Gossamer Forum

Possible troll for email or somekind of hack?

Been getting a lot of these emails lately, here is what the body says:

Quote:
Mail Delivery Failure:

If the message will not displayed automatically,
follow the link to read the delivered message.

Received message is available at:
www.rapiddocs.com/inbox/docs/read.php?sessionid-16602

I know for a fact I don't have any such thing (or even directories) set up on this website (this is our domain but not our error message.)

Here's what is revealed when I view source:
-------------------------------------------

Received message is available at:<br>
<a href=cid:031401Mfdab4$3f3dL780$73387018@57W81fa70Re height=0 width=0>www.rapiddocs.com/inbox/docs/read.php?sessionid-16602</a>
<iframe
src=cid:031401Mfdab4$3f3dL780$73387018@57W81fa70Re height=0 width=0></iframe>
-------------------------------------

I wonder if they are just trolling for active email accounts or is this some kind of IE/Outlook exploit attempt?

Anyone seen this before?

Last edited by: Watts: Mar 25, 2004, 11:33 AM
Re: [Watts] Possible troll for email or somekind of hack?
Hm.. I've recently received a few failure notices for mails I never sent, but none of them like that. In the message source it showed as the originating message, it has an attachment called "document.pif" (it does not show up as an actual attached file, though). I've never heard of a .pif file before. I copied the code into a file and saved, and ran a virus scan on it but nothing showed up. I'd be damned if I'm going to try executing it though.

Philip
------------------
Limecat is not pleased.
Re: [Watts] Possible troll for email or somekind of hack?
Hi,

Looks like a virus. The link actually goes to an attached file, so clicking on it would probably execute it (exploiting some outlook hole).

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [fuzzy logic] Possible troll for email or somekind of hack?
Quote:
(it does not show up as an actual attached file, though).

If you're using Outlook, then Outlook has stripped off the attachment. Outlook removes any .bat, .exe, .pif, etc types of files to protect you from yourself - depending on what version/service pack level you have.

Definition of PIF (from webopedia.com):
Short for Program InFormation file, a type of file that holds information about how Windows should run a non-Windows application. For example, a PIF file can contain instructions for executing a DOS application in the Windows environment. These instructions can include the amount of memory to use, the path to the executable file, and what type of window to use. PIF files have a .pif extension.
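Alex's point that the link resolves to an attached file (a cid: reference), and the note above that Outlook strips .pif/.exe/.bat attachments, both describe things a mail filter can check for itself. The script below is an added example, not code from this thread or from Gossamer Threads: it parses a raw message with Python's standard email module, lists every <a> or <iframe> whose href/src uses the cid: scheme, marks the ones sized height=0 width=0 as hidden, and cross-checks the referenced Content-ID against the attachments and their extensions. The sample message is constructed for the demo; it reuses the cid value quoted in the first post, carries a harmless placeholder payload, and the BLOCKED_EXTENSIONS set is an assumed subset of what Outlook blocks rather than an official list.

```python
"""Detect the hidden-iframe-to-attachment pattern discussed in this thread.
Sample message is constructed; the Content-ID is the one quoted in the thread."""
import re
from email import message_from_string

# Assumed subset of extensions Outlook strips; .pif/.scr/.exe/.bat are named in the thread.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".bat", ".com", ".cmd", ".vbs"}

# <a> or <iframe> whose href/src uses the cid: scheme (unquoted attributes allowed,
# as in the quoted message source).
CID_TAG_RE = re.compile(
    r"<(a|iframe)\b([^>]*?)\b(?:href|src)\s*=\s*[\"']?cid:([^\s\"'>]+)([^>]*)>",
    re.IGNORECASE,
)
ZERO_SIZE_RE = re.compile(r"\b(height|width)\s*=\s*[\"']?0\b", re.IGNORECASE)


def find_cid_tags(html):
    """Return (tag, content_id, hidden) for every cid:-referencing <a>/<iframe>."""
    results = []
    for m in CID_TAG_RE.finditer(html):
        tag, before, cid, after = m.groups()
        sizes = {s.lower() for s in ZERO_SIZE_RE.findall(before + after)}
        hidden = sizes == {"height", "width"}  # both dimensions forced to 0
        results.append((tag.lower(), cid, hidden))
    return results


def attachment_index(msg):
    """Map Content-ID -> filename for non-text parts, and list blocked-extension names."""
    by_cid, blocked = {}, []
    for part in msg.walk():
        if part.get_content_maintype() in ("multipart", "text"):
            continue
        name = part.get_filename() or ""
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        if cid:
            by_cid[cid] = name
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            blocked.append(name)
    return by_cid, blocked


def analyze(raw):
    """Parse a raw RFC 822 message and report the indicators from the thread."""
    msg = message_from_string(raw)
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html += part.get_payload(decode=True).decode("utf-8", "replace")
    by_cid, blocked = attachment_index(msg)
    tags = find_cid_tags(html)
    return {
        "cid_tags": tags,
        # The exact pattern from the thread: a zero-size iframe auto-loading an attachment.
        "hidden_iframe_to_attachment": any(
            t == "iframe" and hidden and cid in by_cid for t, cid, hidden in tags
        ),
        "blocked_attachments": blocked,
        "suspicious": bool(blocked) or any(h for _, _, h in tags),
    }


# Constructed sample: the quoted message source wrapped in a MIME envelope with a
# placeholder .pif part (base64 of "PLACEHOLDER", not a real file).
SAMPLE_CID = "031401Mfdab4$3f3dL780$73387018@57W81fa70Re"
SAMPLE_RAW = f"""From: MAILER-DAEMON@example.com
To: recipient@example.com
Subject: Mail Delivery Failure
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

Received message is available at:<br>
<a href=cid:{SAMPLE_CID} height=0 width=0>www.rapiddocs.com/inbox/docs/read.php?sessionid-16602</a>
<iframe
src=cid:{SAMPLE_CID} height=0 width=0></iframe>
--b1
Content-Type: application/octet-stream; name="document.pif"
Content-Disposition: attachment; filename="document.pif"
Content-ID: <{SAMPLE_CID}>
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_RAW))
```

Run on the sample, the report lists both cid: tags as hidden, ties the iframe to the document.pif part, and flags the attachment by extension; the same logic applied at a gateway would catch the message even when the client never renders it.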
Re: [Alex] Possible troll for email or somekind of hack?
You're right Alex, it refers to a screen saver that Outlook stripped from the message - I didn't even realize it until I answered Fuzzy Logic about the other one. Blush
Re: [Watts] Possible troll for email or somekind of hack?
I just received a very similar email. What concerns me is that the email references my website specifically. What worries me is not that it points to a fake url on my domain, but that nowhere on my website is my email address listed in either text or graphic form.

My website does, in fact, use php. Does yours as well? I wonder if this is a possible php exploit (although I don't see how). The info for my server doesn't mention that email address anywhere, and my server info is not publicly available.

The attachment I get with the message is .scr, which outlook blocks. I am not sure whether or not outlook will block the iframe tag in the message source that automatically loads the reference pointed to in the email... I hope not. :)

I found another forum that had a bit more to say about this. You can find it at http://forums.devshed.com/archive/t-174774

It seems that it is a virus that exploits IE and sends out to the infected client's email list. I am curious to find out if the faked URL it gives mimics programming languages other than php. So far I have seen my own, and the source of a couple other emails. All have been spoofed php URLs.

I can't tell by looking at www.rapiddocs.com what language was used to write the website, however it doesn't appear to be php.

Anyhoo... I wish I knew more!

Ciao

Austen

www.xolara.com