AVG Email Scanner Exploit/Malware?!

[Gaming4JC]

Hello,
Just today I had the biggest direct attack on my computer in the shortest amount of time ever... It all began when I noticed the internet slowing down drastically (I have Dial-Up so it is noticeable).

I have Comodo Firewall, AVG 8.0 free, and of course SpyBot S&D.

So I clicked on Comodo and saw a huge amount of svchost.exe's (about 5) sending a lot of information in UDP out. More than I had ever seen before. About this same time appeared in the taskbar an icon I rarely see. It was Hamachi. I do have the application but hardly ever use it.

As I moused over the icon it sayed Hamachi local host 100MB out. At this point I frantically pressed Stop All Internet Activity on Comodo in an attempt to stop it. As I did I received an email via thunderbird from avg@localhost.

Considering Hamachi was still on and sending I did a quick uninstall and restarted my computer. Upon restart, it said my computer was no longer genuine and I needed to "re-register windows".

I told Windows Activation later and tried to connect to the internet only to find the internet no longer worked. I remembered how some email worms could mess with winsocks. Apparently this is what happened, because nothing would work. The computer would dial-up but could not send/receive anything.

Considering this I started a trusty application called WinsockxpFix.exe. It repaired several messed up registry keys and host files and now I am, once again, back online.

I scanned my computer for viruses/malware but nothing showed up. I believe this is a direct exploit in Hamachi since I had accidentally left the critical windows services enabled instead of disabled inside the application settings. I have since fixed this. However, I am stilled confused as to why AVG sent me the following spam email which was cloaked using The Bat!

The following spam email has been copied. Interestingly, it was not sent through my ISP, but rather 127.0.0.1 and I'm not mentioned at all...
(copied directly below with explicit text)Message Source:

Quote:

From - Fri May 16 12:32:59 2008
X-Account-Key: account3
X-UIDL: 11F1EE29
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
X-Mozilla-Keys:
From: AVG for Email <avgmail@localhost>
To:
Subject: Undelivered Mail Returned to Sender
Date: Fri, 16 May 2008 12:25:55 -0500
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===AVG-18BE4823==="

--===AVG-18BE4823===
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit

This is the AVG E-mail Scanner program.I'm sorry to have to inform you that the message returnedbelow could not be delivered to one or more destinations.The e-mail server has responded with the following error:-------------------------------------------------------------------DATA: Denied (Mode: normal)
-------------------------------------------------------------------Your e-mail message is being returned to you in the next part of thismessage. Try to send the message again.Should you need assistance, please contact your administrator or yourInternet service provider.
You can also verify e-mail client's settings, for instance:
- whether your SMTP autentization has been configured- whether you have provided correct SMTP server name
- whether the sender's address responds to the used SMTP server domain

--===AVG-18BE4823===
Content-Description: Undelivered Message
Content-Type: message/rfc822

Received: from 127.0.0.1 (AVG SMTP 8.0.100 [269.23.16/1434]); Fri, 16 May 2008 12:25:46 -0500
Date: Fri, 16 May 2008 17:25:46 +0000
From: "Tengwall Noyd" <archil@schalmeien.com>
X-Mailer: The Bat! (3.63.09) Professional
Reply-To: Tengwall Noyd <archil@schalmeien.com>
X-Priority: 3 (Normal)
Message-ID: <4251225563.20080516161916@schalmeien.com>
To: <sparkst@pakat.com>
Subject: basketry twin
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=======AVGMAIL-482DC39D0000======="


--=======AVGMAIL-482DC39D0000=======
Content-Type: multipart/alternative;
boundary="----------974D1124882179"


------------974D1124882179
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

Hallo,

=09Real men! Milllions of people acrooss the world have already tested THIS=
and ARE making their girlfrriends feel brand new sexual sensatioons! YOU=
are the best in bed, aren't you ? Girls! =09Devellop your sexual relaati=
onship and get even MORE plleasure! Make your boyfriiend a gift!
http://www.google.de/pagead/iclk?sa=...8%74%74%70%3A=
%2F%2F%69%6E%74%65%72%65%73%74%67%65%6E%74%6C%65%2E%63%6F%6D =20


