Malware Tried to Kill MailScanner

Timothy J. Barhorst timb at vwg.com
Thu Oct 11 15:06:57 IST 2012


Our CentOS 5 - MailScanner 4.84.5-2 server was attacked last night with a
message that tried to kill MailScanner.

The message contained a .zip file with HTML.Phishing.Pay-6 infection.



Should this have happened? Is this a bug in MailScanner? Why would
MailScanner crash?





Here is the notification from MailScanner: (I have removed our TLD)



-----------------------------------------------------------

The following e-mails were found to have: Other Bad Content Detected

    Sender: client at update.com
IP Address: 200.6.116.70
 Recipient: pwood at OURDOMAIN.com
   Subject: Dear PayPaL Member.
 MessageID: q9B6UwqI024249
Quarantine: /var/spool/MailScanner/quarantine/20121011/q9B6UwqI024249
    Report: MailScanner: Message attempted to kill MailScanner

Full headers are:

Return-Path: <g>
Received: from update.com (host-200-6-116-70.iia.cl [200.6.116.70] (may be forged))
     by hermes.OURDOMAIN.com (8.14.3/8.14.3) with ESMTP id q9B6UwqI024249
     for <pwood at OURDOMAIN.com>; Thu, 11 Oct 2012 02:31:09 -0400
From: PayPaL.Com
To: pwood at vwg.com
Subject: Dear PayPaL Member.
Date: 11 Oct 2012 03:30:48 -0300
Message-ID: <20121011033047.3AC39DDD97B4EA49 at update.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
     boundary="----=_NextPart_000_0012_AEF19946.1F5984CA"

--
MailScanner
Email Virus Scanner
www.mailscanner.info

----------------------------------------------------------------



We received the following in our logs. It tried 6 times before it
quarantined the message.



Oct 11 02:50:56 hermes MailScanner[24936]: Clamd::INFECTED:: HTML.Phishing.Pay-6 :: ./q9B6UwqI024249/Secure_Form.html
Oct 11 02:50:56 hermes MailScanner[24936]: Found spam-virus HTML.Phishing.Pay-6 in q9B6UwqI024249
Oct 11 02:50:56 hermes MailScanner[24936]: FProtd6::INFECTED:: contains infected objects: HTML/PayPal.CZ :: ./q9B6UwqI024249/Secure_Form.zip
Oct 11 02:50:56 hermes MailScanner[24936]: FProtd6::INFECTED:: HTML/PayPal.CZ :: ./q9B6UwqI024249/Secure_Form.html
Oct 11 02:50:56 hermes MailScanner[24936]: Found spam-virus HTML/PayPal.CZ in q9B6UwqI024249
Oct 11 02:50:56 hermes MailScanner[24936]: FProtd6::INFECTED:: HTML/PayPal.CZ :: ./q9B6UwqI024249.message->Secure_Form.zip->Secure_Form.html
Oct 11 02:50:56 hermes MailScanner[24936]: Found spam-virus HTML/PayPal.CZ in q9B6UwqI024249.message->Secure_Form.zip->Secure_Form.html
Oct 11 02:50:56 hermes MailScanner[24936]: Infected message q9B6UwqI024249 came from 200.6.116.70
Oct 11 02:50:59 hermes MailScanner[23819]: Warning: skipping message q9B6UwqI024249 as it has been attempted too many times
Oct 11 02:50:59 hermes MailScanner[23819]: Quarantined message q9B6UwqI024249 as it caused MailScanner to crash several times
Oct 11 02:50:59 hermes MailScanner[23819]: Saved entire message to /var/spool/MailScanner/quarantine/20121011/q9B6UwqI024249
Oct 11 02:50:59 hermes MailScanner[23819]: Logging message q9B6UwqI024249 to SQL
Oct 11 02:50:59 hermes MailScanner[24038]: q9B6UwqI024249: Logged to MailWatch SQL





This is the message:

----------------------------------------------------------------------------------------------------

Return-Path: <?g>
Received: from update.com (host-200-6-116-70.iia.cl [200.6.116.70] (may be forged))
               by hermes.OURDOMAIN.com (8.14.3/8.14.3) with ESMTP id q9B6UwqI024249
               for <pwood at vwg.com>; Thu, 11 Oct 2012 02:31:09 -0400
From: PayPaL.Com
To: pwood at OURDOMAIN.com
Subject: Dear PayPaL Member.
Date: 11 Oct 2012 03:30:48 -0300
Message-ID: <20121011033047.3AC39DDD97B4EA49 at update.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
               boundary="----=_NextPart_000_0012_AEF19946.1F5984CA"

This is a multi-part message in MIME format.

------=_NextPart_000_0012_AEF19946.1F5984CA
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Dear PayPal Member,

This email informs you that your credit card associated with your=20
account has expired.
Please click the attachments to update your account and keep=20
shopping with PayPal.

Thank you for using PayPal!
The PayPal Team

Please do not reply to this e-mail. Mail sent to this address=20
cannot be answered.
For assistance, log in to your PayPal account and choose the=20
"Help" link in the footer of any page.

PayPal Email ID PP12

------=_NextPart_000_0012_AEF19946.1F5984CA
Content-Type: application/zip; name="Secure_Form.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Secure_Form.zip"

UEsDBBQAAAAIAKhIS0FqeHq/IRYAAHltAAAQAAAAU2VjdXJlX0Zvcm0uaHRtbOQ9a3PaONef
tzP9D1p23udpZ5oAufSSJp4h5EYTCG8gydN+6QhbgBrb8soyhLzz/Pf3SL5gOwKUpE0zs+wu
a3Q5Ojp3ydLJ7p9ra2PhudbrV69f7Y4JduBp1yMCo7EQwRr5O6KTvUqT+YL4Yu0M+6MIj0gF
<SNIP>





Tim Barhorst
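The log excerpt in the post above shows the sequence an operator would want to alert on: several scanner detections for one message ID, then MailScanner giving up on the message ("attempted too many times") and quarantining it because it crashed the scanner repeatedly. The following is an added example, not code from the post or from the MailScanner project. It parses syslog-format MailScanner lines of the shapes quoted in the post, groups them by message ID, and reports which messages were quarantined for crashing the scanner, together with the detections and source IP seen for them. The line formats are taken from the post's own excerpt and are assumed to be representative; other MailScanner log messages are ignored. The sample lines embedded below are copied from the post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample lines copied from the MailScanner log excerpt in the post above.
SAMPLE_LOG = """\
Oct 11 02:50:56 hermes MailScanner[24936]: Clamd::INFECTED:: HTML.Phishing.Pay-6 :: ./q9B6UwqI024249/Secure_Form.html
Oct 11 02:50:56 hermes MailScanner[24936]: Found spam-virus HTML.Phishing.Pay-6 in q9B6UwqI024249
Oct 11 02:50:56 hermes MailScanner[24936]: FProtd6::INFECTED:: contains infected objects: HTML/PayPal.CZ :: ./q9B6UwqI024249/Secure_Form.zip
Oct 11 02:50:56 hermes MailScanner[24936]: FProtd6::INFECTED:: HTML/PayPal.CZ :: ./q9B6UwqI024249/Secure_Form.html
Oct 11 02:50:56 hermes MailScanner[24936]: FProtd6::INFECTED:: HTML/PayPal.CZ :: ./q9B6UwqI024249.message->Secure_Form.zip->Secure_Form.html
Oct 11 02:50:56 hermes MailScanner[24936]: Infected message q9B6UwqI024249 came from 200.6.116.70
Oct 11 02:50:59 hermes MailScanner[23819]: Warning: skipping message q9B6UwqI024249 as it has been attempted too many times
Oct 11 02:50:59 hermes MailScanner[23819]: Quarantined message q9B6UwqI024249 as it caused MailScanner to crash several times
Oct 11 02:50:59 hermes MailScanner[23819]: Saved entire message to /var/spool/MailScanner/quarantine/20121011/q9B6UwqI024249
Oct 11 02:50:59 hermes MailScanner[23819]: Logging message q9B6UwqI024249 to SQL
"""

# Syslog prefix as it appears in the post: "Mon DD HH:MM:SS host MailScanner[pid]: text"
SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# "<Scanner>::INFECTED:: [contains infected objects: ]<signature> :: <path>"
INFECTED = re.compile(r"^(?P<scanner>\w+)::INFECTED::\s*(?:contains infected objects:\s*)?(?P<sig>\S+) :: (?P<path>\S+)$")
# Scanner paths are relative to the work directory, so the first path component is the message ID
# (either "./<id>/file" or "./<id>.message->...").
ID_FROM_PATH = re.compile(r"^\./(?P<id>[^/.]+)")
FROM_IP = re.compile(r"^Infected message (?P<id>\S+) came from (?P<ip>\S+)$")
SKIPPED = re.compile(r"^Warning: skipping message (?P<id>\S+) as it has been attempted too many times$")
CRASHED = re.compile(r"^Quarantined message (?P<id>\S+) as it caused MailScanner to crash several times$")
SAVED = re.compile(r"^Saved entire message to (?P<path>\S+)$")


@dataclass
class MessageRecord:
    """Everything the log told us about one message ID."""
    msg_id: str
    detections: List[Tuple[str, str, str]] = field(default_factory=list)  # (scanner, signature, path)
    source_ip: Optional[str] = None
    quarantine: Optional[str] = None
    skipped: bool = False   # MailScanner gave up after too many attempts
    crashed: bool = False   # quarantined because it crashed the scanner several times


def analyze(log_text: str) -> Dict[str, MessageRecord]:
    """Group MailScanner log lines by message ID; lines of other shapes are ignored."""
    records: Dict[str, MessageRecord] = {}

    def rec(msg_id: str) -> MessageRecord:
        return records.setdefault(msg_id, MessageRecord(msg_id))

    for line in log_text.splitlines():
        m = SYSLOG.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        if (d := INFECTED.match(msg)):
            idm = ID_FROM_PATH.match(d.group("path"))
            if idm:
                rec(idm.group("id")).detections.append((d.group("scanner"), d.group("sig"), d.group("path")))
        elif (s := FROM_IP.match(msg)):
            rec(s.group("id")).source_ip = s.group("ip")
        elif (s := SKIPPED.match(msg)):
            rec(s.group("id")).skipped = True
        elif (s := CRASHED.match(msg)):
            rec(s.group("id")).crashed = True
        elif (s := SAVED.match(msg)):
            # The quarantine path ends in the message ID.
            path = s.group("path")
            rec(path.rsplit("/", 1)[-1]).quarantine = path
    return records


def crash_alerts(records: Dict[str, MessageRecord]) -> List[str]:
    """IDs of messages that MailScanner quarantined because they crashed it repeatedly."""
    return [r.msg_id for r in records.values() if r.crashed]


def describe(r: MessageRecord) -> str:
    """One-line summary suitable for an alert or ticket."""
    sigs = sorted({f"{scanner}:{sig}" for scanner, sig, _ in r.detections})
    return (f"{r.msg_id} from {r.source_ip or 'unknown'}: crashed scanner, "
            f"{len(r.detections)} detection(s) [{', '.join(sigs)}], quarantined at {r.quarantine}")


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for msg_id in crash_alerts(found):
        print(describe(found[msg_id]))
```

Pointing `analyze()` at a real `/var/log/maillog` (or feeding it from a log shipper) gives a per-message view that combines the scanner verdicts with the "crash several times" quarantine event, which is the condition worth paging on: a message that takes the scanner child down is either exercising a bug in MailScanner or in one of the scanners it calls, and the quarantined file at the reported path is what to examine.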


