Author Topic: Spam E-Mails being Sent from my PC (7000+ Today Alone)  (Read 19768 times)

0 Members and 1 Guest are viewing this topic.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
« Reply #15 on: January 03, 2007, 08:31:05 PM »
I disagree, the "postcard" worm was being detected from the very beginning (Avast was one of the first who detected it).
Thanks for posting... from time to time, an official word about detection is comfortable.  ;)
The best things in life are free.

SendDerek

  • Guest
Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
« Reply #16 on: January 03, 2007, 11:10:33 PM »
Okay, I have more information for you guys and a screenshot.

The information I get when I hover over the icon is pretty random, but for the most part, this bit is most always on there:

mx10.tds.net

Some others that I managed to write down quickly (it changes every second):
nsl.smfiber...
bootsit.com...

Here is the screenshot with TCPView and Avast showing:



We don't really use this computer for e-mails, so as a temp fix, I wanted to block all outgoing smtp traffic.  Is there a way to do this?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
« Reply #17 on: January 03, 2007, 11:25:33 PM »
We don't really use this computer for e-mails, so as a temp fix, I wanted to block all outgoing smtp traffic.  Is there a way to do this?
You need to block the ports 25 and the 12025 as you can see in the picture...
Which is your firewall? Do you have a router to connect the Internet?
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
« Reply #18 on: January 03, 2007, 11:34:01 PM »
Well System Process is pretty weird process name as it is usually only listed as System so this might be something trying to masquerade as System, although the Process ID of 0 is also weird.

In task manager what has the process ID of 0 ?

There is no easy way to block emails being sent you would have to block the email port 25 in either a firewall or router. as this would appear to be using its own emailed. So you still haven't said what your firewall is ?

Try windows, Start, Run, type 'msconfig' without the quotes and click OK, now look at the Startup Tab and list what you see there.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
« Reply #19 on: January 03, 2007, 11:37:46 PM »
Well the TCPView is just showing you that it is avast that is actually facilitating the sending of the spam messages. 

Did you try the suggestion I gave you to have avast identify the process sending the spam?

As Tech says you need a firewall with outbound protection to really help you with this one. 

If you have such a firewall then you should remove outbound access for ashMaiSv.exe, this is the avast process that is actually delivering the mail.  That will stop it being sent.  It will not identify the infection in your system or remove it - which is what you ultimately need to do.

Again if you have an outbound protection firewall and you terminate the avast e-mail scanner then the real culprit sending the emails should show up asking for permission to connect outbound (or it will be a process you have already authorized but should not have).

It is very typical for these spambots to hijack a Windows process to do their work, we have quite often seen in the past winlogon.exe and explorer.exe as the infected processes.  Neither of these should have any valid reason for outbound access. 


« Last Edit: January 03, 2007, 11:40:14 PM by alanrf »

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
« Reply #20 on: January 03, 2007, 11:47:06 PM »
Just to add, if the shyte is running inside the SYSTEM process it's quite likely there's a kernel-mode malware component involved (a rootkit, basically). Not very good news indeed... :-\

What you could try is run a specialized rootkit-detection tool such as F-Secure Blacklight (it's free): http://www.f-secure.com/blacklight/try_blacklight.html


Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.

SendDerek

  • Guest
Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
« Reply #21 on: January 03, 2007, 11:53:23 PM »
Sorry for withholding information to ya'll.

This isn't a machine that I'm normally working on and it has no firewall except that of Windows SP2.

I have checked the processes in msconfig and there is nothing out of the ordinary (or so it seems).

Which firewall would be recommended for this one?  Something free would be best.

I cannot see any process with the ID of 0.

I also do connect through a router.  I will configure it to block port 25.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
« Reply #22 on: January 03, 2007, 11:53:58 PM »
There's one other way we can avast to report the process path ... at least it might confirm the System Process contamination.

It might prove useful to create (for a while, since the volume of message will create a large log) a more detailed avast! log of your mail connections.

You can get the mailscanner to log your connections by editing the avast4.ini file (in  Program Files\Alwil Software\Avast4\DATA folder).

In the section headed:

[MailScanner]

add the line:

Log=20

and save the updated file.

The log will be in Program Files\Alwil Software\Avast4\DATA\log\ashmaisv.log and will contain avast's reading of the path of the process being used to make the outbound connections.
 