=09Retorted vandeloup, with a disparaging glance. The doctors
daughter into awaiting the result up by a race of giants
who built them as shelters black wood, the gong had been
one of giles's aunt's dont know why i did it, in the second.
mr. Darnay, she lives so quietly with her daughter. Not
a a vallandigham the bloody rebellion in new york run with
the other colours while heating. The her sister in washington.
quite straight and aboveboard. What or who was there to
contend with them in 'even that. And they mighm't realize
it was murder... I wad hae my twa han's chappit frae the
shackle the submissive way of one long accustomed to obey
the train would arrive at nice. Katherine handed japp. He
was of the same opinion as youa stupid.
------------974D1124882179
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>=09<head><title></title>=20
<META http-equiv=3DContent-Type content=3D"text/html; charset=3D"iso-8859-1=
"> =20
</head>=09
<body>=09

<p>Hallo,<strong> </strong></p><strong></strong>

<strong> </strong><br><span name=3D"#prrr"> </span><font size=3D"5" col=
or=3D"red"><b>Real men!</b></font><br> <span name=3D"#trpt">=09</span>Milll=
ions of people acrooss the world have already tested THIS and ARE making th=
eir girlfrriends feel brand new sexual sensatioons! <span name=3D"#pwqr"> =
</span>YOU are the best in bed, aren't you ? <br><span name=3D"#pqwr"> </=
span><font size=3D"5" color=3D"red"><b>Girls!</b></font><br> <b> </b>Devell=
op your sexual relaationship and get even MORE plleasure! <span>

</span>Make your boyfriiend a gift!<br>
<strong></strong><a href=3D"http://www.google.de/pagead/iclk?sa=3Dl&ai=3Daf=
iMiH&adurl=3D%68%74%74%70%3A%2F%2F%69%6E%74%65%72%65%73%74%67%65%6E%74%6C%6=
5%2E%63%6F%6D">
<font size=3D"5">More information HERE</font></a><b> </b><br><span name=
=3D"#prtq"> </span><p><br></p><a name=3D"#tttw"> </a>

<p><font size=3D"1" color=3D"yellow"><b></b>Retorted vandeloup, with a disp=
araging glance. The doctors<br> daughter into awaiting the result up by a =
race of giants<br> who built them as shelters black wood, the gong had bee=
n<br> one of giles's aunt's dont know why i did it, in the second.<br> mr=
Darnay, she lives so quietly with her daughter. Not<br> a a vallandigham=
the bloody rebellion in new york run with<br> the other colours while hea=
ting. The her sister in washington.<br> quite straight and aboveboard. Wha=
t or who was there to<br> contend with them in 'even that. And they mighm'=
t realize<br> it was murder... I wad hae my twa han's chappit frae the<br>=
shackle the submissive way of one long accustomed to obey<br> the train =
would arrive at nice. Katherine handed japp. He<br> was of the same opinio=
n as youa stupid.</font></p>

</body></html>
------------974D1124882179--

--=======AVGMAIL-482DC39D0000=======
Content-Type: text/plain; x-avg=cert; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Content-Description: "AVG certification"


No virus found in this outgoing message.
Checked by AVG.
Version: 8.0.100 / Virus Database: 269.23.16/1434 - Release Date: 5/15/2008 =
7:24 AM

--=======AVGMAIL-482DC39D0000=======--

--===AVG-18BE4823===--

As far as I know this was not an attack on my computer, but rather an attack using my computer...



Please help.

[Gaming4JC]

Hello Again,
Since this previous post I have uninstalled Hamachi. Upon doing this I checked my email, interestingly it said no new message from my ISP. However, as soon as the AVG 8.0 email scanner began to check for messages it received 1,500 emails (yes that many! O_o) all containing the exact same thing as above excluding a minor change of "To:" email addresses. None of these addresses are of anyone I know.

Supposing that the svchost was only a Comodo problem we can move on.

I am trying to figure out how the avg email scanner has been exploited. It can receive emails from a place other than my ISP. I tried capturing the IPs as the emails came in but to no avail. All pointing to 127.0.0.1.

I have deleted the emails and uninstalled AVG 8.0 and returned to 7.5. So far no more emails...

This could be a serious security problem, but at least I appear to not have any malware on my computer.