ptrowski (Premium, join:2005-03-14, Putnam, CT)
edit: April 9th, @06:38PM
Update: Mom was a bit wiser than I thought.....
I just got a call from my mother who did a no-no. She received an IM from ahsanhyd@hotmail.com asking her what did she think about the baby pictures. She thought it was from a friend of hers who became a grandmother.
The file is photo001-03-31-2008.jpg but it is clearly an executable. I tried a good search on the IM name or the file name and nothing came up. She scanned it with McAfee I think and it did not detect anything (after the fact).
Has anyone heard of this one? -- "A religious war is like children fighting over who has the strongest imaginary friend."
Have you been touched by his noodly appendage? »www.venganza.org

skyroket (join:2001-06-11, Colorado, US)
Re: Mom was not very wise...
It could probably be anything, renamed for custom use of giving through IM.

onDvine (Premium, join:2005-01-29, So. CA, USA)
reply to ptrowski
Slightly O/T: I Googled ahsanhyd@hotmail to see if anybody else had mentioned problems from that sender (nobody has). Did find a link to your post, less than an hour old. Damn, that's fast! -- Nobody can bring you peace but yourself. ▪R.W. Emerson

ptrowski (Premium, join:2005-03-14, Putnam, CT)
Same here...although it did look like it was from India. Hardly one of her friends. Ran it through the online scanners, came up suspicious but not tagged.
Time to sweep her system.

onDvine (Premium, join:2005-01-29, So. CA, USA)
said by ptrowski: "Same here...although it did look like it was from India. Hardly one of her friends. ..."
Sorry. Somehow missed the part where you said: "... tried a good search on the IM name ..." Hopefully next time she'll pay closer attention to the sender name. Good luck with it.

ptrowski (Premium, join:2005-03-14, Putnam, CT)
said by onDvine: "said by ptrowski: 'Same here...although it did look like it was from India. Hardly one of her friends. ...' Sorry. Somehow missed the part where you said: '... tried a good search on the IM name ...' Hopefully next time she'll pay closer attention to the sender name. Good luck with it."
Sorry, I did not mean for that to come out snippy. I was more thinking aloud.
So far nothing has popped up.

onDvine (Premium, join:2005-01-29, So. CA, USA)
edit: April 8th, @08:35PM
said by ptrowski: "... I did not mean for that to come out snippy. ..."
It didn't at all.
Mostly I was commenting on how fast your post showed up in Google. Had nothing helpful to contribute.

rawwhide (join:2000-09-03, The Moon)
edit: April 8th, @09:04PM
reply to ptrowski
It might just be a bot looking for computers still vulnerable to the 0-day exploit. Not for sure that any are left, but you never know. -- Tin-Foilers Union of America!! Tin-Foilers Union Local 101...

EGeezer (Premium, join:2002-08-04, Central Ohio)
reply to ptrowski
said by ptrowski: "Same here...although it did look like it was from India. Hardly one of her friends. Ran it through the online scanners, came up suspicious but not tagged. Time to sweep her system."
A brief look at the headers and message source will tell you where it came from. -- Mayors of New York come from nowhere and go nowhere. Wallace Sayre (apparently, so do governors... )

Doctor Olds (Premium, VIP, join:2001-04-19)
reply to ptrowski
I'd suggest looking at the file with FileAlyzer to see if you can see what it really is.
Then upload it to Jotti's malware scan to see if it has been seen before and also see if it has anything hidden.
Regards,
Doctor Olds -- What's the point of owning a supercar if you can't scare yourself stupid from time to time?

ptrowski (Premium, join:2005-03-14, Putnam, CT)
reply to EGeezer
Hi Geezer, it came across an IM. Would there be headers?
Doc, I ran it through Jotti's and it was suspicious but nothing has been seen before.

elnino (join:2006-08-27, Akron, OH)
reply to ptrowski
Hopefully it's not part of the new Kraken worm....

Doctor Olds (Premium, VIP, join:2001-04-19)
reply to ptrowski
said by ptrowski: "Doc, I ran it through Jotti's and it was suspicious but nothing has been seen before."
What was suspicious? That is very vague. Did the scan result say it was a Windows PE file that was renamed or is it actually a real image file just trying to sell something like narcotic pills, stocks, male enhancement capsules or other type garbage?
You can use FileAlyzer to read the beginning of the file to see what it really is.
A Windows PE file will start with:
MZ
While a .GIF Image File will start with:
Gif89
And a .JPG Image File will start with:
ÿØÿà..JFIF
Regards,
Doctor Olds -- What's the point of owning a supercar if you can't scare yourself stupid from time to time?
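As an added example (not code from this thread or from FileAlyzer), here is a Python check that does what Doctor Olds describes by hand: read the leading bytes, match them against the MZ / GIF / JFIF signatures, and also flag the double-extension name that comes up later in the thread (photo001-03-31-2008.jpg.exe). The signature table and the sample blobs are constructed for the example.

```python
"""Sniff a file's real type from its leading bytes and flag the double-extension
trick (photo001-03-31-2008.jpg.exe). Added example, not the forum's or FileAlyzer's code."""
import os

# Leading-byte signatures (table constructed for this example; values are the real magics).
MAGIC = [
    (b"MZ", "Windows PE executable"),
    (b"GIF87a", "GIF image"),
    (b"GIF89a", "GIF image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"PK\x03\x04", "ZIP archive"),
]
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}

def sniff_type(data):
    """Return the content type implied by the first bytes, ignoring the file name."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"

def extension_chain(filename):
    """All extensions in order: 'a.jpg.exe' -> ['.jpg', '.exe']."""
    parts = os.path.basename(filename).lower().split(".")
    return ["." + p for p in parts[1:]]

def assess(filename, data):
    """Combine the name check and the content check into one verdict."""
    exts = extension_chain(filename)
    kind = sniff_type(data)
    reasons = []
    if exts and exts[-1] in EXECUTABLE_EXTS and any(e in IMAGE_EXTS for e in exts[:-1]):
        reasons.append("image extension hides an executable extension")
    if exts and exts[-1] in IMAGE_EXTS and kind == "Windows PE executable":
        reasons.append("named as an image but the content is a PE executable")
    if exts and exts[-1] == ".zip" and kind != "ZIP archive":
        reasons.append("named .zip but the content is not a ZIP archive")
    return {"type": kind, "suspicious": bool(reasons), "reasons": reasons}

# Constructed sample inputs: a stub PE header and a stub JPEG/JFIF header.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for name, blob in [("photo001-03-31-2008.jpg.exe", FAKE_PE),
                       ("photo001-03-31-2008.jpg", FAKE_PE),
                       ("photo001-03-31-2008.jpg", FAKE_JPEG)]:
        print(name, assess(name, blob))
```

Explorer hides known extensions by default, which is why the same file can show as "photo001-03-31-2008.jpg" in one view and as an executable in another; checking the bytes sidesteps that.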

ptrowski (Premium, join:2005-03-14, Putnam, CT)
I used the two scanners listed in the FAQ here. At this point I ran it through the Tuneup Shredder so I don't have it to scan again.

Doctor Olds (Premium, VIP, join:2001-04-19)
said by ptrowski: "I used the two scanners listed in the FAQ here. At this point I ran it through the Tuneup Shredder so I don't have it to scan again."
OK, no problem. Get set up for the next time. FileAlyzer is written by the Spybot Search & Destroy guys. Good Stuff in other words. -- What's the point of owning a supercar if you can't scare yourself stupid from time to time?

ptrowski (Premium, join:2005-03-14, Putnam, CT)
Thanks Doc. I ran it through both of them, and it said that it seemed suspicious (noticed it was a zip file, and figured at that point I would just shred it).

EGeezer (Premium, join:2002-08-04, Central Ohio)
said by ptrowski: "Thanks Doc. I ran it through both of them, and it said that it seemed suspicious (noticed it was a zip file, and figured at that point I would just shred it)."
If the file name was photo001-03-31-2008.jpg.zip, then I have no doubt that it was malware. People don't usually zip up pictures to send them. If they did, I'd expect the filename to be photo001-03-31-2008.zip (without the jpg in it).
Also sorry for confusion, I erroneously assumed it was an email, and don't know how to capture the information from an IM. -- Mayors of New York come from nowhere and go nowhere. Wallace Sayre (apparently, so do governors... )

ptrowski (Premium, join:2005-03-14, Putnam, CT)
said by EGeezer: "said by ptrowski: 'Thanks Doc. I ran it through both of them, and it said that it seemed suspicious (noticed it was a zip file, and figured at that point I would just shred it).' If the file name was photo001-03-31-2008.jpg.zip, then I have no doubt that it was malware. People don't usually zip up pictures to send them. If they did, I'd expect the filename to be photo001-03-31-2008.zip (without the jpg in it). Also sorry for confusion, I erroneously assumed it was an email, and don't know how to capture the information from an IM."
It depends on how it was viewed. If it was a folder view, it was ZIP. If it was the file, it showed as an executable.

EGeezer (Premium, join:2002-08-04, Central Ohio)
So the filename was photo001-03-31-2008.jpg.exe? If so, malware for sure..

ptrowski (Premium, join:2005-03-14, Putnam, CT)
said by EGeezer: "So the filename was photo001-03-31-2008.jpg.exe? If so, malware for sure.."
Yep, that's what I thought. But it was interesting that none of the scanners seemed to hit it or log it in.