SendDerek

  • Guest
Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
« Reply #23 on: January 04, 2007, 12:31:51 AM »
I tried the log thing.  I can't really read it very easily though.

I would like to share with you guys.  It started to grow very rapidly and became > 1MB. I will upload to Media Fire so that you can download and look for yourselves.

http://www.mediafire.com/?0ym0jwmvitz

Here is a small portion:
Code: [Select]
250-8BITMIME
250-PIPELINING
250 SIZE 71303168
01/03/07 16:22:31 00000E34:   <-SMTP 250-csmtpmx13.frontal.correo
250-8BITMIME
250-PIPELINING
250 SIZE 71303168
01/03/07 16:22:31 00000E34:   sent 79 (1160)
01/03/07 16:22:31 00000E34:   received 33 (1160)
01/03/07 16:22:31 00000E34:   ->SMTP MAIL FROM:<efe-getafe@terra.es>
01/03/07 16:22:31 00000E34:   sent 33 (1104)
01/03/07 16:22:31 00000E34:   received 40 (1104)
01/03/07 16:22:31 00000E34:   <-SMTP 250 MAIL FROM:<efe-getafe@terra.es> OK
01/03/07 16:22:31 00000E34:   sent 40 (1160)
01/03/07 16:22:31 00000E34:   received 31 (1160)
01/03/07 16:22:31 00000E34:   ->SMTP RCPT TO:<efe-getafe@terra.es>
01/03/07 16:22:31 00000E34:   sent 31 (1104)
01/03/07 16:22:32 00000440:   Cannot connect to SMTP server 65.54.244.40 (65.54.244.40:25), connect error 10060
01/03/07 16:22:32 00000440:   sent 87 (904)
01/03/07 16:22:32 00000440:   --SMTP Finishing connection handler
01/03/07 16:22:32 000005DC:   SMTP accept connection from: 127.0.0.1
01/03/07 16:22:32 000005DC:   Connection handler: 00000D08 (1024)
01/03/07 16:22:32 00000D08:   Ignored PIDs: 2672 3724
01/03/07 16:22:32 00000D08:   Ignored Addresses: 72.3.135.203:80 193.243.128.78:80 193.243.128.76:80 62.132.1.234:80 204.58.27.57:80 204.58.27.41:80 204.58.27.49:80 204.58.27.33:80 198.200.173.74:80 198.200.173.139:80 127.0.0.1:80 192.168.0.4:119 127.0.0.1:119 192.168.0.4:143 127.0.0.1:143 192.168.0.4:25 127.0.0.1:25 192.168.0.4:110 127.0.0.1:110
01/03/07 16:22:32 00000D08:   Ignored Processes: avgemc.exe forx.exe FXMadeEasy.exe aoltpspd.exe waol.exe tor.exe wcescomm.exe utorrent.exe ypager.exe V3P3AT.EXE bitcomet.exe mpftray.exe ABC.EXE CZDCPlusPlus.ex CRAXY.EXE NETMONSV.EXE SYMPROXYSVC.EXE NAVAPW32.EXE WEBPROXY.EXE EMULE.EXE TMPROXY.EXE isafe.exe SMPROXY.EXE ccLgView.exe ccSetMgr.exe ccPwdSvc.exe ccApp.exe ccProxy.exe ccPxySvc.exe ccEvtMgr.exe winroute.exe avast.setup
01/03/07 16:22:32 00000D08:   --SMTP command REDIRECT 65.54.244.72:25 1856
01/03/07 16:22:32 00000D08:   PATH: \Device\HarddiskVolume2\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
« Reply #24 on: January 04, 2007, 12:42:36 AM »
Is the link supposed to contain some data?

BTW maybe you could make the log file < 200KB and attach it here?


Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
« Reply #25 on: January 04, 2007, 01:06:29 AM »
Is the link supposed to contain some data?

There is a download file button on that page.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline BJ_GeOrgE

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 350
  • prevention is better than cure
Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
« Reply #26 on: January 04, 2007, 01:26:15 AM »
Sorry for withholding information to ya'll.

This isn't a machine that I'm normally working on and it has no firewall except that of Windows SP2.

I have checked the processes in msconfig and there is nothing out of the ordinary (or so it seems).

Which firewall would be recommended for this one?  Something free would be best.

I cannot see any process with the ID of 0.

