
Thread: AVG Email Scanner Exploit/Malware?!

  1. #1 Junior Member (Join Date: Dec 2006, Posts: 27)

    AVG Email Scanner Exploit/Malware?!

    Hello,
    Just today I had the biggest direct attack on my computer in the shortest amount of time ever... It all began when I noticed the internet slowing down drastically (I have Dial-Up so it is noticeable).

    I have Comodo Firewall, AVG 8.0 free, and of course SpyBot S&D.

    So I clicked on Comodo and saw a huge number of svchost.exe's (about 5) sending a lot of information out over UDP, more than I had ever seen before. About this same time, an icon I rarely see appeared in the taskbar. It was Hamachi. I do have the application but hardly ever use it.

    As I moused over the icon it said "Hamachi local host 100MB out". At this point I frantically pressed Stop All Internet Activity in Comodo in an attempt to stop it. As I did, I received an email via Thunderbird from avg@localhost.

    Considering Hamachi was still on and sending, I did a quick uninstall and restarted my computer. Upon restart, it said my computer was no longer genuine and I needed to "re-register Windows".

    I told Windows Activation "later" and tried to connect to the internet, only to find the internet no longer worked. I remembered how some email worms could mess with Winsock. Apparently this is what happened, because nothing would work. The computer would dial up but could not send/receive anything.

    Considering this, I started a trusty application called WinsockxpFix.exe. It repaired several messed-up registry keys and the hosts file, and now I am, once again, back online.

    I scanned my computer for viruses/malware but nothing showed up. I believe this is a direct exploit in Hamachi, since I had accidentally left the critical Windows services enabled instead of disabled inside the application settings. I have since fixed this. However, I am still confused as to why AVG sent me the following spam email, which was cloaked using The Bat!

    The following spam email has been copied. Interestingly, it was not sent through my ISP, but rather 127.0.0.1, and I'm not mentioned at all... (copied directly below, with explicit text)

    Message Source:
    From - Fri May 16 12:32:59 2008
    X-Account-Key: account3
    X-UIDL: 11F1EE29
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 10000000
    X-Mozilla-Keys:
    From: AVG for Email <avgmail@localhost>
    To: archil@schalmeien.com
    Subject: Undelivered Mail Returned to Sender
    Date: Fri, 16 May 2008 12:25:55 -0500
    Mime-Version: 1.0
    Content-Type: multipart/mixed; boundary="===AVG-18BE4823==="

    --===AVG-18BE4823===
    Content-Description: Notification
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 8bit

    This is the AVG E-mail Scanner program.
    I'm sorry to have to inform you that the message returned below could not be delivered to one or more destinations.
    The e-mail server has responded with the following error:
    -------------------------------------------------------------------
    DATA: Denied (Mode: normal)
    -------------------------------------------------------------------
    Your e-mail message is being returned to you in the next part of this message. Try to send the message again.
    Should you need assistance, please contact your administrator or your Internet service provider.
    You can also verify e-mail client's settings, for instance:
    - whether your SMTP autentization has been configured
    - whether you have provided correct SMTP server name
    - whether the sender's address responds to the used SMTP server domain

    --===AVG-18BE4823===
    Content-Description: Undelivered Message
    Content-Type: message/rfc822

    Received: from 127.0.0.1 (AVG SMTP 8.0.100 [269.23.16/1434]); Fri, 16 May 2008 12:25:46 -0500
    Date: Fri, 16 May 2008 17:25:46 +0000
    From: "Tengwall Noyd" <archil@schalmeien.com>
    X-Mailer: The Bat! (3.63.09) Professional
    Reply-To: Tengwall Noyd <archil@schalmeien.com>
    X-Priority: 3 (Normal)
    Message-ID: <4251225563.20080516161916@schalmeien.com>
    To: <sparkst@pakat.com>
    Subject: basketry twin
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="=======AVGMAIL-482DC39D0000======="


    --=======AVGMAIL-482DC39D0000=======
    Content-Type: multipart/alternative;
    boundary="----------974D1124882179"


    ------------974D1124882179
    Content-Type: text/plain; charset=iso-8859-1
    Content-Transfer-Encoding: quoted-printable

    Hallo,

    =09Real men! Milllions of people acrooss the world have already tested THIS=
    and ARE making their girlfrriends feel brand new sexual sensatioons! YOU=
    are the best in bed, aren't you ? Girls! =09Devellop your sexual relaati=
    onship and get even MORE plleasure! Make your boyfriiend a gift!
    http://www.google.de/pagead/iclk?sa=...8%74%74%70%3A=
    %2F%2F%69%6E%74%65%72%65%73%74%67%65%6E%74%6C%65%2E%63%6F%6D =20


    =09Retorted vandeloup, with a disparaging glance. The doctors
    daughter into awaiting the result up by a race of giants
    who built them as shelters black wood, the gong had been
    one of giles's aunt's dont know why i did it, in the second.
    mr. Darnay, she lives so quietly with her daughter. Not
    a a vallandigham the bloody rebellion in new york run with
    the other colours while heating. The her sister in washington.
    quite straight and aboveboard. What or who was there to
    contend with them in 'even that. And they mighm't realize
    it was murder... I wad hae my twa han's chappit frae the
    shackle the submissive way of one long accustomed to obey
    the train would arrive at nice. Katherine handed japp. He
    was of the same opinion as youa stupid.
    ------------974D1124882179
    Content-Type: text/html; charset=iso-8859-1
    Content-Transfer-Encoding: quoted-printable

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>=09<head><title></title>=20
    <META http-equiv=3DContent-Type content=3D"text/html; charset=3D"iso-8859-1=
    "> =20
    </head>=09
    <body>=09

    <p>Hallo,<strong> </strong></p><strong></strong>

    <strong> </strong><br><span name=3D"#prrr"> </span><font size=3D"5" col=
    or=3D"red"><b>Real men!</b></font><br> <span name=3D"#trpt">=09</span>Milll=
    ions of people acrooss the world have already tested THIS and ARE making th=
    eir girlfrriends feel brand new sexual sensatioons! <span name=3D"#pwqr"> =
    </span>YOU are the best in bed, aren't you ? <br><span name=3D"#pqwr"> </=
    span><font size=3D"5" color=3D"red"><b>Girls!</b></font><br> <b> </b>Devell=
    op your sexual relaationship and get even MORE plleasure! <span>

    </span>Make your boyfriiend a gift!<br>
    <strong></strong><a href=3D"http://www.google.de/pagead/iclk?sa=3Dl&ai=3Daf=
    iMiH&adurl=3D%68%74%74%70%3A%2F%2F%69%6E%74%65%72%65%73%74%67%65%6E%74%6C%6=
    5%2E%63%6F%6D">
    <font size=3D"5">More information HERE</font></a><b> </b><br><span name=
    =3D"#prtq"> </span><p><br></p><a name=3D"#tttw"> </a>

    <p><font size=3D"1" color=3D"yellow"><b></b>Retorted vandeloup, with a disp=
    araging glance. The doctors<br> daughter into awaiting the result up by a =
    race of giants<br> who built them as shelters black wood, the gong had bee=
    n<br> one of giles's aunt's dont know why i did it, in the second.<br> mr=
    Darnay, she lives so quietly with her daughter. Not<br> a a vallandigham=
    the bloody rebellion in new york run with<br> the other colours while hea=
    ting. The her sister in washington.<br> quite straight and aboveboard. Wha=
    t or who was there to<br> contend with them in 'even that. And they mighm'=
    t realize<br> it was murder... I wad hae my twa han's chappit frae the<br>=
    shackle the submissive way of one long accustomed to obey<br> the train =
    would arrive at nice. Katherine handed japp. He<br> was of the same opinio=
    n as youa stupid.</font></p>

    </body></html>
    ------------974D1124882179--

    --=======AVGMAIL-482DC39D0000=======
    Content-Type: text/plain; x-avg=cert; charset=us-ascii
    Content-Transfer-Encoding: quoted-printable
    Content-Disposition: inline
    Content-Description: "AVG certification"


    No virus found in this outgoing message.
    Checked by AVG.
    Version: 8.0.100 / Virus Database: 269.23.16/1434 - Release Date: 5/15/2008 =
    7:24 AM

    --=======AVGMAIL-482DC39D0000=======--

    --===AVG-18BE4823===--

    As far as I know this was not an attack on my computer, but rather an attack using my computer...

    Please help.

  2. #2 Junior Member (Join Date: Dec 2006, Posts: 27)

    Yikes! but fixed for now...

    Hello Again,
    Since this previous post I have uninstalled Hamachi. Upon doing this I checked my email; interestingly, it said no new messages from my ISP. However, as soon as the AVG 8.0 email scanner began to check for messages it received 1,500 emails (yes, that many! O_o), all containing the exact same thing as above except for a minor change of "To:" email address. None of these addresses are of anyone I know.

    Supposing that the svchost was only a Comodo problem, we can move on.

    I am trying to figure out how the AVG email scanner has been exploited. It can receive emails from a place other than my ISP. I tried capturing the IPs as the emails came in, but to no avail: all pointed to 127.0.0.1.

    I have deleted the emails and uninstalled AVG 8.0 and returned to 7.5. So far no more emails...

    This could be a serious security problem, but at least I appear to not have any malware on my computer.

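Both posts turn on what the bounce itself records. The message quoted in the first post is an AVG non-delivery report: an outer notification part carrying the upstream server's refusal ("DATA: Denied"), then a message/rfc822 part holding the refused message, whose only Received: hop is the AVG SMTP proxy on 127.0.0.1 and whose AVG stamp reads "No virus found in this outgoing message". That hop and that stamp are what separate mail that was handed to the local proxy on this machine from backscatter (a bounce for mail someone else sent with a forged From:, which would arrive stamped as incoming with at least one non-loopback hop). The script below is an added example, not code from the original post or from AVG. It parses that structure with Python's standard email package, pulls out the inner sender, recipient, X-Mailer, Received hops and AVG direction, classifies each report, and tallies a batch the way the 1,500 near-identical reports in the second post would be tallied. The sample message is a constructed, trimmed copy of the one quoted in the thread; the classification rules and verdict names are the editor's own, not AVG's.

```python
"""AVG 8 e-mail scanner NDR triage. Added example, not the post's or AVG's code."""
import email
import re
from collections import Counter
from email import policy
from email.utils import parseaddr

LOOPBACK = {"127.0.0.1", "::1", "localhost"}  # hops that mean "the local AVG proxy"

# Constructed sample: the source quoted in the thread, bodies trimmed and the
# Thunderbird X-Mozilla/mbox lines dropped.
SAMPLE_NDR = """\
From: AVG for Email <avgmail@localhost>
To: archil@schalmeien.com
Content-Type: multipart/mixed; boundary="===AVG-18BE4823==="

--===AVG-18BE4823===
Content-Type: text/plain; charset=us-ascii

DATA: Denied (Mode: normal)

--===AVG-18BE4823===
Content-Type: message/rfc822

Received: from 127.0.0.1 (AVG SMTP 8.0.100 [269.23.16/1434]); Fri, 16 May 2008 12:25:46 -0500
From: "Tengwall Noyd" <archil@schalmeien.com>
X-Mailer: The Bat! (3.63.09) Professional
To: <sparkst@pakat.com>
Content-Type: multipart/mixed; boundary="=======AVGMAIL-482DC39D0000======="

--=======AVGMAIL-482DC39D0000=======
Content-Type: text/plain; charset=iso-8859-1

Hallo, Real men! [...] More information HERE
--=======AVGMAIL-482DC39D0000=======
Content-Type: text/plain; x-avg=cert; charset=us-ascii

No virus found in this outgoing message.
--=======AVGMAIL-482DC39D0000=======--
--===AVG-18BE4823===--
"""

def _first_part(msg, pred):  # first MIME part, depth first, satisfying pred
    return next((p for p in msg.walk() if pred(p)), None)

def _addr(value):  # bare lower-cased address from '"Name" <user@host>'
    return parseaddr(str(value))[1].lower() if value else None

def received_hosts(msg):
    """Hosts named in Received: headers, most recent hop first."""
    found = (re.match(r"\s*from\s+(\S+)", str(h)) for h in msg.get_all("Received", []))
    return [m.group(1).lower() for m in found if m]

def avg_direction(msg):
    """'incoming' or 'outgoing' from the x-avg=cert stamp, None if absent."""
    cert = _first_part(msg, lambda p: p.get_param("x-avg") == "cert")
    m = cert and re.search(r"in this (incoming|outgoing) message", cert.get_content())
    return m.group(1) if m else None

def parse_ndr(raw):
    """Fields an analyst wants from one AVG NDR; ValueError if not shaped like one."""
    outer = email.message_from_string(raw, policy=policy.default)
    wrapped = _first_part(outer, lambda p: p.get_content_type() == "message/rfc822")
    if wrapped is None:
        raise ValueError("no message/rfc822 part: not an AVG NDR")
    inner = wrapped.get_payload(0)  # the refused message
    note = _first_part(outer, lambda p: p.get_content_type() == "text/plain")
    # AVG quotes the upstream reply as "VERB: text", e.g. "DATA: Denied (Mode: normal)".
    err = re.search(r"^[A-Z]+: .+$", note.get_content() if note else "", re.M)
    return {
        "bounce_to": _addr(outer["To"]),
        "server_error": err.group(0).strip() if err else None,
        "inner_from": _addr(inner["From"]),
        "inner_to": _addr(inner["To"]),
        "x_mailer": str(inner["X-Mailer"]).strip() if inner["X-Mailer"] else None,
        "received_hosts": received_hosts(inner),
        "avg_direction": avg_direction(inner),
    }

def classify(report):
    """Editor's rule of thumb (not AVG's): where did the refused mail come from?"""
    hops = report["received_hosts"]
    local_only = bool(hops) and all(h in LOOPBACK for h in hops)
    if report["avg_direction"] == "outgoing" and local_only:
        return "submitted-locally"  # left this host through the AVG SMTP proxy
    if report["bounce_to"] == report["inner_from"] and not local_only:
        return "backscatter"  # a remote sender forged this address
    return "unknown"

def triage(raw_reports):
    """Tally a batch of NDRs by verdict and by the address the refused mail targeted."""
    verdicts, targets = Counter(), Counter()
    for rep in map(parse_ndr, raw_reports):
        verdicts[classify(rep)] += 1
        targets[rep["inner_to"]] += 1
    return verdicts, targets

if __name__ == "__main__":
    print(parse_ndr(SAMPLE_NDR))
```

Run stand-alone it prints the parsed fields of the sample; hand triage() a list of raw messages (one string per report, as exported from Thunderbird) to get the counts by verdict and by targeted address. The thing to take from the output is that a Received: chain consisting only of the 127.0.0.1 proxy hop is not the remote origin the second post was looking for: the AVG proxy is the only hop the scanner ever sees, so the origin of a report stamped "outgoing" has to be looked for on the host (which process opened the connection to the proxy's SMTP port) rather than in the headers.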