MoneySavingExpert.com Forums > Household & Travel > Techie Stuff
MMS photo in a zip from Vodafone - or is it a trojan?
# 1
2sides2everystory
17-01-2013, 12:28 PM

We have to be so careful these days with what arrives in the inbox, even when we know we have a pretty good antivirus (I use Kaspersky). I have already avoided the final step in opening this mail attachment (I was gambling by opening the zip, but I did fear to open the EXE of the same name inside).

Can any of you techies tell from the email headers below whether this really was from Vodafone?

Return-path: <foodse@vodafone.com>
Envelope-to: {my email address}
Delivery-date: Thu, 17 Jan 2013 02:47:27 +0000
Received: from [212.159.9.108] (helo=avasin18.plus.net)
by inmx16.plus.net with esmtp (PlusNet MXCore v2.00) id 1TvfVn-0000eX-9l
for {my email address}; Thu, 17 Jan 2013 02:47:27 +0000
Received: from [101.78.164.189] ([101.78.164.189])
by avasin18.plus.net with Plusnet Cloudmark Gateway
id oqnM1k00H45Vuwd01qnQv2; Thu, 17 Jan 2013 02:47:27 +0000
X-IPAS: Level1
X-CM-Score: 100.00
X-CNFS-Analysis: v=2.0 cv=QfC4SLnv c=1 sm=1 p=xq6_pkGAOlbCYWpp:21
p=QOr0OkOuIMb1-ZXN:21 p=ZV_qDKm3Awa1T0n3:21 p=mNgdpxbmAeamLjvkckwA:9
p=ZWCv5kBEPJ9kZKX4gzgA:14 a=l1Zg887NEoglIa0EtzNIIA==:17 a=mD8GtjjJo7UA:10
a=4qsattqYYrUA:10 a=xqWC_Br6kY4A:10 a=Ebs0h9rcAAAA:8 a=BPojhmU9NfcA:10
a=Ox1ZiSh4rIFn8Da0_r8A:9 a=CjuIK1q_8ugA:10 a=Mb_K_RCCF9ZOil8kfa4A:9
a=_W_S_7VecoQA:10 a=IKIoO-ieCDEA:10 a=l1Zg887NEoglIa0EtzNIIA==:117
Received: from VFUS-MBX03.vf-us.internal.vodafone.com ([::1]) by
VFUS-CAS01.vf-us.internal.vodafone.com ([10.181.10.42]) with mapi; Thu, 17 Jan 2013 10:47:24 +0800
From: <mms@getmyphoto.vodafone.com>
To: <{my email address}>
Date: Thu, 17 Jan 2013 10:47:24 +0800
Message-ID: <1D1ZVJ0GID3O0SW0ILYMC98H5M9915QY@legspas6.prd.it1 .sp.vodafone.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=a__tumfs_37_76_54"
X-pn-pstn: Spam 1
X-PN-Virus-Filtered: by PlusNet MXCore (v5.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v5.00)
Subject: A new picture or video message [Vodafone MMS]
8744Y4G_MMS.ZIP (application/zip), 40 K
# 2
agrinnall
17-01-2013, 12:35 PM

I'd just delete it, I can't imagine any reason why Vodafone would send a zip file, and even if it is from them do you really care if you never see it?
# 3
spacey2012
17-01-2013, 12:37 PM

Why take the chance?
# 4
bengalknights
17-01-2013, 12:39 PM

It's come from a spoof email and is definitely dodgy; just delete and forget.
# 5
bod1467
17-01-2013, 12:40 PM

If the contents of the ZIP is an EXE then it's bad. If it really was an MMS then it would be a MOV or 3GP file most likely.
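A defender-side check for the point bod1467 makes: look at what is inside the archive before anything in it gets opened. This is an added example, not code from the thread or from any of the posters. It builds a constructed stand-in zip in memory (no real attachment is involved; the member named 8744Y4G_MMS.exe only carries the two-byte "MZ" signature that every Windows executable starts with), and the extension lists are illustrative assumptions, not an exhaustive policy.

```python
import io
import zipfile

# File types Windows will execute directly when double-clicked
# (assumed, illustrative list; not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# What a genuine picture/video message attachment would plausibly be.
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".3gp", ".mp4", ".mov"}


def build_sample_zip(members: dict) -> bytes:
    """Constructed stand-in for the attachment: an in-memory zip holding the
    given member names and bytes. Nothing here is real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: the case from the thread next to what an MMS would look like.
SAMPLE_ZIP = build_sample_zip({
    "8744Y4G_MMS.exe": b"MZ" + bytes(64),   # executable, named like the zip itself
    "holiday.3gp": bytes(32),               # a plausible video message
})


def inspect_zip(data: bytes) -> dict:
    """Read the archive directory and each member's first two bytes without
    extracting to disk or running anything, and record why each member is
    suspicious (if it is)."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable")
            # photo.jpg.exe style: a media extension buried before the real one
            if len(parts) > 2 and "." + parts[-2] in MEDIA_EXTS:
                reasons.append("double-extension")
            # A renamed executable still begins with "MZ" whatever it is called.
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    reasons.append("pe-header")
            members.append((info.filename, reasons))
    return {"members": members, "suspicious": any(r for _, r in members)}


if __name__ == "__main__":
    report = inspect_zip(SAMPLE_ZIP)
    for name, reasons in report["members"]:
        print(f"{name}: {', '.join(reasons) or 'nothing flagged'}")
    print("suspicious:", report["suspicious"])
```

The magic-byte check is the one that survives renaming: an attachment called `photo.jpg` that starts with `MZ` is still a program, and listing the directory alone would miss it.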
# 6
dogmaryxx
17-01-2013, 12:52 PM

http://www.millersmiles.co.uk/email/...e-mms-vodafone
# 7
waddler_8
17-01-2013, 1:09 PM

Definitely malware.

http://blog.webroot.com/2013/01/17/c...serve-malware/

http://nakedsecurity.sophos.com/2012...e-mms-malware/
# 8
easy
17-01-2013, 1:14 PM

I received about 5 of these yesterday, and a couple this morning. Just deleted them; why would anyone I don't know be sending me MMSs? Even if they weren't nasty viruses, they might be nasty pictures.

Basically, I never open any mail that has an attachment that I'm not expecting to receive. Even if I receive one from a known contact, I check with them if I wasn't expecting an attachment, in case a virus has got into their contacts list.
# 9
2sides2everystory
17-01-2013, 2:00 PM

Thanks to those who definitely identified it as malware.

My reason for posting was because it is a particularly difficult one for a non-techie to unravel by means of the header info and although I suspected it, I wasn't sure despite being pretty savvy, so I thought others might benefit from seeing it.

Can the techies amongst us tell us which parts of the header give away the fact that it is spoofed?

To the uninitiated, this one masquerades quite effectively as an MMS either received by or sent by Vodafone. Do we know the current mobile numbers of everyone we know? It just so happens I have some friends away skiing at the moment and I would not have been surprised to receive an MMS from an unrecognised UK mobile as some are avoiding the cost of using their own handsets for data whilst up the mountain away from Wifi. It therefore wouldn't surprise me if a handset was borrowed for the purpose of some humorous group photo or whatever.

Of course, thinking that one obvious with hindsight stage further about it, unless I too was with Vodafone, why would Vodafone be emailing me about it rather than texting me the link if the photo couldn't be delivered direct to my handset?

Yes it is very easy to ignore everything we are not expecting but wouldn't life be boring!

What is totally unacceptable is that we are bombarded by so many of these trojan attempts to break into our computers, isn't it? You would think that major Antivirus and Email server protections would be a little more robust by now. If techies in this forum can spot a spoof header a mile off, then why did it ever reach me?
# 10
-TangleFoot-
17-01-2013, 7:17 PM

Quote (originally posted by 2sides2everystory):
Can the techies amongst us tell us which parts of the header give away the fact that it is spoofed?
Nothing obvious - just the .exe hiding inside a .zip file named 8744Y4G_MMS.
# 11
debitcardmayhem
17-01-2013, 7:37 PM

Received: from [101.78.164.189] ([101.78.164.189])

Registered in HK; of course it could be part of a botnet.
# 12
-TangleFoot-
17-01-2013, 7:53 PM

Quote (originally posted by debitcardmayhem):
Registered in HK...
What's registered? There's no domain name and the only thing I can gather from the lookup is that the server on the other end is the responsibility of Wharf T&T Limited.
# 13
debitcardmayhem
17-01-2013, 7:59 PM

Quote (originally posted by -TangleFoot-):
What's registered? There's no domain name and the only thing I can gather from the lookup is that the server on the other end is the responsibility of Wharf T&T Limited.
In the header it says received from 101.78.164.189
# 14
2sides2everystory
17-01-2013, 8:17 PM

Quote (originally posted by -TangleFoot-):
Nothing obvious - just the .exe hiding inside a .zip file named 8744Y4G_MMS.
Well, although .exe instantly rings alarm bells and was the reason I wasn't going to click any further without good reason, it isn't that obvious a pointer to a trojan surely, since if I wanted to send you a self-extracting zip for legitimate purposes then I'd almost certainly wrap it in a standard zip so that your email filter didn't stop it just because it was an .exe!

No I wondered if anything in the routing information screamed "spoof"?

Also is the use of the vodafone.com domain (appears several times in the headers) legitimate or spoofed? Did they use Vodafone's system to connect ?
# 15
-TangleFoot-
17-01-2013, 8:19 PM

Did you click on the .exe in my post to see where it went?

Quote (originally posted by debitcardmayhem):
In the header it says received from 101.78.164.189
It says the same thing for these too:
Code:
Received: from [212.159.9.108] (helo=avasin18.plus.net)
Received: from VFUS-MBX03.vf-us.internal.vodafone.com ([::1]) by VFUS-CAS01.vf-us.internal.vodafone.com ([10.181.10.42]) with mapi; Thu, 17 Jan 2013 10:47:24 +0800
Hmm... [::1] is IPv6 talk for localhost. Could that be relevant?

Last edited by -TangleFoot-; 17-01-2013 at 8:50 PM. Reason: something funny about that IP address...
# 16
2sides2everystory
18-01-2013, 12:16 PM

Quote (originally posted by -TangleFoot-):
Did you click on the .exe in my post to see where it went?
Yes I appreciate you tracked down this particular one by name of file and apparent email sender to the recent virustotal reports but just wondered about the chances of a normal punter achieving some kind of raw detection from any bits of the header that just don't add up.

Else are we really just reliant on being ultra careful/other people having found it first so we can Google it when we are alert enough to stop ourselves blundering into a click too far?

I'm not really clued up enough to understand your pointers to possible localhost shenanigans so I'll let you and debitcardmayhem mull that over between you.

Thanks for engaging.
# 17
artbaron
18-01-2013, 12:24 PM

I had one yesterday and Kaspersky identified it as a virus and disinfected it, and I set the incoming address to Junk.
# 18
easy
18-01-2013, 2:18 PM

Quote (originally posted by 2sides2everystory):
Yes I appreciate you tracked down this particular one by name of file and apparent email sender to the recent virustotal reports but just wondered about the chances of a normal punter achieving some kind of raw detection from any bits of the header that just don't add up.

Else are we really just reliant on being ultra careful/other people having found it first so we can Google it when we are alert enough to stop ourselves blundering into a click too far?

I'm not really clued up enough to understand your pointers to possible localhost shenanigans so I'll let you and debitcardmayhem mull that over between you.

Thanks for engaging.
As I said earlier, the best way to manage this is NOT to open any attachments that you are not expecting to receive. If you receive an email from someone you know, with an attachment that you didn't expect, check with them before you open it.
If you receive one from an unknown source, then treat it with great suspicion. I had another this morning, inviting me to download a PDF. Obviously, as I don't know the sender, I've deleted the email without opening it (using a preview pane in my email client).

Even professionals get caught out sometimes, which is why they use good anti-virus software, AND keep regular, reliable backups so that if the worst does happen they can restore a clean system.
# 19
-TangleFoot-
18-01-2013, 3:11 PM

Quote (originally posted by 2sides2everystory):
Thanks for engaging.
Rule of thumb: reputable sources don't send executable attachments. Especially obfuscated ones.

Also, after checking some of my own emails I'd guess that the [::1] in yours is the forgery - a simple ping reveals the true address of VFUS-MBX03 as [92.242.132.15].

Ergo, it came from somewhere else.
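The question 2sides2everystory keeps asking (which bits of the routing information do not add up?) has a structural answer that debitcardmayhem and -TangleFoot- circle around between them: Received lines are prepended by each relay, so only the hops written by your own provider's servers are verifiable; every line below them, including the internal vodafone.com hops and the [::1] literal, was supplied by whoever handed the message over, here 101.78.164.189. The script below walks the chain that way. It is an added example, not code from the thread or from any poster. The sample headers are the ones from the first post with the folding whitespace on continuation lines restored so the standard library parser accepts them; the recipient address, which was redacted in the post, is replaced with a constructed placeholder, and the choice of `plus.net` as the trusted provider suffix and `vodafone.com` as the claimed brand domain are assumptions read off those headers.

```python
import ipaddress
import re
from dataclasses import dataclass
from email import message_from_string
from typing import Optional

# Headers as posted in the thread, continuation lines re-indented so they parse.
# "recipient@example.invalid" is a constructed placeholder for the redacted address.
SAMPLE_HEADERS = """\
Return-path: <foodse@vodafone.com>
Delivery-date: Thu, 17 Jan 2013 02:47:27 +0000
Received: from [212.159.9.108] (helo=avasin18.plus.net)
 by inmx16.plus.net with esmtp (PlusNet MXCore v2.00) id 1TvfVn-0000eX-9l
 for recipient@example.invalid; Thu, 17 Jan 2013 02:47:27 +0000
Received: from [101.78.164.189] ([101.78.164.189])
 by avasin18.plus.net with Plusnet Cloudmark Gateway
 id oqnM1k00H45Vuwd01qnQv2; Thu, 17 Jan 2013 02:47:27 +0000
Received: from VFUS-MBX03.vf-us.internal.vodafone.com ([::1]) by
 VFUS-CAS01.vf-us.internal.vodafone.com ([10.181.10.42]) with mapi; Thu, 17 Jan 2013 10:47:24 +0800
From: <mms@getmyphoto.vodafone.com>
Subject: A new picture or video message [Vodafone MMS]

"""

HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[([0-9A-Fa-f:.]+)\]")
HELO_RE = re.compile(r"helo=(\S+)", re.I)


@dataclass
class Hop:
    host: Optional[str]   # name the sending machine gave for itself, if any
    ip: Optional[str]     # address literal recorded for the sending machine
    by: str               # the server that wrote this Received line


def parse_hop(value: str) -> Optional[Hop]:
    """Pull 'from X (...) by Y' out of one unfolded Received header value."""
    m = HOP_RE.search(value)
    if not m:
        return None
    sender, paren, receiver = m.group("from"), m.group("paren") or "", m.group("by")
    ip_match = IP_RE.search(sender + " " + paren)
    ip = ip_match.group(1) if ip_match else None
    if sender.startswith("["):
        # Bare address literal: the only name is whatever HELO said, if recorded.
        helo = HELO_RE.search(paren)
        host = helo.group(1) if helo else None
    else:
        host = sender
    return Hop(host=host, ip=ip, by=receiver)


def analyse(raw_headers: str, trusted_suffix: str, claimed_domain: str) -> dict:
    """Split the chain into hops our provider recorded (trusted) and hops the
    sender merely asserts (claimed), then report what does not add up."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        hop = parse_hop(" ".join(value.split()))  # unfold, normalise whitespace
        if hop:
            hops.append(hop)

    # Each relay prepends its line, so the top of the list is the last relay.
    # Trust lasts only while the writing server belongs to our own provider.
    trusted = []
    for hop in hops:
        if hop.by.lower().endswith(trusted_suffix.lower()):
            trusted.append(hop)
        else:
            break
    claimed = hops[len(trusted):]
    handoff = trusted[-1] if trusted else None  # first machine outside our provider

    findings = []
    if handoff:
        if handoff.host is None:
            findings.append("handoff-no-hostname")
        if claimed_domain.lower() not in (handoff.host or "").lower():
            findings.append("handoff-not-claimed-domain")
    for hop in claimed:
        try:
            addr = ipaddress.ip_address(hop.ip) if hop.ip else None
        except ValueError:
            addr = None
        if addr is not None and addr.is_loopback:
            findings.append("loopback-in-claimed-chain")
        elif addr is not None and addr.is_private:
            findings.append("private-address-in-claimed-chain")
    if claimed and claimed_domain.lower() in " ".join(h.by for h in claimed).lower():
        findings.append("claimed-domain-only-in-unverifiable-hops")

    return {
        "trusted_hops": len(trusted),
        "claimed_hops": len(claimed),
        "handoff_ip": handoff.ip if handoff else None,
        "handoff_host": handoff.host if handoff else None,
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_HEADERS, trusted_suffix="plus.net", claimed_domain="vodafone.com")
    for key, val in report.items():
        print(f"{key}: {val}")
```

For this message the hand-off is a bare IP literal with no hostname and no HELO recorded, and the only mention of vodafone.com sits in the one hop below it, which the recipient's provider never saw. That is the "screams spoof" signal the thread is looking for: not any single field, but the fact that the brand only appears in the part of the chain nobody but the sender vouches for.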
# 20
spud17
20-01-2013, 2:14 PM

For the brave/foolhardy, you can put the header into

http://www.iptrackeronline.com/email...r-analysis.php

This will give you some of the info contained in the header.

Take care and use at your own risk.