MMS photo in a zip from Vodafone - or is it a trojan?


Comments

  • -TangleFoot-
    -TangleFoot- Posts: 4,673 Forumite
    First Anniversary Combo Breaker
    Registered in HK...

    What's registered? There's no domain name and the only thing I can gather from the lookup is that the server on the other end is the responsibility of Wharf T&T Limited.
  • What's registered? There's no domain name and the only thing I can gather from the lookup is that the server on the other end is the responsibility of Wharf T&T Limited.
    In the header it says received from 101.78.164.189
    🍺 😎 Still grumpy, and No, Cloudflare I am NOT a robot 🤖BUT my responses are now out of my control they are posted via ChatGPT or the latest AI
  • Nothing obvious - just the .exe hiding inside a .zip file named 8744Y4G_MMS.
    Well, although .exe instantly rings alarm bells and was the reason I wasn't going to click any further without good reason, it isn't that obvious a pointer to a trojan surely, since if I wanted to send you a self-extracting zip for legitimate purposes then I'd almost certainly wrap it in a standard zip so that your email filter didn't stop it just because it was an .exe!

    No, I wondered if anything in the routing information screamed "spoof"?

    Also, is the use of the vodafone.com domain (appears several times in the headers) legitimate or spoofed? Did they use Vodafone's system to connect?
  • -TangleFoot-
    -TangleFoot- Posts: 4,673 Forumite
    First Anniversary Combo Breaker
    edited 17 January 2013 at 9:50PM
    Did you click on the .exe in my post to see where it went?
    In the header it says received from 101.78.164.189

    It says the same thing for these too:
    Received: from [212.159.9.108] (helo=avasin18.plus.net)
    Received: from VFUS-MBX03.vf-us.internal.vodafone.com ([::1]) by VFUS-CAS01.vf-us.internal.vodafone.com ([10.181.10.42]) with mapi; Thu, 17 Jan 2013 10:47:24 +0800
    
    Hmm... [::1] is IPv6 talk for localhost. Could that be relevant?
  • Did you click on the .exe in my post to see where it went?
    Yes, I appreciate you tracked down this particular one by name of file and apparent email sender to the recent virustotal reports, but just wondered about the chances of a normal punter achieving some kind of raw detection from any bits of the header that just don't add up.

    Else are we really just reliant on being ultra careful/other people having found it first so we can Google it when we are alert enough to stop ourselves blundering into a click too far? :(

    I'm not really clued up enough to understand your pointers to possible localhost shenanigans so I'll let you and debitcardmayhem mull that over between you :p

    Thanks for engaging.
  • artbaron
    artbaron Posts: 7,285 Forumite
    I had one yesterday and Kaspersky identified it as a virus and disinfected it, and I set the incoming address to Junk.
  • easy
    easy Posts: 2,516 Forumite
    Name Dropper First Post First Anniversary Combo Breaker
    Yes, I appreciate you tracked down this particular one by name of file and apparent email sender to the recent virustotal reports, but just wondered about the chances of a normal punter achieving some kind of raw detection from any bits of the header that just don't add up.

    Else are we really just reliant on being ultra careful/other people having found it first so we can Google it when we are alert enough to stop ourselves blundering into a click too far? :(

    I'm not really clued up enough to understand your pointers to possible localhost shenanigans so I'll let you and debitcardmayhem mull that over between you :p

    Thanks for engaging.

    As I said earlier, the best way to manage this is NOT to open any attachments that you are not expecting to receive. If you receive an email from someone you know, with an attachment that you didn't expect, check with them before you open it.
    If you receive one from an unknown source, then treat it with great suspicion. I had another this morning, inviting me to download a PDF. Obviously, as I don't know the sender, I've deleted the email without opening it (using a preview pane in my email client).

    Even professionals get caught out sometimes, which is why they use good anti-virus software, AND keep regular, reliable backups so that if the worst does happen they can restore a clean system.
    I try not to get too stressed out on the forum. I won't argue, I'll just leave a thread if you don't like what I say. :)
  • -TangleFoot-
    -TangleFoot- Posts: 4,673 Forumite
    First Anniversary Combo Breaker
    Thanks for engaging.

    Rule of thumb: reputable sources don't send executable attachments. Especially obfuscated ones.

    Also, after checking some of my own emails I'd guess that the [::1] in yours is the forgery - a simple ping reveals the true address of VFUS-MBX03 as [92.242.132.15].

    Ergo, it came from somewhere else.
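The two header checks discussed in this thread (walking the Received chain to find where a message really entered the mail system, and comparing a relay's announced name against the address you resolve for it yourself) can be scripted. The following is an added example written for this page, not code from any poster or from Vodafone. It parses a constructed message whose three Received lines are modelled on the ones quoted above; the "by" clause on the first hop, the timestamps on the third hop and the From/Subject lines are made up, and the EXPECTED_HOST_ADDRESSES table is an offline stand-in for the ping lookup mentioned above, holding the address given there for VFUS-MBX03. The script flags any hop whose sender literal is not publicly routable (loopback, RFC 1918, and so on) for a human to look at, since such a literal is normal on an internal relay hop but should never be the only trace of where an outside message came from, and it reports the earliest hop that carries a public address as the furthest point the headers let you trace back.

```python
import ipaddress
import re
from dataclasses import dataclass
from email import message_from_string
from typing import Dict, List, Optional, Tuple

# Constructed sample message (not a real capture). The three Received lines are
# modelled on the ones quoted in the thread; the first hop's "by" clause, the
# third hop's timestamp and the From/Subject headers are made up.
SAMPLE_RAW = (
    "Received: from [212.159.9.108] (helo=avasin18.plus.net)\n"
    "\tby mailstore.example.invalid with esmtp; Thu, 17 Jan 2013 02:48:01 +0000\n"
    "Received: from VFUS-MBX03.vf-us.internal.vodafone.com ([::1]) by "
    "VFUS-CAS01.vf-us.internal.vodafone.com ([10.181.10.42]) with mapi; "
    "Thu, 17 Jan 2013 10:47:24 +0800\n"
    "Received: from [101.78.164.189] (unknown) by "
    "VFUS-MBX03.vf-us.internal.vodafone.com; Thu, 17 Jan 2013 10:47:20 +0800\n"
    "From: \"Vodafone MMS\" <mms@vodafone.com>\n"
    "Subject: MMS photo\n"
    "\n"
    "(attachment omitted)\n"
)

# Assumed offline stand-in for the ping/DNS lookup described in the thread:
# the address a poster reported for VFUS-MBX03. Replace with your own lookups.
EXPECTED_HOST_ADDRESSES: Dict[str, str] = {
    "VFUS-MBX03.vf-us.internal.vodafone.com": "92.242.132.15",
}

HOP_RE = re.compile(
    r"from\s+(?P<frm>.*?)\s+by\s+(?P<by>.*?)(?:\s+with\s+(?P<with>\S+))?\s*;", re.S
)
IP_LITERAL_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")
HELO_RE = re.compile(r"helo=([^\s)]+)")


@dataclass
class Hop:
    hostname: Optional[str]   # name the sending side announced, if any
    helo: Optional[str]       # HELO/EHLO name, when the receiving MTA recorded one
    from_ip: Optional[str]    # address literal recorded for the sender
    from_class: str           # public / private / loopback / non-routable / unknown
    by_host: str              # receiving server text
    protocol: Optional[str]   # the "with" clause, e.g. esmtp or mapi


def classify(ip_text: Optional[str]) -> str:
    """Classify an address literal; anything not globally routable deserves a look."""
    if ip_text is None:
        return "unknown"
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unknown"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    if ip.is_unspecified or ip.is_link_local or ip.is_multicast or ip.is_reserved:
        return "non-routable"
    return "public"


def parse_hop(value: str) -> Optional[Hop]:
    """Turn one Received header value into a Hop, tolerating folded lines."""
    m = HOP_RE.search(value)
    if not m:
        return None
    frm = " ".join(m.group("frm").split())   # collapse continuation whitespace
    by = " ".join(m.group("by").split())
    lit = IP_LITERAL_RE.search(frm)
    helo = HELO_RE.search(frm)
    first = frm.split()[0]
    hostname = None if first.startswith("[") else first
    ip = lit.group(1) if lit else None
    return Hop(hostname, helo.group(1) if helo else None, ip, classify(ip), by, m.group("with"))


def analyse(raw: str) -> dict:
    """Parse the Received chain (topmost header = most recent hop)."""
    msg = message_from_string(raw)
    hops = [h for h in (parse_hop(v) for v in msg.get_all("Received", [])) if h]
    # Hops whose sender literal is not publicly routable: an internal relay,
    # or a literal written by something other than a real receiving MTA.
    flagged = [h for h in hops if h.from_class != "public"]
    # Earliest hop (bottom of the chain) with a public sender address: the
    # furthest back the headers let you trace the message.
    origin = next((h.from_ip for h in reversed(hops) if h.from_class == "public"), None)
    return {"hops": hops, "flagged": flagged, "origin": origin}


def hostname_mismatches(hops: List[Hop], expected: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Report hops whose announced hostname carries a literal other than the one you resolved."""
    out = []
    for h in hops:
        if h.hostname in expected and h.from_ip != expected[h.hostname]:
            out.append((h.hostname, h.from_ip or "?", expected[h.hostname]))
    return out


if __name__ == "__main__":
    result = analyse(SAMPLE_RAW)
    for i, h in enumerate(result["hops"]):
        print(f"hop {i}: from={h.hostname or h.from_ip} [{h.from_ip}] ({h.from_class}) "
              f"by={h.by_host} with={h.protocol}")
    print("earliest public sender:", result["origin"])
    for name, got, exp in hostname_mismatches(result["hops"], EXPECTED_HOST_ADDRESSES):
        print(f"{name} presented {got}, expected {exp}")
```

Run it on a real message by reading the raw source (including all headers) into a string in place of SAMPLE_RAW. Only the topmost Received line was written by a server you control; everything below it is supplied by the sender's side and can be fabricated, which is why the script treats the chain as something to read with suspicion rather than as proof of origin.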
  • spud17
    spud17 Posts: 4,394 Forumite
    Name Dropper Combo Breaker First Post First Anniversary
    For the brave/foolhardy, :) you can put the header into

    http://www.iptrackeronline.com/email-header-analysis.php

    This will give you some of the info contained in the header.

    Take care and use at your own risk. :D
    Move along, nothing to see.
  • Hi ... just an update in case any of you were wondering why my antivirus didn't pick up the trojan in the first place ... I was on webmail last week away from my usual PC. As soon as I downloaded my mails to my usual PC today, Kaspersky leapt on to that email, and on two or three more emails also received late last week containing the exact same trojan dropper - I'd not seen the other two or three as they'd gone straight into spam - they were in different wrappers that didn't get through my email provider's filters.