norwegian Premium Member join:2005-02-15 Outback 1 edit
DHL [noreply@dhl.com]
Mmm. DHL email:
Return-Path: <vitiatem408@dhl.co.in>
Received: from zim-mta06.web.westnet.com.au (LHLO zim-mta06.web.westnet.com.au) (192.168.39.36) by webmail05.westnet.com.au with LMTP; Wed, 22 Aug 2012 06:25:20 +0800 (WST)
Received: from inbound-mail03.westnet.com.au (inbound-mail03.westnet.com.au [203.10.1.238]) by zim-mta06.web.westnet.com.au (Postfix) with ESMTP id F05DE6042A for <(redacted)@westnet.com.au>; Wed, 22 Aug 2012 06:58:57 +0800 (WST)
X-Ironport-Incoming: 1
Received: from unknown (HELO [201.196.169.98]) ([201.196.169.98]) by inbound-mail03.westnet.com.au with ESMTP; 22 Aug 2012 06:25:59 +0800
X-Spam-Relays-Untrusted: [ip=199.40.206.33 rdns= helo=gateway2e.dhl.com by=cm-mr13 ident=envfrom=intl=0 id=23/77-03268-86BBBFE4 auth= msa=0 ] [ ip=199.40.20.207 rdns=helo=mykulws2393.kul-dc.dhl.com by=gateway2e.dhl.com ident= envfrom=intl=0id= auth= msa=0 ] [ ip=23.252.17.99 rdns=helo=MYKULWS2399.kul-dc.dhl.com by=MYKULWS2395.kul-dc.dhl.com ident=envfrom=intl=0 id=14.1.339.1 auth= msa=0 ]
Received: from mykulws2393.kul-dc.dhl.com ([199.40.20.207]) by gateway2e.dhl.com with ESMTP/TLS/AES128-SHA; Tue, 21 Aug 2012 16:25:26 -0600
Received: from MYKULWS2362.kul-dc.dhl.com (169.254.5.235) by MYKULWS2393.kul-dc.dhl.com (199.40.20.207) with Microsoft SMTP Server (TLS) id 14.1.339.6; Tue, 21 Aug 2012 16:25:26 -0600
From: "DHL" <noreply@dhl.com>
To:
Subject: Message has been disinfected : DHL Express Tracking Notification ID A126I7ZI3F1457
Date: Tue, 21 Aug 2012 16:25:26 -0600
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609
X-Priority: 3
Message-ID: <KWOG7BFBWHBE9795K00QUVXBFU6RJ50UJDM2SVQI5A3756B8R9SYF1V0MQ6PMY@kul-dc.dhl.com>
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0024_01CD8098.BCD82A80"
Also there was an attachment: DHL-Express-Delivery-Notification-Aug2012.exe
Detected: Backdoor.Win32.Androm.gh 22/08/2012 7:02:55 PM
If anyone wants the email?

The email probably originated at ip=201.196.169.98, which is assigned to an ISP in Costa Rica.
This appears to have been an attempt to infect the recipient with some sort of malware.
The headers that have "dhl.com" on them are probably forged, so as to throw you off-scent.
The mail server for westnet (which I believe to be your ISP) received the mail from 201.196.169.98. The header indicating this is presumably to be trusted (as your ISP server). Any header before that (lower in the message) cannot be trusted.
It is implausible that the real dhl.com would send mail to you via a Costa Rica system, which is why the headers that say so are probably forged.

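As an added example (not from the thread or any of its posters), this Python script does the hop-walk the reply above describes: it reads the Received chain top-down, believes each hop only while it was written by the recipient's own mail servers, and stops at the first hop that was handed in by an outside host. The sample headers are a trimmed copy of the first DHL message quoted in this thread; the trusted-domain list, the function names and the regular expressions are my assumptions, and the body is a placeholder.

```python
import email
import re

# Constructed sample: the Received chain of the first DHL message quoted in the
# thread, with header folding and a placeholder body. Top hop = recipient side.
SAMPLE_MESSAGE = """\
Received: from zim-mta06.web.westnet.com.au (LHLO zim-mta06.web.westnet.com.au)
 (192.168.39.36) by webmail05.westnet.com.au with LMTP; Wed, 22 Aug 2012 06:25:20 +0800 (WST)
Received: from inbound-mail03.westnet.com.au (inbound-mail03.westnet.com.au [203.10.1.238])
 by zim-mta06.web.westnet.com.au (Postfix) with ESMTP id F05DE6042A
 for <redacted@westnet.com.au>; Wed, 22 Aug 2012 06:58:57 +0800 (WST)
X-Ironport-Incoming: 1
Received: from unknown (HELO [201.196.169.98]) ([201.196.169.98])
 by inbound-mail03.westnet.com.au with ESMTP; 22 Aug 2012 06:25:59 +0800
Received: from mykulws2393.kul-dc.dhl.com ([199.40.20.207])
 by gateway2e.dhl.com with ESMTP/TLS/AES128-SHA; Tue, 21 Aug 2012 16:25:26 -0600
Received: from MYKULWS2362.kul-dc.dhl.com (169.254.5.235)
 by MYKULWS2393.kul-dc.dhl.com (199.40.20.207) with Microsoft SMTP Server (TLS)
 id 14.1.339.6; Tue, 21 Aug 2012 16:25:26 -0600
From: "DHL" <noreply@dhl.com>
Subject: DHL Express Tracking Notification

(body omitted)
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP_RE = re.compile(r"^from\s+(.*?)\s+by\s+(\S+)", re.I)
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def parse_hops(raw_message):
    """Return the Received hops in header order (first = the recipient's own server)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.match(flat)
        if not m:
            continue                             # e.g. "Received: (from user@localhost)"
        from_part, by_host = m.group(1), m.group(2)
        ips = IPV4_RE.findall(from_part)
        hops.append({
            "from": from_part,
            "by": by_host.lower(),
            # The bracketed address is what the 'by' server actually connected
            # with; HELO names in the same clause are chosen by the sender.
            "ip": ips[-1] if ips else None,
        })
    return hops


def _is_trusted(name, trusted_domains):
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in trusted_domains)


def likely_origin(raw_message, trusted_domains):
    """Walk the chain from the recipient's side downward.

    Each hop was written by its 'by' server. While that server belongs to a
    trusted domain the hop can be believed. The first believed hop whose
    sender is not one of those servers names the outside host that handed
    the message in; every hop below it was written by someone else and may
    be fabricated. Returns None if the chain never leaves trusted hands.
    """
    hops = parse_hops(raw_message)
    for i, hop in enumerate(hops):
        if not _is_trusted(hop["by"], trusted_domains):
            break                                # hop not written by our own servers
        sender_names = HOST_RE.findall(hop["from"])
        if any(_is_trusted(n, trusted_domains) for n in sender_names):
            continue                             # internal relay, keep walking
        return {
            "origin_ip": hop["ip"],
            "received_by": hop["by"],
            "untrusted_hops": [h["by"] for h in hops[i + 1:]],
        }
    return None


if __name__ == "__main__":
    result = likely_origin(SAMPLE_MESSAGE, ("westnet.com.au",))
    print("handed in by", result["origin_ip"], "to", result["received_by"])
    print("hops below that point, not to be trusted:", result["untrusted_hops"])
```

Run as-is it reports 201.196.169.98 handed to inbound-mail03.westnet.com.au, with the two dhl.com hops listed as untrusted. The sender-name check matches hostnames that a sender could also place in a HELO string, so for a production filter compare the bracketed IP against the list of your own relays instead of relying on names alone.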
norwegian Premium Member join:2005-02-15 Outback
I realize that, and DHL for me here is not normal either. However someone else might not, especially in a major city with imports/exports using DHL. This malware is only 1 to 3 months old I believe. In fact, while it was detected, none of the md5 or sha256 via google showed 1 page of info at all. There are a few samples of win32.androm about already though, so I thought it worth posting here. Just trying to do my bit.

quote:
DHL Express Tracking Prealert : Tue, 21 Aug 2012 16:25:26 -0600
________________________________________
Custom Reference: 427367-5WXXKUUJXEYR
Tracking Number: U61IK-1532776954
Pickup Date: Tue, 21 Aug 2012 16:25:26 -0600
Service: GROUND / AIR
Pieces: 2
________________________________________
Tue, 21 Aug 2012 16:25:26 -0600 - Processing complete successfully
PLEASE REFER TO ATTACHED FILE
________________________________________
Shipment status may also be obtained from our Internet site in USA under hxxp://track.dhl-usa.com or Globally under hxxp://www.dhl.com/track
Please do not reply to this email. This is an automated application used only for sending proactive notifications
Thanks in advance, DHL Express @ 2012

Me too. I was explaining for the benefit of those reading the thread, who don't all have your experience. Thanks.

to norwegian
I have got spam from all the carriers, DHL being the latest. I only get it in Yahoo Mail, and I don't know how to forward without opening the crap. It's in the spam folder and I JHD it.
I have 2 other mail services - they get spam, but not delivery stuff so far.
Is there a way to get at the headers or forward without having to open the email?

norwegian Premium Member join:2005-02-15 Outback 2012-Aug-23 10:06 am
This link provided by the forum shows how: » www.haltabuse.org/help/h ··· ex.shtml
But even in the spam folder you will have to open it. All restrictions are in place, and opening it should not produce any infection from the spam folder if all you do is look at the headers and copy/paste them to track the email.

garys_2k Premium Member join:2004-05-07 Farmington, MI
to carpetshark3
Right, any malware coming along into a web-based email service won't automatically download to your computer. You can open it safely and access the headers as long as you don't download any attachments.

Bamafan2277 Premium Member join:2008-09-20 Jeffersonville, IN
to norwegian
I've gotten this mail a few times. The big tip-off for me is that the file is a .exe.
If DHL was sending me a receipt etc. I would expect a .pdf or .jpg.

norwegian Premium Member join:2005-02-15 Outback
Yep, but still it's in a .zip, and that file would fool a lot of people, even though you can look into the .zip file and see an .exe without opening it. There was discussion recently about malware, .zip files etc., and if it could work zipped. Still, social engineering would see the untrained who deal with DHL open it to the .exe; after that, who knows.

norwegian 1 edit
Looks like another.
Subject: DHL Online Advisory AWB 6833398695
Return-Path: shrillyw@amazon.com
Received: from zim-mta03.web.westnet.com.au (LHLO
zim-mta03.web.westnet.com.au) (192.168.39.33) by webmail05.westnet.com.au
with LMTP; Mon, 27 Aug 2012 08:40:51 +0800 (WST)
Received: from inbound-mail04.westnet.com.au (unknown [203.10.1.239])
by zim-mta03.web.westnet.com.au (Postfix) with ESMTP id 285AA4D30C
for <norxxxx@westnet.com.au>; Mon, 27 Aug 2012 08:40:58 +0800 (WST)
X-Ironport-Incoming: 1
Received: from unknown (HELO [175.184.248.41]) ([175.184.248.41])
by inbound-mail04.westnet.com.au with ESMTP; 27 Aug 2012 08:41:51 +0800
Received: from [165.72.200.99] (helo=gateway1i.dhl.com)
by anchor-hub.mail.demon.net with esmtp id 1Sgyki-00052E-7Y; Mon, 27 Aug 2012 07:41:16 +0700
Received: from czhs0231.prg-dc.dhl.com ([165.72.7.72])
by gateway1i.dhl.com with ESMTP; Mon, 27 Aug 2012 07:41:16 +0700
Received: (from appsadm@localhost)
by czhs0231.prg-dc.dhl.com (8.9.3 (PHNE_35950)/8.9.3) id OAA17805; Mon, 27 Aug 2012 07:41:16 +0700
Date: Mon, 27 Aug 2012 07:41:16 +0700
Message-Id: <201207050332.UET99857@czhs0231.prg-dc.dhl.com>
From: webadm@dhl.com
To:
X-Priority: 3 (Normal)
Subject: DHL Online Advisory AWB 6833398695
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----------ihyqjsi"
DHL_Express-Online_Notification.exe Detected: Backdoor.Win32.Androm.go
------------------------------------------
DHL WORLDWIDE EXPRESS INBOUND SHIPMENT ADVISORY
The following 1 piece(s) have been sent via DHL Worldwide Express on Mon, 27 Aug 2012 07:41:16 +0700 via AWB# 6447152675
If you wish to track this(these) shipment(s) please contact your local DHL customer service office or visit the DHL Web Site at hxxp://www.dhl.com
If you have a Web-enabled mail reader, click the link below to view shipment tracking details:
hxxp://www.dhl.com/content/en/express/tracking.shtml?brand=DHL&AWB=4890248029
SHIPMENT CONTENTS: Documents
SHIPPER REFERENCE: PLEASE REFER TO ATTACHED FILE
ADDITIONAL MESSAGE FROM SHIPPER: PLEASE REFER TO ATTACHED FILE
Thank you for requesting DHL Worldwide Express for your delivery needs

norwegian
Thanks for that VirusTotal report.
Quite a few AV are not picking this one up.