  • 2sides2everystory, #1, 17th Jan 13, 12:28 PM
    MMS photo in a zip from Vodafone - or is it a trojan?
    We have to be so careful these days with what arrives in the inbox, even when we know we have a pretty good antivirus (I use Kaspersky). I have already avoided the final step in opening this mail attachment (I was gambling by opening the zip, but I did fear to open the EXE of the same name inside).

    Can any of you techies tell from the email headers below whether this really was from Vodafone?

    Return-path: <foodse@vodafone.com>
    Envelope-to: {my email address}
    Delivery-date: Thu, 17 Jan 2013 02:47:27 +0000
    Received: from [212.159.9.108] (helo=avasin18.plus.net)
    by inmx16.plus.net with esmtp (PlusNet MXCore v2.00) id 1TvfVn-0000eX-9l
    for {my email address}; Thu, 17 Jan 2013 02:47:27 +0000
    Received: from [101.78.164.189] ([101.78.164.189])
    by avasin18.plus.net with Plusnet Cloudmark Gateway
    id oqnM1k00H45Vuwd01qnQv2; Thu, 17 Jan 2013 02:47:27 +0000
    X-IPAS: Level1
    X-CM-Score: 100.00
    X-CNFS-Analysis: v=2.0 cv=QfC4SLnv c=1 sm=1 p=xq6_pkGAOlbCYWpp:21
    p=QOr0OkOuIMb1-ZXN:21 p=ZV_qDKm3Awa1T0n3:21 p=mNgdpxbmAeamLjvkckwA:9
    p=ZWCv5kBEPJ9kZKX4gzgA:14 a=l1Zg887NEoglIa0EtzNIIA==:17 a=mD8GtjjJo7UA:10
    a=4qsattqYYrUA:10 a=xqWC_Br6kY4A:10 a=Ebs0h9rcAAAA:8 a=BPojhmU9NfcA:10
    a=Ox1ZiSh4rIFn8Da0_r8A:9 a=CjuIK1q_8ugA:10 a=Mb_K_RCCF9ZOil8kfa4A:9
    a=_W_S_7VecoQA:10 a=IKIoO-ieCDEA:10 a=l1Zg887NEoglIa0EtzNIIA==:117
    Received: from VFUS-MBX03.vf-us.internal.vodafone.com ([::1]) by
    VFUS-CAS01.vf-us.internal.vodafone.com ([10.181.10.42]) with mapi; Thu, 17 Jan 2013 10:47:24 +0800
    From: <mms@getmyphoto.vodafone.com>
    To: <{my email address}>
    Date: Thu, 17 Jan 2013 10:47:24 +0800
    Message-ID: <1D1ZVJ0GID3O0SW0ILYMC98H5M9915QY@legspas6.prd.it1 .sp.vodafone.com>
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=a__tumfs_37_76_54"
    X-pn-pstn: Spam 1
    X-PN-Virus-Filtered: by PlusNet MXCore (v5.00)
    X-PN-Spam-Filtered: by PlusNet MXCore (v5.00)
    Subject: A new picture or video message [Vodafone MMS]
    8744Y4G_MMS.ZIP (application/zip), 40 K
  • agrinnall, #2, 17th Jan 13, 12:35 PM
    I'd just delete it. I can't imagine any reason why Vodafone would send a zip file, and even if it is from them, do you really care if you never see it?
  • spacey2012, #3, 17th Jan 13, 12:37 PM
    Why take the chance?
  • bengalknights, #4, 17th Jan 13, 12:39 PM
    It's come from a spoofed email and is definitely dodgy; just delete and forget.
  • bod1467, #5, 17th Jan 13, 12:40 PM
    If the content of the ZIP is an EXE then it's bad. If it really was an MMS then it would be a MOV or 3GP file most likely.
    Got a Parking Charge Notice (parking ticket - IT'S NOT A FINE!)? Go here for further info ...
    Main site > MoneySavingExpert.com Forums > Household & Travel > Motoring > Parking Tickets, Fines & Parking >
    ... and click on the NEWBIES sticky thread (4816822)
    Please do not PM me for help - I will not offer help via PM.
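bod1467's point, that an EXE inside the ZIP is the tell, as an added example that is not part of the thread: list the archive's members and read their magic bytes without extracting anything. The archive is constructed here (the real 8744Y4G_MMS.ZIP is not on the page), and the member names and contents are assumptions chosen to mirror the thread, not the actual malware.

```python
"""List a ZIP attachment's members and flag anything executable, without
extracting it. Added example; not code from the thread. The archive built
below is a constructed stand-in for 8744Y4G_MMS.ZIP (the real one is not on
the page), with dummy bytes rather than real files."""
import io
import zipfile

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar", ".msi"}
MEDIA_EXT = {".jpg", ".jpeg", ".png", ".gif", ".mov", ".3gp", ".mp4"}
PE_MAGIC = b"MZ"          # first two bytes of every Windows executable


def build_sample_zip():
    """Constructed sample: an EXE named after the archive, as in the thread,
    plus one real-looking 3GP and one executable hiding behind a 3GP name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("8744Y4G_MMS.exe", PE_MAGIC + b"\x00" * 62)
        z.writestr("holiday.3gp", b"\x00\x00\x00\x18ftyp3gp4" + b"\x00" * 16)
        z.writestr("clip.3gp.scr", PE_MAGIC + b"\x00" * 62)
    return buf.getvalue()


def member_reasons(archive, info):
    """Reasons a single member deserves suspicion; empty list if none."""
    base = info.filename.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable extension {ext}")
    if len(parts) > 2 and "." + parts[-2] in MEDIA_EXT:
        reasons.append(f"media name with a trailing {ext} (double extension)")
    if info.flag_bits & 0x1:                      # encrypted member
        reasons.append("encrypted member, content cannot be inspected")
        return reasons
    with archive.open(info) as fh:                # read two bytes, never extract
        if fh.read(len(PE_MAGIC)) == PE_MAGIC:
            reasons.append("content starts with MZ (PE executable) whatever the name says")
    if info.compress_size and info.file_size / info.compress_size > 100:
        reasons.append("compression ratio above 100:1 (possible zip bomb)")
    return reasons


def suspicious_members(zip_bytes):
    """Return [(member name, [reasons]), ...] for the flagged members only."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            reasons = member_reasons(archive, info)
            if reasons:
                flagged.append((info.filename, reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in suspicious_members(build_sample_zip()):
        print(name, "->", "; ".join(reasons))
```

The check deliberately never calls extractall on an untrusted archive: infolist reads only the central directory, and the two-byte read through open is enough to catch an executable renamed to look like a photo. Nested archives would need the same routine applied recursively to each member.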
  • dogmaryxx, #6, 17th Jan 13, 12:52 PM
    http://www.millersmiles.co.uk/email/a-new-picture-or-video-message-vodafone-mms-vodafone
  • waddler_8, #7, 17th Jan 13, 1:09 PM
    Definitely malware.

    http://blog.webroot.com/2013/01/17/cybercriminals-resume-spamvertising-fake-vodafone-a-new-picture-or-video-message-themed-emails-serve-malware/

    http://nakedsecurity.sophos.com/2012/11/20/vodafone-mms-malware/
  • easy, #8, 17th Jan 13, 1:14 PM
    I received about 5 of these yesterday, and a couple this morning. Just deleted them; why would anyone I don't know be sending me MMSs? Even if they weren't nasty viruses, they might be nasty pictures.

    Basically, I never open any mail that has an attachment that I'm not expecting to receive. Even if I receive one from a known contact, I check with them if I wasn't expecting an attachment, in case a virus has got into their contacts list.
    I try not to get too stressed out on the forum. I won't argue, i'll just leave a thread if you don't like what I say.
  • 2sides2everystory, #9, 17th Jan 13, 2:00 PM
    Thanks to those who definitely identified it as malware.

    My reason for posting was because it is a particularly difficult one for a non-techie to unravel by means of the header info and although I suspected it, I wasn't sure despite being pretty savvy, so I thought others might benefit from seeing it.

    Can the techies amongst us tell us which parts of the header give away the fact that it is spoofed?


    To the uninitiated, this one masquerades quite effectively as an MMS either received by or sent by Vodafone. Do we know the current mobile numbers of everyone we know? It just so happens I have some friends away skiing at the moment and I would not have been surprised to receive an MMS from an unrecognised UK mobile, as some are avoiding the cost of using their own handsets for data whilst up the mountain away from Wifi. It therefore wouldn't surprise me if a handset was borrowed for the purpose of some humorous group photo or whatever.

    Of course, thinking one (obvious with hindsight) stage further about it: unless I too was with Vodafone, why would Vodafone be emailing me about it rather than texting me the link if the photo couldn't be delivered direct to my handset?

    Yes it is very easy to ignore everything we are not expecting but wouldn't life be boring!

    What is totally unacceptable is that we are bombarded by so many of these trojan attempts to break into our computers, isn't it? You would think that major Antivirus and Email server protections would be a little more robust by now. If techies in this forum can spot a spoof header a mile off, then why did it ever reach me?
  • -TangleFoot-
    Can the techies amongst us tell us which parts of the header give away the fact that it is spoofed?
    Originally posted by 2sides2everystory
    Nothing obvious - just the .exe hiding inside a .zip file named 8744Y4G_MMS.
  • debitcardmayhem, 17th Jan 13, 7:37 PM
    Received: from [101.78.164.189] ([101.78.164.189])

    Registered in HK. Of course, it could be part of a botnet.
    The faceless forum team said
    I'm afraid we had to remove your signature. It was felt that it could be upsetting to other users who had a stroke.
    But removing said signature upsets someone who has had one, ergo yours truly, and has still never received an explanation as to who felt it could be upsetting and why...Let alone the terrible grammar
  • -TangleFoot-
    Registered in HK...
    Originally posted by debitcardmayhem
    What's registered? There's no domain name and the only thing I can gather from the lookup is that the server on the other end is the responsibility of Wharf T&T Limited.
  • debitcardmayhem, 17th Jan 13, 7:59 PM
    What's registered? There's no domain name and the only thing I can gather from the lookup is that the server on the other end is the responsibility of Wharf T&T Limited.
    Originally posted by -TangleFoot-
    In the header it says received from 101.78.164.189
  • 2sides2everystory
    Nothing obvious - just the .exe hiding inside a .zip file named 8744Y4G_MMS.
    Originally posted by -TangleFoot-
    Well, although .exe instantly rings alarm bells and was the reason I wasn't going to click any further without good reason, it isn't that obvious a pointer to a trojan surely, since if I wanted to send you a self-extracting zip for legitimate purposes then I'd almost certainly wrap it in a standard zip so that your email filter didn't stop it just because it was an .exe!

    No I wondered if anything in the routing information screamed "spoof"?

    Also is the use of the vodafone.com domain (appears several times in the headers) legitimate or spoofed? Did they use Vodafone's system to connect ?
  • -TangleFoot-
    Did you click on the .exe in my post to see where it went?

    In the header it says received from 101.78.164.189
    Originally posted by debitcardmayhem
    It says the same thing for these too:
    Code:
    Received: from [212.159.9.108] (helo=avasin18.plus.net)
    Received: from VFUS-MBX03.vf-us.internal.vodafone.com ([::1]) by VFUS-CAS01.vf-us.internal.vodafone.com ([10.181.10.42]) with mapi; Thu, 17 Jan 2013 10:47:24 +0800
    Hmm... [::1] is IPv6 talk for localhost. Could that be relevant?
    Last edited by -TangleFoot-; 17-01-2013 at 8:50 PM. Reason: something funny about that IP address...
  • 2sides2everystory
    Did you click on the .exe in my post to see where it went?
    Originally posted by -TangleFoot-
    Yes I appreciate you tracked down this particular one by name of file and apparent email sender to the recent virustotal reports but just wondered about the chances of a normal punter achieving some kind of raw detection from any bits of the header that just don't add up.

    Else are we really just reliant on being ultra careful/other people having found it first so we can Google it when we are alert enough to stop ourselves blundering into a click too far?

    I'm not really clued up enough to understand your pointers to possible localhost shenanigans so I'll let you and debitcardmayhem mull that over between you

    Thanks for engaging.
  • artbaron
    I had one yesterday and Kaspersky identified it as a virus and disinfected it, and I set the incoming address to Junk.
  • easy, 18th Jan 13, 2:18 PM
    Yes I appreciate you tracked down this particular one by name of file and apparent email sender to the recent virustotal reports but just wondered about the chances of a normal punter achieving some kind of raw detection from any bits of the header that just don't add up.

    Else are we really just reliant on being ultra careful/other people having found it first so we can Google it when we are alert enough to stop ourselves blundering into a click too far?

    I'm not really clued up enough to understand your pointers to possible localhost shenanigans so I'll let you and debitcardmayhem mull that over between you

    Thanks for engaging.
    Originally posted by 2sides2everystory
    As I said earlier, the best way to manage this is NOT to open any attachments that you are not expecting to receive. If you receive an email from someone you know, with an attachment that you didn't expect, check with them before you open it.
    If you receive one from an unknown source, then treat it with great suspicion. I had another this morning, inviting me to download a PDF. Obviously, as I don't know the sender, I've deleted the email without opening it (using a preview pane in my email client).

    Even professionals get caught out sometimes, which is why they use good anti-virus software, AND keep regular, reliable backups so that if the worst does happen they can restore a clean system.
  • -TangleFoot-
    Thanks for engaging.
    Originally posted by 2sides2everystory
    Rule of thumb: reputable sources don't send executable attachments. Especially obfuscated ones.

    Also, after checking some of my own emails I'd guess that the [::1] in yours is the forgery - a simple ping reveals the true address of VFUS-MBX03 as [92.242.132.15].

    Ergo, it came from somewhere else.
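The check -TangleFoot- and debitcardmayhem are circling, namely which Received: lines can be believed and why the [::1] hop is the forged one, as an added example that is not part of the thread. It walks the headers quoted in the first post from the top: every server prepends its own Received: line, so the lines written by the recipient's own provider are trustworthy and everything below the last of them was already inside the message when it arrived, i.e. was typed in by whoever connected from 101.78.164.189. It assumes the recipient is a Plusnet customer (so .plus.net hosts are trusted); the UTC-offset comparison and the Return-Path check are heuristics added here, and the SPF lookup it mentions is not performed because it needs DNS.

```python
"""Separate the Received: hops that the recipient's own provider stamped from
the ones the sender supplied, using the headers quoted in the first post.
Added example; not code from the thread or from Plusnet/Vodafone."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from ipaddress import ip_address

# Headers copied from the first post. The recipient placeholder is kept as the
# poster wrote it; the X-CNFS-Analysis and X-PN-* lines are left out because
# the check below does not use them.
RAW = """Return-path: <foodse@vodafone.com>
Envelope-to: {my email address}
Delivery-date: Thu, 17 Jan 2013 02:47:27 +0000
Received: from [212.159.9.108] (helo=avasin18.plus.net)
\tby inmx16.plus.net with esmtp (PlusNet MXCore v2.00) id 1TvfVn-0000eX-9l
\tfor {my email address}; Thu, 17 Jan 2013 02:47:27 +0000
Received: from [101.78.164.189] ([101.78.164.189])
\tby avasin18.plus.net with Plusnet Cloudmark Gateway
\tid oqnM1k00H45Vuwd01qnQv2; Thu, 17 Jan 2013 02:47:27 +0000
Received: from VFUS-MBX03.vf-us.internal.vodafone.com ([::1]) by
\tVFUS-CAS01.vf-us.internal.vodafone.com ([10.181.10.42]) with mapi; Thu, 17 Jan 2013 10:47:24 +0800
From: <mms@getmyphoto.vodafone.com>
To: <{my email address}>
Date: Thu, 17 Jan 2013 10:47:24 +0800
Subject: A new picture or video message [Vodafone MMS]

"""

# Servers the recipient can trust to have written honest Received: lines
# (assumption: the recipient is a Plusnet customer, as the headers suggest).
TRUSTED_SUFFIXES = (".plus.net",)


def received_hops(raw):
    """Parse every Received: header, newest first, into from/by/ips/date."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())              # unfold continuation lines
        from_m = re.search(r"\bfrom\s+(\S+)", flat)
        by_m = re.search(r"\bby\s+(\S+)", flat)
        hops.append({
            "from": from_m.group(1) if from_m else "",
            "by": by_m.group(1) if by_m else "",
            "ips": re.findall(r"\[([0-9A-Fa-f.:]+)\]", flat),
            "date": flat.rsplit(";", 1)[-1].strip(),
        })
    return hops


def last_trusted_index(hops):
    """Each server prepends its own Received: line, so the list reads newest
    to oldest. Walk down while the 'by' host is ours; the last such hop is
    where the message actually entered from the Internet, and every hop after
    it was already inside the message when it arrived."""
    last = None
    for i, hop in enumerate(hops):
        if not hop["by"].endswith(TRUSTED_SUFFIXES):
            break
        last = i
    return last


def analyse(raw):
    hops = received_hops(raw)
    idx = last_trusted_index(hops)
    if idx is None:
        return {"origin_ip": None, "trusted_hops": 0, "claimed_hops": 0,
                "findings": ["no Received: line written by a trusted server"]}
    entry = hops[idx]
    origin_ip = entry["ips"][0]
    claimed = hops[idx + 1:]
    findings = []
    for hop in claimed:
        findings.append(f"hop '{hop['from']}' -> '{hop['by']}' was supplied by "
                        f"the client at {origin_ip}; nobody we trust verified it")
        for ip in hop["ips"]:
            addr = ip_address(ip)
            if addr.is_loopback or addr.is_private:
                findings.append(f"[{ip}] in that hop is loopback/private, so it "
                                "cannot be the Internet-facing source")
        # Heuristic only: the trusted gateway stamps UTC, the claimed hop +08:00.
        # Honest servers in different time zones differ too, so this is a prompt
        # to look closer, not proof of forgery.
        c_off = parsedate_to_datetime(hop["date"]).utcoffset()
        t_off = parsedate_to_datetime(entry["date"]).utcoffset()
        if c_off != t_off:
            findings.append(f"claimed hop stamped at UTC offset {c_off}, "
                            f"trusted hop at {t_off}")
    sender_domain = parseaddr(message_from_string(raw).get("Return-Path", ""))[1].rpartition("@")[2]
    if sender_domain and sender_domain not in entry["from"]:
        findings.append(f"envelope sender claims {sender_domain}, but the trusted "
                        f"server saw the client only as {entry['from']}; an SPF "
                        f"lookup of {sender_domain} against {origin_ip} would settle it")
    return {"origin_ip": origin_ip, "trusted_hops": idx + 1,
            "claimed_hops": len(claimed), "findings": findings}


if __name__ == "__main__":
    result = analyse(RAW)
    print("message entered from:", result["origin_ip"])
    for line in result["findings"]:
        print(" -", line)
```

Run against the thread's headers it reports that the message entered Plusnet from 101.78.164.189 and that the whole "VFUS-MBX03 ... by VFUS-CAS01" line, loopback and private addresses included, sits below that point and so is the sender's own claim. That is the general rule for reading any header: nothing beneath the last line your own provider wrote is evidence of where the mail came from.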
  • spud17, 20th Jan 13, 2:14 PM
    For the brave/foolhardy, you can put the header into

    http://www.iptrackeronline.com/email-header-analysis.php

    This will give you some of the info contained in the header.

    Take care and use at your own risk.
    Anyone else noticed how many threads now start with 'So'?