June 17th, 2003, 06:49 PM
#1
Heads up on spoofed McAfee emails
Don't know how widespread this is, but saw it filter in through some interesting equipment we have here...At the very least, it is a good example of how to spot fake email:
Code:
HELO <filtered>
220 ***02**************************************************************
MAIL FROM:<av_patch@mcafee.com>
250 <filtered> G'day [24.102.166.188]! Why do you call yourself <filtered>?
The last line should be reason number one that you know this email is fake: the server's response of 'Why do you call yourself...' (note that it could also happen if the server fails to do a reverse lookup).
Also note that the email purports to be from av_patch@mcafee.com, and that 24.102.166.188 isn't anywhere near the McAfee domain...
Actually it is:
CustName: Rogers Cable Inc. MTMC
Address: 1 Mount Pleasant Road
City: Toronto
StateProv: ON
Code:
RCPT TO:<filtered>
250 sender <av_patch@mcafee.com> OK
DATA
250 recipient <filtered> OK
From: McAfee Inc.<av_patch@mcafee.com>
To: Filtered
Subject: Patch for Elkern.gen
Date: Tue,17 Jun 2003 13:25:08 PM
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
MIME-Version: 1.0
Content-Type:multipart/mixed;
boundary=#r0xx#
--#r0xx#
Content-Type: text/html
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD></HEAD><BODY>
<FONT></FONT>
Klez.H is the most common world-wide spreading worm.It's very dangerous by corrupting your files.
Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.
We developed this free immunity tool to defeat the malicious virus.
You only need to run this tool once,and then Klez will never come into your PC</BODY></HTML>
--#r0xx#
Content-Type: application/octet-stream;
name=FixElkern.com
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="FixElkern.com"
The last thing to be worried about is the nice little .com attachment...
Pretty poor job at a little social engineering, but I am sure that person will find plenty of stupid people to run it for them...
/nebulus
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
June 17th, 2003, 07:01 PM
#2
Re: Heads up on spoofed McAfee emails
This is probably just some poor sap that got bitten by Klez.H or maybe it's a new variant?
Read through this entry at nai.
You'll see the text closely matches.
Did the .com trigger anything on an AV?
Try submitting it at webimmune
Oliver's Law:
Experience is something you don't get until just after you need it.
June 17th, 2003, 07:20 PM
#3
Well, I was aware that Klez did some stuff like that, but what I didn't show is that the same user was also sending unsolicited porn email to our users as well, which made me wonder what the person was up to...
We have multiple levels of protection and it didn't go anywhere, but it was pretty amusing nonetheless.
It was MIME encoded within the email itself... do you know of a way to get it out of there without bringing it up in a client? I was just about to sit down and play with it to see what it was...
/nebulus
Thanks for the link, I probably posted it a little sooner than I should have, was just now getting around to looking up more information about it...
Finally got a look at the attachment and you were absolutely right, it was Klez. I guess I will just let the post sit out here since it does at least document a couple of ways to spot faked email. Thanks for the info.
June 18th, 2003, 02:37 PM
#4
Re: Heads up on spoofed McAfee emails
Content-Type: application/octet-stream;
name=FixElkern.com
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename
Klez is not the only virus to use the FixElkern ploy... others have used this to great effect.
Try Yaha... The following is a short list from McAfee's report on this bug...
Mind you, I had a pile of hits on a Google search on the file name...
The attachment will be one of the following file names -
Beautifull.scr
Body_Building.scr
Britney_Sample.scr
Codeproject.scr
Cupid.scr
FixElkern.com
FixKlez.com
FreakOut.exe
Free_Love_Screensavers.scr
Hacker.scr
Hacker_The_LoveStory.scr
Hardcore4Free.scr
I_Love_You.scr
Jenna_Jemson.scr
King_of_Figthers.exe
KOF.exe
KOF_Demo.exe
KOF_Fighting.exe
Found here on the McAfee AV site
Also a news article on a similar theme here
Do a quick Google and check my results... certainly even when what you see is familiar... check anyway... I got caught on a variant of "Lovgate"...
Cheers
BTW: I would be a royal ***** if I did not thank you for posting the heads up... This sort of reminder is needed... we can "forget" about these social engineering tricks... personally 95% of the traffic from McAfee that my mail server receives is bloody SPAM... and the other 5% is warnings sent to me via McAfee by friends... Check here... or legitimate warnings from McAfee.......... unfortunately 100% is binned at the server B4 it reaches my Inbox...
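Post #3 asks how to get the MIME-encoded attachment out of the message without opening it in a mail client, and post #4 lists the executable file names (.com, .exe, .scr) these worms travel under. The following Python script is an added example, not code from the thread or from McAfee: it rebuilds a raw message from the headers quoted in post #1 (the attachment body is a constructed placeholder, not the worm), walks the MIME parts with the standard library's email module, decodes each attachment to bytes, hashes it, flags executable extensions, and writes it out under a quarantine name with ".bin" appended so it cannot be launched by accident. The extension set and the sample bytes are assumptions made for the example.

```python
import base64
import email
import hashlib
import os
from pathlib import Path

# Extensions taken from the file names quoted in post #4 (.com, .exe, .scr).
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".scr"}

# Constructed stand-in for the attachment body; this is NOT the worm, just placeholder bytes.
SAMPLE_ATTACHMENT_BYTES = b"CONSTRUCTED SAMPLE - harmless placeholder bytes\r\n"


def build_sample_message() -> bytes:
    """Assemble a raw message mirroring the headers quoted in the thread.

    Header values come from post #1; the base64 body is the constructed sample above.
    """
    b64 = base64.b64encode(SAMPLE_ATTACHMENT_BYTES).decode("ascii")
    text = (
        "From: McAfee Inc.<av_patch@mcafee.com>\r\n"
        "To: Filtered\r\n"
        "Subject: Patch for Elkern.gen\r\n"
        "Date: Tue,17 Jun 2003 13:25:08 PM\r\n"
        "X-Mailer: Microsoft Outlook Express 5.50.4133.2400\r\n"
        "MIME-Version: 1.0\r\n"
        "Content-Type: multipart/mixed;\r\n"
        " boundary=#r0xx#\r\n"
        "\r\n"
        "--#r0xx#\r\n"
        "Content-Type: text/html;\r\n"
        ' charset="iso-8859-1"\r\n'
        "Content-Transfer-Encoding: quoted-printable\r\n"
        "\r\n"
        "<HTML><HEAD></HEAD><BODY>Klez.H is the most common world-wide spreading worm.</BODY></HTML>\r\n"
        "--#r0xx#\r\n"
        "Content-Type: application/octet-stream;\r\n"
        " name=FixElkern.com\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "Content-Disposition: attachment;\r\n"
        ' filename="FixElkern.com"\r\n'
        "\r\n"
        f"{b64}\r\n"
        "--#r0xx#--\r\n"
    )
    return text.encode("latin-1")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the decoded attachment, suitable for submitting to an AV vendor."""
    return hashlib.sha256(data).hexdigest()


def analyze_attachments(raw: bytes) -> list:
    """Parse a raw message and describe every attachment without executing anything."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container parts carry no payload of their own
        filename = part.get_filename()
        if not filename:
            continue  # inline body text, not an attachment
        payload = part.get_payload(decode=True) or b""  # base64/QP decoded to bytes
        ext = os.path.splitext(filename)[1].lower()
        findings.append({
            "filename": filename,
            "content_type": part.get_content_type(),
            "size": len(payload),
            "sha256": sha256_hex(payload),
            "executable": ext in EXECUTABLE_EXTENSIONS,
            "payload": payload,
        })
    return findings


def quarantine_name(filename: str) -> str:
    """Strip any directory components from the sender-supplied name and append .bin."""
    return Path(filename.replace("\\", "/")).name + ".bin"


def save_attachments(raw: bytes, outdir: str) -> list:
    """Write each attachment to outdir under its quarantine name; return the paths written."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for finding in analyze_attachments(raw):
        target = out / quarantine_name(finding["filename"])
        target.write_bytes(finding["payload"])
        written.append(target)
    return written


if __name__ == "__main__":
    for f in analyze_attachments(build_sample_message()):
        flag = "EXECUTABLE" if f["executable"] else "ok"
        print(f'{f["filename"]}  {f["content_type"]}  {f["size"]} bytes  sha256={f["sha256"]}  [{flag}]')
```

Pointing `save_attachments` at a real message file (`analyze_attachments(Path("mail.eml").read_bytes())`) gives the hash and size to submit to a vendor without ever letting a client render the HTML part or offer to open the .com file.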