FutureQuest Community > General Site Owner Support (All may read/respond) > Open Discussions
Old 03-22-2004, 01:26 PM   Postid: 109246
Randall
New virus?

I don't know if this is really new or not, but I don't remember seeing this tactic before:
Quote:
Subject: Mail Delivery (failure email@domain.com)

If the message will not displayed automatically,
follow the link to read the delivered message.

Received message is available at:
www.domain.com/inbox/info/read.php?sessionid-11255
If I hadn't already been tipped off by Mozilla's status bar that the link actually pointed to a location on the hard drive (i.e., an attachment), the poor grammar and the fact that the domain in question is on an NT server and doesn't run PHP should have.

But a non-technical user wouldn't pick up on any of these warning signs (well, maybe the grammar). It doesn't immediately look like an attachment, at least not in Moz.

Randall
Old 03-22-2004, 01:36 PM   Postid: 109248
cindik
I think that's one of the later versions of Bagle. I believe this behavior started with Rev. Q.

http://www.trendmicro.com/vinfo/viru...ame=PE_BAGLE.Q
http://us.mcafee.com/virusInfo/defau...virus_k=101063
http://www.f-prot.com/virusinfo/desc...s/bagle_q.html
http://securityresponse.symantec.com...agle.t@mm.html
__________________
"You can't put mayonnaise in a suitcase and expect triumph." --Jill Bernard
Cindi Knox
www.cindik.com - - - e-mail: http://cindik.com/contact/ - - - blog: http://cindik.com/spirituality/trans-cendental/
Old 03-22-2004, 03:03 PM   Postid: 109250
Randall
It doesn't match their description of Bagle.Q -- there is an actual attachment, disguised as a link -- so I don't think it's that one. We've received three of them so far today, so whatever it is, it's a busy little jerk.

Randall
Old 03-22-2004, 03:24 PM   Postid: 109251
Wassercrats
Is there ordinarily something on people's hard drives that could be damaging if opened? Maybe the email was trying to activate a previously downloaded virus.
Old 03-22-2004, 03:44 PM   Postid: 109253
cindik
Quote:
Originally posted by Randall:
It doesn't match their description of Bagle.Q -- there is an actual attachment, disguised as a link -- so I don't think it's that one. We've received three of them so far today, so whatever it is, it's a busy little jerk.

Randall
My mistake - I've been getting a lot of Bagles lately. It looks like Netsky: http://www.trendmicro.com/vinfo/viru...TSKY.P&VSect=T

Last edited by cindik : 03-22-2004 at 03:55 PM.
Old 03-22-2004, 04:05 PM   Postid: 109255
Randall
Quote:
Is there ordinarily something on people's hard drives that could be damaging if opened? Maybe the email was trying to activate a previously downloaded virus.
No, that's just the way Mozilla treats links to attached files -- they look like

   mailbox://c|/path-to-file

I think they lead to the actual file where the email is stored on disk, but I'm not sure.

Well, I did a little experiment, and found that it does show an attachment in Outlook Express -- so it's a flaw in Mozilla that's disguising the true nature of the virus.

Viruses suck.

Randall
Old 03-22-2004, 04:30 PM   Postid: 109257
Wassercrats
I was just looking at how temporary internet files are stored. There's a bracketed number appended to the original file name. I'm not sure why that's needed for caching a web page, but to prevent different email attachments with the same file name from confusing things, something like the date and time should be added to the file name, and if it is, I don't see how an emailer could know the name.
Old 03-22-2004, 05:08 PM   Postid: 109260
Randall
Yep, that's the one, Cindi. In Mozilla it doesn't show the message.scr attachment -- until you've clicked on the link and hosed your system. (This is in v1.3 ... I oughta upgrade it and see if they've fixed that yet.)

I hope the little brats involved in this "virus war" get decapitated soon.
Quote:
I'm not sure why that's needed for caching a web page, but to prevent different email attachments with the same file name from confusing things, something like the date and time should be added to the file name, and if it is, I don't see how an emailer could know the name.
They wouldn't. It's the link in the email that matters:
Quote:
<a href=cid:031401Mfdab4$3f3dL780$73387018@57W81fa70 height=0 width=0>www.domain.com/inbox/info/read.php?sessionid-11255</a>
That's what it looks like in the HTML source of the email. The link is pointing to a specific MIME segment of the email, which is the virus attachment. It's up to the email program to decide how to represent that to the user. IE shows it as "mhtml:mid://00000000/!cid:031401M..." etc when you hover the mouse over the link. Of course, if you're not paying attention it looks like a link to domain.com.

Randall
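An added example, not code from this thread, of how a mail filter could flag the trick Randall describes: an anchor whose href is a cid: reference to a MIME part of the same message while the visible link text reads as a web address, resolved to the attachment the cid actually points at. The message it scans is constructed here to mirror the quoted lure; the part1@example Content-ID and the message.scr filename are placeholders.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample modelled on the message quoted in the thread; not a real capture.
SAMPLE = """\
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html

<a href=cid:part1@example height=0 width=0>www.domain.com/inbox/info/read.php?sessionid-11255</a>
--b1
Content-Type: application/octet-stream; name="message.scr"
Content-ID: <part1@example>

--b1--
"""

class Anchors(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.found, self.cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a": self.cur = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self.cur: self.cur[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self.cur: self.found.append(tuple(self.cur)); self.cur = None

LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

def find_disguised_cid_links(raw):
    """Return (text, cid, filename, content type) for cid: anchors whose text looks like a URL."""
    msg = message_from_string(raw, policy=policy.default)
    # Map Content-ID -> (filename, content type) so each cid can be resolved to its MIME part.
    parts = {p["Content-ID"].strip("<>"): (p.get_filename(), p.get_content_type())
             for p in msg.walk() if p["Content-ID"]}
    findings = []
    for p in msg.walk():
        if p.get_content_type() != "text/html":
            continue
        a = Anchors()
        a.feed(p.get_content())
        for href, text in a.found:
            if href.lower().startswith("cid:") and LOOKS_LIKE_URL.match(text.strip()):
                cid = href[4:].strip("<>")
                findings.append((text.strip(), cid) + parts.get(cid, (None, None)))
    return findings
```

A hit whose resolved part is an executable type or a .scr/.exe/.pif filename is the case worth quarantining; an unresolved cid is itself suspicious.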
Old 03-25-2004, 12:06 PM   Postid: 109451
JRepici
I'm getting these by the dozen too...

Always the same cid. Is there any more information on the Win-process this cid points to?

Also of note: It looks like someone who uses English as a second language or who possibly used an automated translation service.

re:

Code:
[EDIT]
On second thought, it's probably a bad idea to show the HTML here after all.
[/EDIT]
__________________
www.creativyst.com
Explored - Designed - Delivered(sm)