Flutterby™! : The end is nigh


The end is nigh

2003-05-31 19:38:32.424432+00 by Shawn 4 comments

It has finally happened. Somebody has taken the recent practice of trojan horse e-mail virus/worm delivery and gotten... well, either smart or nasty, depending on your outlook (no pun intended). Today, I received a malicious payload attached to what is otherwise a virtually indistinguishable MAILER-DAEMON error response. My only clues were:

  • I'd only recently sent e-mails to known and established addresses (family, etc.), and
  • The attached "error" - which I was, of course, supposed to open - came as an HTML Application file (.hta)

See the comments for more details.

[ related topics: Microsoft virus Spam ]

Comments (ascending chronological order):

#Comment made: 2003-05-31 19:48:43.690488+00 by: Shawn

This is the message I received (my information has been changed to protect me and my ISP):

Return-Path: <mailer-DAEMON@yahoo.com>
Received: from my.ispserver.com (root@localhost)
	by mydomain.net (8.11.6/8.11.6) with ESMTP id h4V2Qmf22734
	for <myemail@mydomain.net>; Fri, 30 May 2003 19:26:48 -0700
X-ClientAddr: 68.52.144.49
Received: from yahoo.com (pcp524863pcs.nash01.tn.comcast.net [68.52.144.49])
	by my.ispserver.com (8.11.6/8.11.6) with SMTP id h4V2Qlx22713
	for <myemail@mydomain.net>; Fri, 30 May 2003 19:26:47 -0700
Date: Sat, 31 May 2003 10:27:06 +0000
From: Mail Delivery Subsystem <mailer-DAEMON@yahoo.com>
Subject: Mail Delivery Error [VRInGuwbdUnZwqEP]
To: Me <myemail@mydomain.net>
References: <8ADI83CH81FF62K4@mydomain.net>
In-Reply-To: <8ADI83CH81FF62K4@mydomain.net>
Message-ID: <6733BDH9H12J1929@yahoo.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_CCHBI86J93LG3B1G_FGA3GLKK"
Status:  O

Here were errors processing you mail. Please, read detailed information
in the attachment

    ----- The following addresses had permanent fatal errors -----
myemail@mydomain.net
(reason: 550 myemail@mydomain.net unknown user account)
----- Transcript of session follows -----
... while talking to mail.yahoo.com.:
>>> RCPT To:myemail@mydomain.net
<<< 550 myemail@mydomain.net unknown user account
550 5.1.1 myemail@mydomain.net... User unknown
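The two clues in the post (a bounce for mail you never sent, carrying an .hta) and the headers quoted above can be turned into a mechanical check. The bottom Received line is the telling one: the sending host announced itself as yahoo.com, but the receiving ISP's server recorded the actual connecting host as a Comcast residential machine (pcp524863pcs.nash01.tn.comcast.net [68.52.144.49]); the In-Reply-To points at a Message-ID the recipient never generated; and the "rejected" address in the bounce text is the recipient's own address rather than the address a message was sent to. The script below is an added example, not code from the original post or from anyone on this thread. The raw message it parses is constructed here: the headers follow the ones quoted above, but the MIME body, the dummy error.hta attachment and the set of recently sent Message-IDs are invented stand-ins (the real payload was not posted).

```python
"""Triage a suspected forged bounce ("Mail Delivery Error") message.

Added example; the message text below is a constructed stand-in for the
headers quoted in the comment, with an invented MIME body and attachment.
"""
import email
import email.utils
import re
from email import policy

# Constructed sample: header lines follow the quoted message; the MIME body
# and the .hta attachment are invented (the real payload was not posted).
SAMPLE = """\
Return-Path: <mailer-DAEMON@yahoo.com>
Received: from my.ispserver.com (root@localhost)
\tby mydomain.net (8.11.6/8.11.6) with ESMTP id h4V2Qmf22734
\tfor <myemail@mydomain.net>; Fri, 30 May 2003 19:26:48 -0700
Received: from yahoo.com (pcp524863pcs.nash01.tn.comcast.net [68.52.144.49])
\tby my.ispserver.com (8.11.6/8.11.6) with SMTP id h4V2Qlx22713
\tfor <myemail@mydomain.net>; Fri, 30 May 2003 19:26:47 -0700
From: Mail Delivery Subsystem <mailer-DAEMON@yahoo.com>
Subject: Mail Delivery Error [VRInGuwbdUnZwqEP]
To: Me <myemail@mydomain.net>
In-Reply-To: <8ADI83CH81FF62K4@mydomain.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Here were errors processing you mail. Please, read detailed information
in the attachment

    ----- The following addresses had permanent fatal errors -----
myemail@mydomain.net
(reason: 550 myemail@mydomain.net unknown user account)
--XX
Content-Type: application/hta; name="error.hta"
Content-Disposition: attachment; filename="error.hta"
Content-Transfer-Encoding: base64

PGh0bWw+PC9odG1sPg==
--XX--
"""

# Constructed: Message-IDs this mailbox really sent recently. A genuine bounce
# replies to one of these; the forged message does not.
SENT_MESSAGE_IDS = {"<20030530.001@mydomain.net>"}

# Attachment types that execute on open under Windows of the era.
RISKY_EXTENSIONS = {".hta", ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def registered_domain(host):
    """Crude 'example.com' from 'a.b.example.com'; enough for a HELO/rDNS compare."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def originating_hop(msg):
    """(helo_name, reverse_dns, ip) from the earliest Received header, i.e. the
    host that handed the message to the recipient's ISP. Headers are listed
    newest first, so the earliest hop is the last one."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    earliest = " ".join(str(received[-1]).split())  # collapse folding whitespace
    m = re.match(r"from\s+(\S+)\s+\(([^\s\]\[)]*)\s*(?:\[([^\]]+)\])?", earliest)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def triage(raw, sent_ids):
    """Return a list of findings; an empty list means nothing suspicious found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = str(msg.get("From", ""))
    claims_bounce = re.search(r"mailer-daemon|mail delivery", sender, re.I) is not None
    if claims_bounce:
        findings.append("claims_to_be_bounce")

    # Clue 1: the HELO name and the reverse DNS of the connecting host disagree.
    hop = originating_hop(msg)
    if hop:
        helo, rdns, ip = hop
        if "." in rdns and registered_domain(helo) != registered_domain(rdns):
            findings.append(f"helo_mismatch:{helo} via {rdns} [{ip}]")

    # Clue 2: a "bounce" that replies to a message this mailbox never sent.
    reply_to = str(msg.get("In-Reply-To", "")).strip()
    if claims_bounce and reply_to and reply_to not in sent_ids:
        findings.append("replies_to_unsent_message")

    # Clue 3: the address the bounce says is unknown is the recipient's own.
    recipient = email.utils.parseaddr(str(msg.get("To", "")))[1].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if recipient and re.search(r"550\b.*" + re.escape(recipient), text, re.I):
        findings.append("rejected_address_is_recipient")

    # Clue 4: an attachment that runs on open; a real bounce carries none.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"executable_attachment:{name}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE, SENT_MESSAGE_IDS):
        print(finding)
```

The HELO/reverse-DNS comparison only works on the hop recorded by your own (trusted) mail server; anything below that in the chain can be forged along with the rest of the message, and a legitimate bounce from a large provider can still fail the registered-domain test when the provider's outbound hosts live under a different domain, so treat that finding as corroborating rather than conclusive. The In-Reply-To check requires keeping the Message-IDs of outgoing mail, which most MTAs log already.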

#Comment made: 2003-05-31 20:00:37.956746+00 by: Shawn

The payload defines a string of machine code (hex values) which appears to be the actual malicious code, writes it to a local file and then runs it. I hesitate to post the code here, but if any of the Flutterby regulars (or somebody one of them can vouch for) wants it to dissect, let me know.

#Comment made: 2003-06-01 17:37:22.873999+00 by: TheSHAD0W

I've gotten it too. I think it's called the "support@microsoft.com" worm. (It also arrives in emails from that source.)

#Comment made: 2003-06-02 02:20:08.967669+00 by: other_todd

I looked at the payload (got one of these the other day), but other than the calls to save the hex dump to a file, my acumen is not sufficient to figure it out. I'm certainly not gonna run the thing. I don't know if the end is nigh but I find this fairly disturbing.