RE: [Declude.Virus] Mail.zip from AOL Encrypted Messaging Service?

[Colbeck, Andrew]

Title: Mail.zip from AOL Encrypted Messaging Service?

You've caught an instance of the "Feebs" worm.

 

HTA in email should automatically be suspect.  I won't go as far as to say it should be banned, but it's not a bad idea.  Myself, I've never seen an "HTML help file" sent in email.

 

There is an old vulnerability in Internet Explorer (dating back to 2003) for which HTA is the vector; it's mostly abused by malicious websites to install software (toolbars, spyware, adware).  Despite it's age, it's a very popular exploit.

 

 

Andrew 8)

 

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hirthe, Alexander
Sent: Thursday, January 19, 2006 11:51 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Mail.zip from AOL Encrypted Messaging Service?

Hello,

I got a mail.zip from "AOL Encrypted Messaging Service", including a .hta file with encrypted content. Does'nt look good to me :)

Has anyone else seen this mail?
Does anyone know DadaMail?

-----------------------------------------------
Received: from thbafiqcm.com [217.198.112.101] by siller.de with ESMTP
  (SMTPD-8.22) id A9DB33088; Thu, 19 Jan 2006 19:26:35 +0100
Date: Thu, 19 Jan 2006 19:28:38 +0100
From: [EMAIL PROTECTED]
X-Mailer: DadaMail 2.1
Reply-To: [EMAIL PROTECTED]
X-Priority: 3 (Normal)
Message-ID: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [Suspect Mail]Encrypted Message Service
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABCD6E90"
X-Antivirus: avast! (VPS 0603-3, 18.01.2006), Outbound message
X-Antivirus-Status: Clean
X-OriginalArrivalTime: 19 Jan 2006 18:36:26.0852 (UTC) FILETIME=[419F3240:01C61D27]

--ABCD6E90
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

--ABCD6E90
Content-Type: application/x-zip-compressed; name="mail.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="mail.zip"

--ABCD6E90--
-----------------------------------------------

Alex