WebProWorld Part of WebProNews.com
Internet Security Discussion Forum

#1 StuW (WebProWorld Member, Bowie, Texas), 05-19-2004, 10:52 PM
Spam? Virus? or what?

Some time ago I received several e-mail postings from the Guest Register on my http://www.spwwebwork.com website. It had a garbled message and the data looked like this:

beverlyhillssmal@aol.com
Subject: r4WSYaKH(567616A8,Subject)2QEG TwJpKnffpjZh3YV 71r0bqYJvyJNPs
and then a garbled message much the same as the subject line.

I never opened the messages and thought I had just encountered some type of virus. I deleted all and then ran SpyBot, AdAware and my McAfee virus scan. There didn't seem to be any bad after effects from this.

Today, a client of mine that also has a Guest Book page received the same message. Actually the Subject line may have been different but the source was from beverlyhillssmal@aol.com.

I hope someone in this forum can shed some light on this weird experience. I would appreciate anything you can do to help me in this matter. Of course when I saw AOL.com in the from line, I should have known something was wrong.
__________________
StuW
http://www.bowiewebdesign.com - cutting edge web development where visions become reality.
http://www.spwwebwork.com - affordable original web design.
#2 mikmik (WebProWorld 1,000+ Club, Edmonton, AB, Canada), 05-19-2004, 11:38 PM

How long was the message, Stu?

If you are using Outlook Express, and you have a suspicious or unfamiliar from address in an e-mail, this is what you can do.

Of course, you must never have the preview pane open when you go to an inbox, for there are scripts that will run just from that.
It does not matter if the message is not downloaded from the server, because if you see it like that, it is, and it runs.

These same sorts of things can be done with Outlook, usually by clicking the 'File' and then 'View source' in the toolbar.

Okay, in Outlook Express, I never open an email if I don't specifically expect it or it is from someone I know doesn't have a virus on their machine. That means I talked to them that day.


1 - Highlight the suspect message in the 'inbox' pane, one click, don't open it.

2 - right click the 'envelope' or from column, pick "Properties" from the context menu.

3 - Select the "Details" tab.

4 - At the bottom right of this window, open it with Message source (Click on it lol)

This is like viewing the source of a web page, and any script will not run. You will see all the HTML formatting, the headers, everything like a web page, but also the source address, unless of course it is spoofed, but you quickly learn to spot the difference.
You can actually read the whole message with impunity this way, however...

If the body text is a solid block of text, no words or spaces, then that is the virus code rendered in UTF-8, or iso 98856, or whatever, :o)
There are many characters that are weird ASCII renditions of machine (compiled) code like VB or Delphi or others, C languages a lot.

So, Stu, that is why I ask you about this first, it is crucial to be careful these days, 30 - 60% of computer users are transmitting viruses or spam from their computers without knowing it.

AS LONG AS YOU HAVEN'T OPENED THE ATTATCHMENT IN THESE CASES, YOU WILL NOT GET INFECTED.

Now, if you saw the message in the preview pane, or even saw it, unless it was as text only, even then I am not sure, but many spam are disguised with bogus text and characters like you describe, and the real gist of the message can be discerned by different colored text etc.

If there was a browser hijacker, it is embedded in the <head> tags, and runs before the body loads, like any good JavaScript or VBS should, or else uses the onLoad event in the body tags.
This is where, to my knowledge, the instructions come to reset your Internet browser to go to web pages next time it has run, and pick up the malware, spyware etc., and also add suspicious x-rated and gambling shortcuts to your favourites folder.

If all was normal, when you next used IE to view webpages, then you are most likely completely safe with what you report.

However, I seem to be one of the first people to have a new threat to deal with, it is a bit streaming program that hijacks my internal (Windows) network configurations, and is so well disguised that it is impossible to tell that anything is going on.

Wen has a thread here, I have to go, but you can also check out spyware information sites, one I recommend is SpywareGuard(.com) and pc911.

Add more info, and we can go over it if you want, I hate this stuff with a passion.

But I like helping people, with equal vigor :o)
__________________
What I am is what I am, are you what you are, or what.
Eddie Brickel
#3 StuW (WebProWorld Member, Bowie, Texas), 05-20-2004, 01:22 AM

mik,

Bless you. Thanks for all the info. I am going to print it out and study it a little.

In the meantime, I may have answered my own question. I did a search in Google on 'beverlyhillssmal' and came up with a slew of listings. I went to one of the sites randomly and came up with this: (*note: in an effort to be brief, I deleted about nine more of the same listings. Notice that after the first, some are different.)

Somerville-T.com Guest Book

Name: beverlyhillssmal@aol.com To: beverlyhillssmal@aol.com From: beverlyhillssmal@aol.com Subject: T(30C3AEBF,guest_name)gdfT1Yru 6w .
Email: beverlyhillssmal@aol.com To: beverlyhillssmal@aol.com From: beverlyhillssmal@aol.com Subject: yzRlV(30C3AEBF,guest_email)nF1U WAWNpS3xFn5IUxT6AgOhZkv77stM6zgwzbYB0ZNZsUKAAHjBZe rVivZz6RK7tF1RsDF .
Where are
you from: beverlyhillssmal@aol.com To: beverlyhillssmal@aol.com From: beverlyhillssmal@aol.com Subject: c xGrX5W(30C3AEBF,guest_address)9 oP .
Comments: body
April 29, 2004 06:04:33 (GMT Time)


--------------------------------------------------------------------------------

Name: sohardtopicksn@aol.com To: sohardtopicksn@aol.com From: sohardtopicksn@aol.com Subject: FLr(30C3AEBF,guest_name)wi XGdjU2g0iTbq2gUTT7Q5qBygj .
Email: sohardtopicksn@aol.com To: sohardtopicksn@aol.com From: sohardtopicksn@aol.com Subject: d(30C3AEBF,guest_email)afbP6nhWR 4X49R0GFVT .
Where are
you from: sohardtopicksn@aol.com To: sohardtopicksn@aol.com From: sohardtopicksn@aol.com Subject: bpNa(30C3AEBF,guest_address)c9Ovrfqr JcfKbUQieOAL2 F55ad8BX 1b5tR0lrP .
Comments: body
April 27, 2004 19:29:54 (GMT Time)


--------------------------------------------------------------------------------

Name: beverlyhillssmal@aol.com To: beverlyhillssmal@aol.com From: beverlyhillssmal@aol.com Subject: cpDxq(30C3AEBF,guest_name) kSjEChrbxzozG4sVh4QTWwkuW8Dc34AfDx4Qt5Ap86IVICIEOu 9mB8UaLYtLo8ZO8ychh SQHXPElmVeHS9r0 .
Email: beverlyhillssmal@aol.com To: beverlyhillssmal@aol.com From: beverlyhillssmal@aol.com Subject: r3Uo(30C3AEBF,guest_email)grxc4qc 19XiLrFWzpqLi9nKVj51A37TlDonn6TTnh .
Where are
you from: beverlyhillssmal@aol.com To: beverlyhillssmal@aol.com From: beverlyhillssmal@aol.com Subject: 4b(30C3AEBF,guest_address) o j16zhi3 b1wruD2PGkQjvTKx5LIxJn0Tmb7Kk9Ds uLbC mdJD14EmSpKKwaO8xOTw1IUzN IVQ9aSfD1p .
Comments: body
April 21, 2004 22:01:32 (GMT Time)


--------------------------------------------------------------------------------

Name: beverlyhillssmal@aol.com To: beverlyhillssmal@aol.com From: beverlyhillssmal@aol.com Subject: f YG(30C3AEBF,guest_name)abj0jxn4 UPIX1tjwP3WBdnVJy7NsSLJWD87eRfLj5PiiAGLmz3uzVUwf7Z Ym1kVAwvVInJzpRX .
Email: beverlyhillssmal@aol.com To: beverlyhillssmal@aol.com From: beverlyhillssmal@aol.com Subject: oBh(30C3AEBF,guest_email)4I VR9mLVWr78lQMspBGqFTd .
Where are
you from: beverlyhillssmal@aol.com To: beverlyhillssmal@aol.com From: beverlyhillssmal@aol.com Subject: fk5(30C3AEBF,guest_address)M hlDn6 XtoBh .
Comments: body
April 21, 2004 22:01:22 (GMT Time)


--------------------------------------------------------------------------------

Name: beverlyhillssmal@aol.com To: beverlyhillssmal@aol.com From: beverlyhillssmal@aol.com Subject: mQKFeOk(30C3AEBF,guest_name)CecDyRx e65eAdu3LwqDu1FlCefUpLUi6 .
Email: beverlyhillssmal@aol.com To: beverlyhillssmal@aol.com From: beverlyhillssmal@aol.com Subject: pBl (30C3AEBF,guest_email)OLr 4RKsl OCzMqpeQJ210PFXjtSBT4i6KRp7ANrJV9HV2 .
Where are
you from: beverlyhillssmal@aol.com To: beverlyhillssmal@aol.com From: beverlyhillssmal@aol.com Subject: EEJ(30C3AEBF,guest_address)X3fJ YZ8sVDZKjbhVhwhoLczEzB TN0HWp5Ls1gw4EQlthc .
Comments: body
April 21, 2004 22:01:17 (GMT Time)


--------------------------------------------------------------------------------

Name: angelrrsmr@aol.com To: angelrrsmr@aol.com From: angelrrsmr@aol.com Subject: HR(30C3AEBF,guest_name)zK4j gqd2WCRWrcD .
Email: angelrrsmr@aol.com To: angelrrsmr@aol.com From: angelrrsmr@aol.com Subject: 54VfrKye(30C3AEBF,guest_email)UnVq fwHL 1hjTXX j3JFgiTqH85H .
Where are
you from: angelrrsmr@aol.com To: angelrrsmr@aol.com From: angelrrsmr@aol.com Subject: szKA(30C3AEBF,guest_address)QIvnnI BaHHaCy pXZPHSGKbH69ihlx1EN .
Comments: body
April 10, 2004 20:33:22 (GMT Time)


--------------------------------------------------------------------------------

Name: workisgood@aol.com To: workisgood@aol.com From: workisgood@aol.com Subject: WT7(30C3AEBF,guest_name)xeN BJ egK9RhM .
Email: workisgood@aol.com To: workisgood@aol.com From: workisgood@aol.com Subject: T0hCsXE(30C3AEBF,guest_email)UMkx4ku zRW .
Where are
you from: workisgood@aol.com To: workisgood@aol.com From: workisgood@aol.com Subject: KV6(30C3AEBF,guest_address) PxUvDXu jM33t6lwHDXjqcHsvXdGrriXeifvuR9mGDjNf5OrEXd23QG2Ys lOGYCMqs2l6psa6 rJ mBlsJm8O .
Comments: body
April 2, 2004 07:36:37 (GMT Time)


There was another site relating to military radios that had a slew of entries from beverlyhillssmal. Others also from Germany.

I wish I knew what the purpose of this is. It looks like someone wrote a script that automatically fills out Guest Book Registers and in the process, scrambles everything. There doesn't seem to be any malicious intent, although maybe I have my head up my uknowwhat and it's just wishful thinking on my part.

Thanks again for all your input, mik. You're a real friend to go to the lengths you did to supply me an answer. I hope I will be able to repay in kind someday.

Know also, your friend is in my prayers always.
__________________
StuW
http://www.bowiewebdesign.com - cutting edge web development where visions become reality.
http://www.spwwebwork.com - affordable original web design.
#4 StuW (WebProWorld Member, Bowie, Texas), 05-20-2004, 02:27 AM

Quote:
Originally Posted by mikmik
1 - Highlight the suspect message in the 'inbox' pane, one click, don't open it.

2 - right click the 'envelope' or from column, pick "Properties" from the context menu.

3 - Select the "Details" tab.

4 - At the bottom right of this window, open it with Message source (Click on it lol)
I took your advice and opened up one of the last messages that I received. Of course this message did not come as a direct e-mail, but as a response to a 'form' and forwarded to me by my Internet Host. Here is the message:

X-Message-Info: JGTYoYF78jHFTzuicf5ePpeIBQfuZ01c
Received: from host109.ipowerweb.com ([12.129.237.94]) by mc6-f22.hotmail.com with Microsoft SMTPSVC(5.0.2195.6713);
Sun, 16 May 2004 03:25:22 -0700
Received: (qmail 75040 invoked by uid 2144); 16 May 2004 10:29:09 -0000
Delivered-To: spwwebwo-mail@spwwebwork.com
Received: (qmail 75033 invoked by uid 2144); 16 May 2004 10:29:09 -0000
Date: 16 May 2004 10:29:09 -0000
Message-ID: <20040516102909.75032.qmail@host109.ipowerweb.com>
From: anonymous@host109.ipowerweb.com
To: mail@spwwebwork.com
Content-Transfer-Encoding: 8bit
Content-Type: Text/plain; charset=windows-1252
Subject: Data posted to form 1 of http://spwwebwork.com/Guest-Register...rk-Friends.htm
MIME-Version: 1.0
Return-Path: anonymous@host109.ipowerweb.com
X-OriginalArrivalTime: 16 May 2004 10:25:22.0214 (UTC) FILETIME=[181B7C60:01C43B30]

************************************************** *****************************
Name: sohardtopicksn@aol.com
To: sohardtopicksn@aol.com
From: sohardtopicksn@aol.com
Subject: 7o1My(B8BB1176,Name)mm

0Baoi20 0h 3a9EUvHOfWxVsYgTYDh1cWL8StR

.


Address: sohardtopicksn@aol.com
To: sohardtopicksn@aol.com
From: sohardtopicksn@aol.com
Subject: 0SzG3JHn(B8BB1176,Address)

08T1HHAIH5EDTwS

.


City: sohardtopicksn@aol.com
To: sohardtopicksn@aol.com
From: sohardtopicksn@aol.com
Subject: DNCYl7(B8BB1176,City)FfnP ItEM

sQZaNuL4epu0cpD eFViR9VUlEr7SiIDe3LTHrdQREQAXhbNFguCRbQLlo2c04kX

.


State:
Zip: sohardtopicksn@aol.com
To: sohardtopicksn@aol.com
From: sohardtopicksn@aol.com
Subject: r4RjuQ(B8BB1176,Zip)

20b

.


Phone: sohardtopicksn@aol.com
To: sohardtopicksn@aol.com
From: sohardtopicksn@aol.com
Subject%ZŒÀZ ²Z ÆZ ÉZÌËZ¬z_LÑZLÔZ ¡_ÌÙZL£_ŒßZŒâZLåZ¬*_ÌêZÌíZ,ä_Œ[L[ [ ºZŒ[Œ[L[Œ¼ZÌ[Ì[Œ[ ¿Z %[Ì
Email:
WebsiteInterest:
FoundUsBy:
Submit:


The words before the semicolons are the field names. Such as, Name, Address, City, State, Zip, Phone, Email, Website Interest, Found Us By, and Submit.

Hope this info helps.
__________________
StuW
http://www.bowiewebdesign.com - cutting edge web development where visions become reality.
http://www.spwwebwork.com - affordable original web design.
#5 mikmik (WebProWorld 1,000+ Club, Edmonton, AB, Canada), 05-21-2004, 02:24 AM

Hi, Stu. This is all interesting, and I will check some things out. Sorry I have not been as attentive today, just so you know.
Lots of posts and offers to help get abandoned, I have done it ( ;]), but not here.
Just installed Linux again, have to get up to speed, but I am around here shortly.

We have met the enemy, and he is us (fellow computer users, the hackers, crackers, and spammers. They prey on the very people that make their activities possible. My, my...)
__________________
What I am is what I am, are you what you are, or what.
Eddie Brickel
#6 mikmik (WebProWorld 1,000+ Club, Edmonton, AB, Canada), 05-27-2004, 06:37 PM

Hi, Stu.
I think that if you can check your log files for any IPs of visitors that correspond to the 'submissions' you are getting, it may be a start, but pretty much it is easy to spoof all that info or block it completely.
I can only suggest that we put a special tracking log on that page, and see if it comes up with anything relevant.
The best bet would be to install a validation script that prevents duplicate submissions. I am sure we could find one easily, if you are interested.

I also found this link to an anti-spam resource page, some of the links are dead, but there are some very helpful pointers and links here as well:

http://www.rahul.net/falk/index.html#howtos

Let me know how it goes :o)
__________________
What I am is what I am, are you what you are, or what.
Eddie Brickel
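The two suggestions in post #6 (a per-page log of who is submitting, and a validation script that refuses duplicate submissions) can be combined with the pattern visible in StuW's samples in posts #3 and #4: every field holds the same address, "To:"/"From:"/"Subject:" lines are stuffed into text fields, and each field carries a "(8 hex digits,fieldname)" token naming the field it was posted into. The script below is an added example written for this page, not code from the thread, from either poster, or from any guest-book product. The field names, the constructed sample entries, the three heuristics, the IP addresses and the SubmissionLog class are all this example's own assumptions.

```python
import hashlib
import re
import time

# Token seen in every automated entry quoted in the thread, e.g. "(30C3AEBF,guest_name)"
# or "(B8BB1176,Zip)": eight hex digits, a comma, then a form field name.
PROBE_TOKEN = re.compile(r"\(([0-9A-Fa-f]{8}),([A-Za-z_][A-Za-z0-9_]*)\)")
# A line that starts like a mail header. Harmless in a mailbox, suspicious inside a form field.
HEADER_LINE = re.compile(r"^\s*(to|from|cc|bcc|subject):", re.IGNORECASE | re.MULTILINE)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def screen_submission(fields):
    """Return the list of reasons a guest-book submission looks automated.

    `fields` maps form field name -> posted value. An empty list means nothing fired.
    Heuristics (assumptions of this example, drawn from the samples in the thread):
      1. a "(HEX8,fieldname)" token, noted specially when it names its own field;
      2. mail-header-looking lines inside a field value;
      3. one e-mail address pasted into three or more different fields.
    """
    reasons = []
    address_fields = {}  # address -> set of field names it appeared in
    for name, value in fields.items():
        if not value or not value.strip():
            continue
        m = PROBE_TOKEN.search(value)
        if m:
            echo = " (echoes its own field name)" if m.group(2).lower() == name.lower() else ""
            reasons.append(f"{name}: probe token {m.group(0)}{echo}")
        if HEADER_LINE.search(value):
            reasons.append(f"{name}: mail header line inside form field")
        for addr in set(a.lower() for a in EMAIL.findall(value)):
            address_fields.setdefault(addr, set()).add(name)
    for addr, names in address_fields.items():
        if len(names) >= 3:
            reasons.append(f"{addr} appears in {len(names)} fields: {', '.join(sorted(names))}")
    return reasons


class SubmissionLog:
    """In-memory record of recent submissions, keyed by content fingerprint and by
    client IP, so the page can refuse repeats and notice bursts from one address.
    Hypothetical helper for this example; a real guest book would persist it."""

    def __init__(self, window_seconds=3600, max_per_ip=3):
        self.window = window_seconds
        self.max_per_ip = max_per_ip
        self.by_fingerprint = {}  # fingerprint -> time last seen
        self.by_ip = {}           # ip -> submission times inside the window

    @staticmethod
    def fingerprint(fields):
        # Case- and whitespace-insensitive, so re-spacing the same text is still a repeat.
        canon = "\n".join(f"{k.lower()}={' '.join(str(v).split()).lower()}"
                          for k, v in sorted(fields.items()))
        return hashlib.sha256(canon.encode("utf-8")).hexdigest()

    def record(self, fields, ip, now=None):
        """Record one submission; return (is_duplicate, submissions_from_ip_in_window)."""
        now = time.time() if now is None else now
        fp = self.fingerprint(fields)
        last = self.by_fingerprint.get(fp)
        duplicate = last is not None and now - last < self.window
        self.by_fingerprint[fp] = now
        times = [t for t in self.by_ip.get(ip, []) if now - t < self.window]
        times.append(now)
        self.by_ip[ip] = times
        return duplicate, len(times)


def accept(fields, ip, log, now=None):
    """Combine the content screen with the duplicate/rate log; return (ok, reasons)."""
    reasons = screen_submission(fields)
    duplicate, count = log.record(fields, ip, now)
    if duplicate:
        reasons.append("duplicate of a submission seen within the window")
    if count > log.max_per_ip:
        reasons.append(f"{ip}: {count} submissions within the window")
    return (not reasons), reasons


# Constructed sample modelled on the form mail StuW quotes in post #4; not a real capture.
SPAM_ENTRY = {
    "Name": "sohardtopicksn@aol.com\nTo: sohardtopicksn@aol.com\nFrom: sohardtopicksn@aol.com\n"
            "Subject: 7o1My(B8BB1176,Name)mm\n\n0Baoi20 0h 3a9EUvHOfWxVsYgTYDh1cWL8StR\n\n.",
    "Address": "sohardtopicksn@aol.com\nTo: sohardtopicksn@aol.com\nFrom: sohardtopicksn@aol.com\n"
               "Subject: 0SzG3JHn(B8BB1176,Address)\n\n08T1HHAIH5EDTwS\n\n.",
    "City": "sohardtopicksn@aol.com\nTo: sohardtopicksn@aol.com\nFrom: sohardtopicksn@aol.com\n"
            "Subject: DNCYl7(B8BB1176,City)FfnP ItEM\n\n.",
    "State": "",
    "Zip": "sohardtopicksn@aol.com\nTo: sohardtopicksn@aol.com\nFrom: sohardtopicksn@aol.com\n"
           "Subject: r4RjuQ(B8BB1176,Zip)\n\n20b\n\n.",
    "Email": "",
    "Comments": "",
}
# Constructed ordinary entry for contrast.
GOOD_ENTRY = {
    "Name": "Jane Example", "Address": "1 Main St", "City": "Bowie", "State": "TX",
    "Zip": "12345", "Email": "jane@example.com", "Comments": "Nice site, found you from a friend.",
}

if __name__ == "__main__":
    log = SubmissionLog()
    for label, entry in (("spam", SPAM_ENTRY), ("good", GOOD_ENTRY)):
        ok, why = accept(entry, "203.0.113.9", log)
        print(label, "accepted" if ok else "rejected", why)
```

The content screen is what catches the entries in this thread, since each one carries fresh random text and would never be an exact duplicate; the fingerprint and per-IP counters cover the plainer case of the same entry being posted repeatedly, which is what the suggested validation script targets. Rejected submissions should be logged with the client IP rather than mailed on, which also gives the "tracking log" the post asks for.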
#7 StuW (WebProWorld Member, Bowie, Texas), 06-01-2004, 07:11 PM

mik,

Thanks for all your help. It's been a couple of weeks now and I haven't had a recurrence of the problem. I think they've quit. At any rate, I don't think I am going to spend any more time on this. Thanks again,

Stu
__________________
StuW
http://www.bowiewebdesign.com - cutting edge web development where visions become reality.
http://www.spwwebwork.com - affordable original web design.
#8 mikmik (WebProWorld 1,000+ Club, Edmonton, AB, Canada), 06-02-2004, 06:17 AM

Hi, StuW, I am glad the problem is over with.

Thanks for letting me know :o)

Any time you need help, feel free to email me or anything, I am happy to work with you.

That goes for everyone! :o)
__________________
What I am is what I am, are you what you are, or what.
Eddie Brickel