Email Virus

Hi All,

I need to tell you about an email I received in two different accounts from two “different” senders. The first came from customercare@bestbuy.com and the second came from customercare@amazon.com. The subject line is:

Confirmation for Order Z3566043

The body of the email starts off:

Dear Customer,

Thank you for shopping at our shop !
This e-mail is to inform you that your order has been shipped out.
The following information is for your reference (see details in the attachment):

  • Order No.: Z3566043
  • Order Date: 08/13/2006

SUBTOTAL : $1,769.99
SALESTAX : $0.00
SHIPPING : $16.81
TOTAL : $1,786.80

  • Ship Via: FDX Overnight Delivery

[Ship Date :] 08/14/2006 [Tracking No:] 708745655472
Please note that if your order includes more than one package, the
packages may not be delivered at the same time due to the shipping carrier’s
schedule and the delivery method, and this is out of our control.
In addition, backordered items will be shipped separately.
You may check the status of your package’s progress at our website.
Simply click on “Customer Service”, then log into the “Member Center”.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Attached to this email is a file called:

Z3566043.zip

Both emails had identical subject lines and email body.

I looked at this file through WinZip and saw that it was called Z3566043.exe. I knew better but was panicked that someone had stolen one of my credit cards and bought almost $2000 worth of stuff from Best Buy. As expected, clicking on the .exe opened and then quickly closed a window. Now, Outlook Express will not open (I get a blank Program Error Dialog Box when opening Outlook Express) and certain websites will not load (like this forum…I’m using another computer to write this).

A thorough Avast scan detected the following items:

Win32:Agent-AJN [Trj] installed in C:\WINNT\System32

and

Win32:Haxdoor-EM [Trj] installed in C:\Documents and Settings\All Users\Documents\Dr Watson

I’m running Windows 2000 Professional and, generally, have a clean system. Moving those two items to chest did not resolve my difficulties. I still have the .zip file if that would help you find the fix. Obviously, there are more components to this virus.

I should have known better than to try and open it. I understand somebody has to get these things before you can develop a fix. Malicious or fatal, I’ll have to deal with the consequences. Any help is needed and welcomed.

Update:

I tried to install Ewido but the installation was blocked and the empty Program Error dialog box reappeared. So, I went a-hunting. I deleted all the Temp files, removed some entries with HiJack This and it seems the problems have disappeared. I was able to install Ewido, which found two problem files, APInstall_Tiny.dll and Z3566043[2].zip.

I’m still not confident that this combined threat has been removed. I sure would like to hand this .zip file to a professional to examine.
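The lure described above (a shipping-confirmation email whose .zip carries an .exe named after the order number) is easy to flag at a mail gateway before anyone double-clicks it. The following is an added example, not code from the original post or from any vendor mentioned in it; the message it builds is a constructed sample and the "payload" is harmless filler bytes, not the real attachment.

```python
import email
import email.policy
import io
import os
import zipfile
from email.message import EmailMessage

# Extensions that have no business inside a shipping-confirmation archive.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

def build_sample_message(inner_name="Z3566043.exe", payload=b"MZ" + b"\x00" * 62) -> bytes:
    """Constructed sample shaped like the post's email; the payload is filler, not the real file."""
    msg = EmailMessage()
    msg["From"] = "customercare@bestbuy.com"   # spoofed sender, as in the post
    msg["Subject"] = "Confirmation for Order Z3566043"
    msg.set_content("Dear Customer,\nThank you for shopping at our shop !\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, payload)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Z3566043.zip")
    return bytes(msg)

def inspect_zip(zip_name: str, data: bytes) -> list:
    """Return findings for executables hidden inside a zip attachment."""
    findings = []
    zip_stem = os.path.splitext(zip_name)[0].lower()
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                stem, ext = os.path.splitext(info.filename)
                magic = zf.open(info).read(2)
                # Flag on the extension or on the DOS/PE 'MZ' header, so renaming does not help.
                if ext.lower() in EXEC_EXTS or magic == b"MZ":
                    findings.append(f"{zip_name} contains executable {info.filename}")
                # The post's lure named the archive after the executable it carried.
                if stem.lower() == zip_stem and ext.lower() != ".zip":
                    findings.append(f"{zip_name} reuses its own name for {info.filename}")
    except zipfile.BadZipFile:
        findings.append(f"{zip_name} is not a valid zip archive")
    return findings

def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and inspect every .zip attachment it carries."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            findings.extend(inspect_zip(name, part.get_payload(decode=True)))
    return findings
```

Checking the first two bytes as well as the extension matters because a renamed executable still starts with `MZ`; a corrupt or non-zip attachment is reported rather than silently skipped.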

Hi GS:

Even though you removed some entries by using HJT, I would encourage you to ask the Experts on the forums of your antiSPYWARE Provider for further help; if you know of none, I recommend the Ad-Aware oriented forums at www.landzdown.com .

Have you used a rootkit detection program like RootkitRevealer ?

Having been a Norton user for nearly fifteen years, I switched to Avast about two years ago. I also use Ad-Aware and Spybot on a regular basis (bi-weekly). This three-fold method has kept me relatively clean. HJT is not protection by any means.

After opening the attachment, Ad-Aware did not detect anything…ditto with Spybot. Avast found the two items mentioned above. Since Ewido (which I learned of on these forums) was blocked from installing, I’m assuming other programs would also be blocked. So far, nobody I email with has made mention of any strange emails from me.

Knowing that this malware was contained in the zip file, I thought the folks at Avast would have an interest in examining the file to find a fix. I’ll take a peek at the other forums. No, I have not used a rootkit detection tool.

What are you referring to? ???

http://www.ewido.net/en/

GSBunny, you’ve said ‘blocked for installation’… why? Ewido is compatible with avast… http://www.ewido.net/en/compatibility/
I’m not following you…

Oh, it was not a compatibility issue. Whatever malicious code is in that zip file blocks the installation of the program. Upon downloading the install file (actually, I had it lying around on an external hard drive with other tools I have used) and double clicking to install, I got as far as accepting the EULA (End User Licensing Agreement) and when I clicked next, the installation halts and a Program Error box opens. It has a button to click but this dialog box is devoid of any text and the button has no text. The title bar of the box only says “Program Error”. The installation is halted and closed by this error.

It wasn’t a bad download. Upon removing the files mentioned in my earlier posts, the same download installed just fine.

Hi GS:

What VERSION of Ewido ? The latest 4.0 ? Or an earlier version, like 3.5, etc ?

I had both 3.5 and 4.0.