I also do connect through a router.  I will configure it to block port 25.

u better download comodo..it's free and it has the feature named "define a new banned application" in which u can select an application to block from any internet access..this firewall helped me a lot with a bot which did the same work as yours(sending numerous emails)...i did a full system scan with avast and even if it founded it couldn't stop it...then i tried spybot and AVG antispyware and they couldn't stop it either..so i disabled avast email scanner,i found the process that contains the bot,i blocked it with comodo and did an online scan with bitdefender,it founded the bot,deleted it and after that i ran windows in safe mode and deleted it by myself coz it appeared again..now i have no problems and i have the exe file still in the block list of comodo just in case..maybe my bot was easier to remove it but i think comodo helped me a lot on that thing..u can see some gd free firewalls here http://www.snapfiles.com/Freeware/security/fwfirewall.html i recommend comodo and zonealarm.. ;)
« Last Edit: January 04, 2007, 01:28:20 AM by BJ_GeOrgE »
OS:Windows 7 Professional 64-bit SP1
Antivirus: Avast Free v8.0.1497/Firewall: Windows Firewall/On Demand: Malwarebytes Free Edition/Other tools: CCleaner

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
« Reply #27 on: January 04, 2007, 02:47:21 AM »
Here is a section from my log when I deliberately send an email message ...

Code: [Select]
1/03/07 17:35:38 00000254:   Ignored Addresses: 72.3.135.203:80 193.243.128.78:80 193.243.128.76:80 62.132.1.234:80 204.58.27.57:80 204.58.27.41:80 204.58.27.49:80 204.58.27.33:80 198.200.173.74:80 198.200.173.139:80 127.0.0.1:80 70.86.176.98:119 212.26.219.158:119
01/03/07 17:35:38 00000254:   Ignored Processes: avgemc.exe forx.exe FXMadeEasy.exe aoltpspd.exe waol.exe tor.exe wcescomm.exe utorrent.exe ypager.exe V3P3AT.EXE bitcomet.exe mpftray.exe ABC.EXE CZDCPlusPlus.ex CRAXY.EXE NETMONSV.EXE SYMPROXYSVC.EXE NAVAPW32.EXE WEBPROXY.EXE EMULE.EXE TMPROXY.EXE isafe.exe SMPROXY.EXE ccLgView.exe ccSetMgr.exe ccPwdSvc.exe ccApp.exe ccProxy.exe ccPxySvc.exe ccEvtMgr.exe winroute.exe avast.setup
01/03/07 17:35:38 00000254:   --SMTP command REDIRECT 204.127.225.17:25 392
01/03/07 17:35:38 00000254:   PATH: \Device\HarddiskVolume2\Program Files\Mozilla Thunderbird\thunderbird.exe
01/03/07 17:35:38 00000254:   Connected to SMTP server 204.127.225.17 25 (496)

You notice the PATH statement gives the name of the process that is sending the email - in this case my Thunderbird mail client.

In your log it is consistently pointing to the program ashDisp.exe.  This is very strange and I guess we will have to see if the avast folks have a comment.  I suppose that it is just possible that someone has managed to infect avast itself or to masquerade as an avast module. 

Did you try the blacklight scan suggested by Vlk?

By the way what is the size, date and time of your ashDisp.exe file?
« Last Edit: January 04, 2007, 02:51:21 AM by alanrf »

ksav

  • Guest
Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
« Reply #28 on: January 04, 2007, 12:54:52 PM »
< disagree, the "postcard" worm was being detected from the very beginning (Avast was one of the first who detected it).

How did you find out it can't detect it?

Am I guessing correctly if I say VirusTotal and/or Jotti's?
>
Nope, i tried it with my U3 (up to date) scanner on a machine where I'd copied the .exe to.
I then tried numerous other scanners, i.e. Mcafee (not mobile!) etc to see if it could identify this .exe as being malicious...  So, as of the 31st none of the scanners I tried could see this as malicious.

Sorry, i was just telling it like it was!!

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
« Reply #29 on: January 04, 2007, 01:03:55 PM »
Quote
Nope, i tried it with my U3 (up to date) scanner on a machine where I'd copied the .exe to.
I then tried numerous other scanners, i.e. Mcafee (not mobile!) etc to see if it could identify this .exe as being malicious...  So, as of the 31st none of the scanners I tried could see this as malicious.

It may have been a corrupted sample then... (this is quite common, actually - the attachments gets somehow screwed and arrives in a non-working state).

Do you still have the file? It would be worth a quick look just to make sure...

Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.