawned by a recent slashdot
article on someone who got a few "angry letters" because his e-mail was
randomly inserted as the "reply-to" address -- I've had a few like that, I've
basically ignored them and I don't think I've gotten any "why are you
spamming me?" type messages. I think some spammers "caught a clue" that
bounce messages tend to get past filters [though obviously not in your case,
OTOH, you DID check on it manually...] so they are trying that angle to get
their ad in front of your eyeballs.
> So I saved the file to a text file on my desktop and opened it
> with notepad.... The file is a java script that loads a few thousand hex
> values into a file called c:\program files\uliuli.exe [then] launches the
> newly created VBS program.
hmm... VBS programs don't usually have .exe extensions -- tell me, do the "hex
values" appear to be mostly in the "printable ASCII" range, as in "just
text"? I'm guessing that the VB program is a known/viral program that would
be trapped by any number of anti-virus programs, so it has been "obfuscated"
so that the scanners won't recognize it [in effect, the java program is an
encrypted program loader...]
> If anyone is interested I can send them the text file of the attachment.
Sure, I'll take a look at it (I'm running linux, so even if it is "malicious"
VB code, it simply won't execute on my machine because it IS microsoft code
:) ) If the majority of "codes" poked into the file appear to be letters and
symbols, you might even hack up the java routine to simply put the bytes into
a file, but then not execute it [and, of course, change the extension so
DOS/windows doesn't try to execute it if you accidentally click on it later]
> My question is this, is this something new in the on-going virus wars?
I'm guessing "yes, it's new" from the description you've given so far, and the
recent slashdot article (see below) points this out as "likely".
http://yro.slashdot.org/article.pl?sid=03/02/12/1730219&mode=thread&tid=111
--
Yet another Blog: http://osnut.homelinux.net
* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
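Added example (not part of the thread above, and not anyone's posted code): a small Python filter written from the defender's side of the point made in the reply, namely that a genuine bounce carries its report inline as text/plain (or as a multipart/report with a message/delivery-status part) and never as an HTML application. It parses a message with the standard library's `email` package, decides from the headers whether the message claims to be a delivery report, and flags any part whose filename would execute if double-clicked. The two sample messages are constructed here to mimic the thread's description (the `example.invalid` addresses are placeholders), and the extension list is this example's own choice, not something the thread gives.

```python
"""Flag 'delivery failure' messages that carry active-content attachments.

Added example, not code from the original mailing-list thread. The sample
messages below are constructed to resemble the message described there; the
extension list and the header heuristics are this example's own assumptions.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Files Windows will run directly when opened. A real bounce never needs to
# ship one of these: its report is plain text or a message/delivery-status part.
ACTIVE_CONTENT_EXT = {".hta", ".exe", ".vbs", ".vbe", ".js", ".jse", ".scr",
                      ".pif", ".bat", ".cmd", ".com", ".wsf"}

# Subject fragments commonly used by real MTAs for non-delivery reports.
BOUNCE_SUBJECT_WORDS = ("delivery failure", "undeliverable", "returned mail",
                        "delivery status notification")


def looks_like_bounce(msg) -> bool:
    """True if the headers claim this is a mailer-daemon / delivery report."""
    sender = (msg.get("From") or "").lower()
    subject = (msg.get("Subject") or "").lower()
    return ("mailer-daemon" in sender or "postmaster" in sender
            or any(w in subject for w in BOUNCE_SUBJECT_WORDS)
            or msg.get_content_type() == "multipart/report")


def suspicious_attachments(msg) -> list:
    """Return filenames of leaf parts whose extension is directly executable."""
    found = []
    for part in msg.walk():
        if part.is_multipart():        # containers (and delivery-status) hold no file
            continue
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in ACTIVE_CONTENT_EXT:
            found.append(name)
    return found


def classify(raw: bytes) -> dict:
    """Parse raw RFC 5322 bytes and return a verdict plus the flagged parts."""
    msg = message_from_bytes(raw, policy=policy.default)
    bounce = looks_like_bounce(msg)
    bad = suspicious_attachments(msg)
    if bounce and bad:
        verdict = "fake-bounce"        # claims to be a report, but carries code
    elif bounce:
        verdict = "bounce"
    else:
        verdict = "other"
    return {"bounce": bounce, "attachments": bad, "verdict": verdict}


def build_fake_bounce() -> bytes:
    """Constructed sample shaped like the message described in the thread."""
    m = EmailMessage()
    m["From"] = "MAILER-DAEMON@example.invalid"   # placeholder domain
    m["To"] = "user@example.invalid"
    m["Subject"] = "Delivery failure"
    m.set_content("Hi. This is the mailer-daemon. All the detailed information "
                  "is in the attachmet.")
    # Inert stand-in payload; only the filename matters to the check.
    m.add_attachment(b"<html><!-- constructed placeholder, no script --></html>",
                     maintype="application", subtype="octet-stream",
                     filename="error.hta")
    return bytes(m)


# Constructed RFC 3464-style report: failure details inline, nothing executable.
REAL_BOUNCE = b"""From: MAILER-DAEMON@example.invalid
To: user@example.invalid
Subject: Returned mail: User unknown
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The original message was received at Mon, 17 Feb 2003 06:09:00 -0500
550 <nobody@example.invalid>... User unknown
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.invalid

Final-Recipient: rfc822; nobody@example.invalid
Action: failed
Status: 5.1.1
--b1--
"""


if __name__ == "__main__":
    for label, raw in (("fake", build_fake_bounce()), ("real", REAL_BOUNCE)):
        print(label, classify(raw))
```

Running the file prints a `fake-bounce` verdict naming `error.hta` for the constructed lookalike and a plain `bounce` verdict for the RFC 3464 report. The filename check is deliberately independent of the declared MIME type, since the lookalike declares its payload as `application/octet-stream`, which is exactly what a filter keyed only on `text/html` or `application/hta` would miss.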