Flutterby™! : The end is nigh


The end is nigh

2003-05-31 21:38:32.424432+02 by Shawn 4 comments

It has finally happened. Somebody has taken the recent practice of trojan horse e-mail virus/worm delivery and gotten... well, either smart or nasty - depending on your outlook (no pun intended). Today, I received a malicious payload attached to what otherwise is a virtually indistinguishable MAILER-DAEMON error response. My only clues were,

  • I'd only recently sent e-mails to known and established addresses (family, etc.), and
  • The attached "error" - which I was, of course, supposed to open - came as an HTML Application file (.hta)

See the comments for more details.

[ related topics: Microsoft virus Spam ]

comments in ascending chronological order:

#Comment made: 2003-05-31 21:48:43.690488+02 by: Shawn

This is the message I received (my information has been changed to protect me and my ISP):

Return-Path: <mailer-DAEMON@yahoo.com>
Received: from my.ispserver.com (root@localhost)
	by mydomain.net (8.11.6/8.11.6) with ESMTP id h4V2Qmf22734
	for <myemail@mydomain.net>; Fri, 30 May 2003 19:26:48 -0700
X-ClientAddr: 68.52.144.49
Received: from yahoo.com (pcp524863pcs.nash01.tn.comcast.net [68.52.144.49])
	by my.ispserver.com (8.11.6/8.11.6) with SMTP id h4V2Qlx22713
	for <myemail@mydomain.net>; Fri, 30 May 2003 19:26:47 -0700
Date: Sat, 31 May 2003 10:27:06 +0000
From: Mail Delivery Subsystem <mailer-DAEMON@yahoo.com>
Subject: Mail Delivery Error [VRInGuwbdUnZwqEP]
To: Me <myemail@mydomain.net>
References: <8ADI83CH81FF62K4@mydomain.net>
In-Reply-To: <8ADI83CH81FF62K4@mydomain.net>
Message-ID: <6733BDH9H12J1929@yahoo.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_CCHBI86J93LG3B1G_FGA3GLKK"
Status:  O

Here were errors processing you mail. Please, read detailed information
in the attachment

    ----- The following addresses had permanent fatal errors -----

myemail@mydomain.net

(reason: 550 myemail@mydomain.net unknown user account)

----- Transcript of session follows -----

... while talking to mail.yahoo.com.:

>>> RCPT To:myemail@mydomain.net

<<< 550 myemail@mydomain.net unknown user account

550 5.1.1 myemail@mydomain.net... User unknown
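
A practitioner's check for this kind of forged bounce, added here as an example; it is not from the original post or from Flutterby. It parses a message like the one quoted above and flags what an MTA-generated bounce would not have: a genuine delivery status notification is sent with the null envelope sender (Return-Path: <>) and is typed multipart/report, and the bottom-most Received: line (the first hop, the only one the sender could not have invented after the fact is the one your own server adds) here shows a HELO of yahoo.com from a host whose reverse DNS is a Comcast cable modem. The headers in the constructed sample are modelled on the ones above; the MIME body, the error.hta part and the second, legitimate bounce used as a control are assumptions, since the post does not reproduce them.

```python
import os
import re
from email import policy
from email.parser import BytesParser

# Constructed sample modelled on the headers quoted above; the MIME body and
# the error.hta part are assumptions (the post does not reproduce them).
SPOOFED_BOUNCE = b"""Return-Path: <mailer-DAEMON@yahoo.com>
Received: from my.ispserver.com (root@localhost)
\tby mydomain.net (8.11.6/8.11.6) with ESMTP id h4V2Qmf22734
\tfor <myemail@mydomain.net>; Fri, 30 May 2003 19:26:48 -0700
Received: from yahoo.com (pcp524863pcs.nash01.tn.comcast.net [68.52.144.49])
\tby my.ispserver.com (8.11.6/8.11.6) with SMTP id h4V2Qlx22713
\tfor <myemail@mydomain.net>; Fri, 30 May 2003 19:26:47 -0700
From: Mail Delivery Subsystem <mailer-DAEMON@yahoo.com>
Subject: Mail Delivery Error [VRInGuwbdUnZwqEP]
To: Me <myemail@mydomain.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Here were errors processing you mail. Please, read detailed information
in the attachment
--XX
Content-Type: application/octet-stream; name="error.hta"
Content-Disposition: attachment; filename="error.hta"
Content-Transfer-Encoding: base64

PGh0bWw+PC9odG1sPg==
--XX--
"""

# Constructed control case: what an MTA-generated bounce actually looks like.
REAL_BOUNCE = b"""Return-Path: <>
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby my.ispserver.com (8.11.6/8.11.6) with ESMTP id h4V2Qlx22999
\tfor <myemail@mydomain.net>; Fri, 30 May 2003 19:30:00 -0700
From: Mail Delivery Subsystem <MAILER-DAEMON@example.net>
To: <myemail@mydomain.net>
Subject: Returned mail: User unknown
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="YY"

--YY
Content-Type: text/plain

The original message was received at Fri, 30 May 2003 19:29:58 -0700
--YY
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1
--YY--
"""

RISKY_EXT = {".hta", ".exe", ".scr", ".pif", ".vbs", ".js", ".bat", ".cmd", ".com"}


def parse_received(value):
    """Pull (HELO name, reverse-DNS name, IP) out of one sendmail-style Received: line."""
    flat = " ".join(value.split())          # unfold continuation lines
    m = re.match(r"from (\S+) \(([^)]*)\)", flat)
    if not m:
        return None
    helo, info = m.group(1), m.group(2)
    ip = re.search(r"\[([\d.]+)\]", info)
    rdns = next((t for t in info.split() if "@" not in t and not t.startswith("[")), None)
    return {"helo": helo, "rdns": rdns, "ip": ip.group(1) if ip else None}


def registered_domain(host):
    """Crude last-two-labels heuristic; wrong for co.uk-style suffixes."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def bounce_findings(raw):
    """Return a list of reasons a message claiming to be a bounce looks forged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    claims_bounce = "mailer-daemon" in str(msg.get("From", "")).lower()
    return_path = str(msg.get("Return-Path", "")).strip()
    if claims_bounce and return_path != "<>":
        # RFC 3464 DSNs are sent with the null reverse-path, never a mailbox.
        findings.append(f"Return-Path is {return_path}, not the null sender <>")
    if claims_bounce and msg.get_content_type() != "multipart/report":
        findings.append(f"Content-Type is {msg.get_content_type()}, not multipart/report")
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    if hops:
        origin = hops[-1]                   # bottom-most Received: = first hop
        if origin["rdns"] and registered_domain(origin["helo"]) != registered_domain(origin["rdns"]):
            findings.append(f"first hop said HELO {origin['helo']} but is "
                            f"{origin['rdns']} [{origin['ip']}]")
    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name)[1].lower() in RISKY_EXT:
            findings.append(f"executable attachment {name}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_BOUNCE), ("real", REAL_BOUNCE)):
        print(label, bounce_findings(raw) or ["no findings"])
```

Run against the spoofed sample this reports all four tells (non-null Return-Path, multipart/mixed instead of multipart/report, HELO/reverse-DNS mismatch on the first hop, and the .hta attachment); the control bounce produces nothing. The two-label domain comparison is only a heuristic, and every Received: line except the one your own MTA wrote can be forged, so the header to trust is the one your server added.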

#Comment made: 2003-05-31 22:00:37.956746+02 by: Shawn

The payload defines a string of machine code (hex values) which appears to be the actual malicious code, writes it to a local file and then runs it. I hesitate to post the code here, but if any of the Flutterby regulars (or somebody one of them can vouch for) wants it to dissect, let me know.

#Comment made: 2003-06-01 19:37:22.873999+02 by: TheSHAD0W

I've gotten it too. I think it's called the "support@microsoft.com" worm. (It also arrives in emails from that source.)

#Comment made: 2003-06-02 04:20:08.967669+02 by: other_todd

I looked at the payload (got one of these the other day), but other than the calls to save the hex dump to a file, my acumen is not sufficient to figure it out. I'm certainly not gonna run the thing. I don't know if the end is nigh but I find this fairly disturbing.
