Thread: Heads up on spoofed McAfee emails

  1. #1
    nebulus200 (Jaded Network Admin)
    Join Date: Jun 2002
    Posts: 1,356

    Heads up on spoofed McAfee emails

    Don't know how widespread this is, but saw it filter in through some interesting equipment we have here... At the very least, it is a good example of how to spot fake email:

    Code:
    HELO <filtered>
    220 ***02**************************************************************
    MAIL FROM:<av_patch@mcafee.com>
    250 <filtered> G'day [24.102.166.188]!  Why do you call yourself <filtered>?
    The last line should be reason prima one that you know this email is fake: the server
    response of 'Why do you call yourself' (note it could also happen if it fails to do a reverse).
    Also note that the email purports to be from av_patch@mcafee.com, and that 24.102.166.188 isn't anywhere near the McAfee domain...

    Actually it is:
    CustName: Rogers Cable Inc. MTMC
    Address: 1 Mount Pleasant Road
    City: Toronto
    StateProv: ON

    Code:
    RCPT TO:<filteredl>
    250 sender <av_patch@mcafee.com> OK
    DATA
    250 recipient <filtered> OK
    From: McAfee Inc.<av_patch@mcafee.com>
    To: Filtered
    Subject: Patch for Elkern.gen
    Date: Tue,17 Jun 2003 13:25:08 PM
    X-Mailer: Microsoft Outlook Express 5.50.4133.2400
    MIME-Version: 1.0
    Content-Type:multipart/mixed;
     boundary=#r0xx#
    
    --#r0xx#
    Content-Type: text/html
    charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable
    
    <HTML><HEAD></HEAD><BODY>
    <FONT></FONT>
    Klez.H is the most common world-wide spreading worm.It's very dangerous by corrupting your files.
    
    Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.
    
    We developed this free immunity tool to defeat the malicious virus.
    
    You only need to run this tool once,and then Klez will never come into your PC</BODY></HTML>
    
    --#r0xx#
    Content-Type: application/octet-stream;
    	name=FixElkern.com
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
    filename="FixElkern.com"
    The last thing to be worried about is the nice little .com attachment...

    Pretty poor job at a little social engineering, but I am sure that person will find plenty of stupid people to run it for them...


    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  2. #2
    Just Another Geek
    Join Date: Jul 2002
    Location: Rotterdam, Netherlands
    Posts: 3,401

    Re: Heads up on spoofed McAfee emails

    This is probably just some poor sap that got bitten by Klez.H or maybe it's a new variant?

    Read through this entry at nai.

    You'll see the text closely matches.

    Did the .com trigger anything on an AV?

    Try submitting it at webimmune
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    nebulus200 (Jaded Network Admin)
    Join Date: Jun 2002
    Posts: 1,356

    Well, I was aware that Klez did some stuff like that, but what I didn't show is that the same user was also sending unsolicited porn email to our users as well, which made me wonder what the person was up to...

    We have multiple levels of protections and it didn't go anywhere, but it was pretty amusing nonetheless.

    It was mime encoded within the email itself...do you know of a way to get it out of there without bringing it up in a client? I was just about to sit down and play with it to see what it was...


    /nebulus

    Thanks for the link, I probably posted it a little sooner than I should have, was just now getting around to looking up more information about it...

    Finally got a look at the attachment and you were absolutely right, it was Klez. I guess I will just let the post sit out here since it does at least document a couple of ways to spot faked email. Thanks for the info.
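One way to pull the MIME-encoded attachment out of a captured message for triage without opening it in a mail client, as asked above, while surfacing the signals the first post points out (an executable attachment on a mail claiming to come from mcafee.com). This is an added Python example, not code from the thread; the message text is a constructed reproduction of the quoted headers with a harmless placeholder in place of the real base64 body.

```python
import base64
import email
import email.utils
import hashlib
from pathlib import Path

# Constructed reproduction of the headers quoted in the thread; the base64
# body is a harmless placeholder, NOT the real Klez attachment.
PLACEHOLDER = base64.b64encode(b"CONSTRUCTED PLACEHOLDER, NOT THE REAL PAYLOAD\r\n").decode()
RAW_MESSAGE = (
    "From: McAfee Inc.<av_patch@mcafee.com>\r\n"
    "Subject: Patch for Elkern.gen\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="#r0xx#"\r\n'
    "\r\n--#r0xx#\r\n"
    "Content-Type: application/octet-stream; name=FixElkern.com\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="FixElkern.com"\r\n'
    f"\r\n{PLACEHOLDER}\r\n"
    "--#r0xx#--\r\n"
).encode("latin-1")

# .com as in the thread, plus other extensions Windows launches on double-click.
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def extract_attachments(raw, out_dir=None):
    """Decode attachment parts with the stdlib parser, not a mail client; optionally
    save the bytes under a neutral .bin name so nothing is launched by accident."""
    msg = email.message_from_bytes(raw)  # compat32 policy: tolerant of sloppy headers
    sender_domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or name is None:
            continue
        data = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        digest = hashlib.sha256(data).hexdigest()
        if out_dir is not None:  # never keep the original .com name on disk
            (Path(out_dir) / f"{digest}.bin").write_bytes(data)
        found.append({
            "filename": name,
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": digest,
            "executable": Path(name).suffix.lower() in EXECUTABLE_EXTENSIONS,
            "claimed_sender_domain": sender_domain,
        })
    return found
```

The SHA-256 in the result is what you would submit or look up instead of the file itself; the executable flag plus a claimed sender domain that does not match the delivering host is the same combination the first post flagged by hand.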

  4. #4
    Und3ertak3r (The Doctor)
    Join Date: Apr 2002
    Posts: 2,744

    Re: Heads up on spoofed McAfee emails

    Content-Type: application/octet-stream;
    name=FixElkern.com
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
    filename
    Klez is not the only virus to use the FixElkern ploy. Others have used this to great effect.

    Try Yaha ... The following is a short list from McAfee's report on this bug.
    Mind, I had a pile of hits on a Google search on the file name.

    The attachment will be one of the following file names -
    Beautifull.scr
    Body_Building.scr
    Britney_Sample.scr
    Codeproject.scr
    Cupid.scr
    FixElkern.com
    FixKlez.com
    FreakOut.exe
    Free_Love_Screensavers.scr
    Hacker.scr
    Hacker_The_LoveStory.scr
    Hardcore4Free.scr
    I_Love_You.scr
    Jenna_Jemson.scr
    King_of_Figthers.exe
    KOF.exe
    KOF_Demo.exe
    KOF_Fighting.exe
    Found here on the McAfee AV site.

    Also a news article on a similar theme here.

    Do a quick Google and check my results. Certainly, even when what you see is familiar, check anyway. I got caught on a variant of "Lovgate".


    Cheers

    BTW: I would be a royal ***** and not thank you for posting the heads up. This sort of reminder is needed; we can "forget" about these social engineering tricks. Personally, 95% of the traffic from McAfee that my mail server receives is bloody SPAM, and the other 5% is warnings sent to me via McAfee by friends (check here) or legitimate warnings from McAfee... unfortunately 100% is binned at the server before it reaches my inbox.
