'Mail server report' subject of e-mail with .exe attachment.

I received an e-mail, coming from “secur @ areainc.com”. The e-mail contained the following text:


Mail server report.

Our firewall determined the e-mails containing worm copies are being sent from your computer.

Nowadays it happens from many computers, because this is a new virus type (Network Worms).

Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail
addresses

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service


There was also a .zip attachment (Update-KB3937-x86.zip), containing an .exe file with the same name.

Avast did not report any danger when I scanned the file. But I went to check whether there was any information about this e-mail on the net and came upon quite a few reports in different forums. The earliest reports I saw were around the beginning of this September - so, it could be a new threat. Looks like it’s a worm which, if you install the .exe file, causes your system to become unstable and asks for system restore, etc.

I did not find a way on the Avast website to report this, as there is only an option to report an infection if it has already happened to your computer. But no option to report a virus which Avast failed to recognize as such, but which you have not let infect your machine.

So, if you see the above described e-mail in your inbox, do not open the .exe file.

Does anybody know how we can let the Avast team know about this issue, if they still don’t, so that they can create protection against it and post an update? I will keep the file and I could send it, if needed for analysis.

Cheers.

Hej desislava,

Remove the clickable link in your posting or put in some XX. At the moment it cannot be reached, but we do not like people to be invited to click a possibly dangerous link.

polonus

There was also a .zip attachment (Update-KB3937-x86.zip), containing an .exe file with the same name.

Whatever you do, don’t open that attachment; this sounds and looks like a social engineering attempt to infect your system, and far from getting an update you will get an infection.

If you still have the email, don’t open the attachment but save it to your HDD, it should be OK provided you don’t execute it. Once in your HDD you could see if any other scanners detect it. Once you have done that delete the email and then clean your deleted emails folder.

You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner, or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can’t do this with the file in the chest; you will need to move it out.

If any AVs (more than one) detect this as malware, then add it to the avast chest (User Files section); this will keep it out of harm’s way. Now right click on the file, select email to Alwil Software and follow the prompts. Give a brief outline of the problem (possibly a link to this thread) and the fact that you believe it to be a new, undetected virus. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

This is the result from scanning the file with VirusTotal:

AntiVir 7.2.0.18/20060925 found [Worm/Stration.C]
Authentium 4.93.8/20060925 found [W32/Warezov.gen!W32DL]
Avast 4.7.844.0/20060925 found nothing
AVG 386/20060925 found [I-Worm/Stration]
BitDefender 7.2/20060926 found [DeepScan:Generic.Stration.90CF9311]
CAT-QuickHeal 8.00/20060925 found [(Suspicious) - DNAScan]
ClamAV devel-20060426/20060925 found nothing
DrWeb 4.33/20060926 found [Win32.HLLM.Limar.based]
eTrust-InoculateIT 23.73.4/20060924 found [Win32/Stration.Variant!Worm]
eTrust-Vet 30.3.3100/20060925 found [Win32/Stration.BK]
Ewido 4.0/20060925 found nothing
F-Prot 3.16f/20060925 found [W32/Warezov.gen!W32DL]
F-Prot4 4.2.1.29/20060925 found [W32/Warezov.gen!W32DL]
Fortinet 2.82.0.0/20060925 found [W32/Stration.AT@mm]
Ikarus 0.2.65.0/20060925 found nothing
Kaspersky 4.0.2.24/20060926 found [Email-Worm.Win32.Warezov.at]
McAfee 4859/20060925 found [New Malware.n]
Microsoft 1.1560/20060925 found nothing
NOD32v2 1.1774/20060925 found [a variant of Win32/Stration]
Norman 5.80.02/20060925 found nothing
Panda 9.0.0.4/20060925 found [Suspicious file]
Sophos 4.10.0/20060925 found [W32/Stratio-AN]
Symantec 8.0/20060926 found nothing
TheHacker 6.0.1.079/20060925 found nothing
UNA 1.83/20060925 found nothing
VBA32 3.11.1/20060925 found nothing
VirusBuster 4.3.7:9/20060925 found [Trojan.Opnis.Gen!Pac2]

So, to me it looks like it is definitely a worm.

People from other forums report they have received exactly the same e-mail, but coming from different e-mail addresses, often with their domain names after the @.
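
The "more than one scanner" check suggested earlier in the thread, applied to results in the format pasted above, as an added example that is not part of any post in this thread: it parses the result lines, lists the engines that missed the sample, and counts how many labels name the same family. The sample is a subset of the lines above; treating Stration, Stratio and Warezov as one family is an assumption of the example.

```python
import re

# Subset of the multi-engine results pasted in the thread (same line format).
SAMPLE = """\
AntiVir 7.2.0.18/20060925 found [Worm/Stration.C]
Authentium 4.93.8/20060925 found [W32/Warezov.gen!W32DL]
Avast 4.7.844.0/20060925 found nothing
CAT-QuickHeal 8.00/20060925 found [(Suspicious) - DNAScan]
ClamAV devel-20060426/20060925 found nothing
Kaspersky 4.0.2.24/20060926 found [Email-Worm.Win32.Warezov.at]
McAfee 4859/20060925 found [New Malware.n]
Panda 9.0.0.4/20060925 found [Suspicious file]
Sophos 4.10.0/20060925 found [W32/Stratio-AN]
VirusBuster 4.3.7:9/20060925 found [Trojan.Opnis.Gen!Pac2]
"""

# "<engine> <version>/<signature date> found nothing|[label]"
LINE = re.compile(r"^(?P<engine>\S+)\s+(?P<ver>\S+)/(?P<sigdate>\d{8})"
                  r"\s+found\s+(?P<verdict>nothing|\[.*\])$")
# Assumption of this example: these vendor names refer to one family.
FAMILY = re.compile(r"strati|warezov", re.IGNORECASE)

def parse_results(text):
    """Return (engine, signature_date, label or None) per well-formed line."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a result line, ignore it
        verdict = m.group("verdict")
        label = None if verdict == "nothing" else verdict[1:-1]
        rows.append((m.group("engine"), m.group("sigdate"), label))
    return rows

def summarize(rows, min_engines=2):
    """Tally detections; 'corroborated' means more than one engine flagged it."""
    hits = [(engine, label) for engine, _, label in rows if label is not None]
    family = sorted(engine for engine, label in hits if FAMILY.search(label))
    return {
        "scanned": len(rows),
        "detected": len(hits),
        "missed_by": sorted(e for e, _, label in rows if label is None),
        "family_named_by": family,
        "other_labels": len(hits) - len(family),  # heuristic or differently named
        "corroborated": len(hits) >= min_engines,
    }
```

Several engines naming the same family is a stronger signal than the raw count, since labels such as "Suspicious file" only say that a heuristic fired.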

Certainly looks that way if you can send the sample to avast.

If you are not getting a virus warning that you believe is an undetected virus, then if you can zip and password protect (‘virus’, will do) the suspect file and send it to virus @ avast.com (no spaces), or send from the chest (after adding it to the User Files section of the chest).

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be an undetected virus and include the password in the body of the email…

I just did that (sent from Chest), hope it gets there.

Thanks for the advice!

Cheers!

Hi desislava,

Seems the same worm as was described in here:
http://forum.avast.com/index.php?topic=23769.0

pozdravi,

polonus

It should get there OK, as an encrypted attachment is unlikely to be intercepted by an email server’s anti-virus check en route.

Glad I could help, welcome to the forums.