Weird Email....

Discussion in 'Software' started by eclayton, Aug 9, 2004.

  1. eclayton

    eclayton Sgt. Shorts-cough

    I use Outlook Express, and when I went to preview an email, instead of simply showing up in the preview pane, it actually sent me to Internet Explorer and took me to the webpage. It was an email from Roberto Dutton (which is meaningless, I know) and the subject was "Get free Microsoft Software CD". If I click on the email to preview it, it takes me to the webpage. When I close the webpage, the preview pane in Outlook Express shows a blank white page.

    What I'm getting at is that I had no control over this particular email. Usually you can view the email in the preview pane, and though it looks like a webpage, or whatever, you are still in Outlook Express, and you have the option of opening attachments, or clicking on links, etc. This one took me to IE without my choice. I had wanted to add it to the Spam Folder (I also use Spam Bully for Outlook Express) but I couldn't do so unless I selected the email, and as soon as I did, it took me to IE. I did have the option of right-clicking on the email and deleting it that way.

    I was wondering if this is some new thing? I'm afraid that a virus could be sent very easily through this type of email.........:( Any ideas on this?

    Here's the message source info, the XXXXXX are my email covered up.....

    Return-Path: <jfem1n@yahoo.com>
    X-Original-To: XXXXXXXXXX@XXXXXXXXX
    Delivered-To: XXXXXXXXX@XXXXXXXX
    Received: from bleuets-1-82-66-131-9.fbx.proxad.net (bleuets-1-82-66-131-9.fbx.proxad.net [82.66.131.9])
    by mx4.jpusa.org (Postfix) with SMTP id 0FC71304015
    for XXXXXXXXXX@XXXXXXXXX; Mon, 9 Aug 2004 02:52:42 -0500 (CDT)
    Received: from (HELO bpb) [231.33.164.138] by bleuets-1-82-66-131-9.fbx.proxad.net id 75Op34OfaetZ; Mon, 09 Aug 2004 05:44:44 -0300
    Message-ID: <h-0q7l9249$epa-jr50$6-9n66$-7@uyqe.x.ocfk6>
    From: "Roberto Dutton" <jfem1n@yahoo.com>
    Reply-To: "Roberto Dutton" <jfem1n@yahoo.com>
    To: XXXXXXXXXX@XXXXXXXXX
    Subject: Get Free Microsoft Software CD
    Date: Mon, 09 Aug 04 05:44:44 GMT
    X-Mailer: Microsoft Outlook Express 5.00.2615.200
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="0C5CF0.8D27F44931D89"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-MailScanner-Information: Please contact the ISP for more information
    X-JPUSA-MailScanner: Found to be clean
    X-MailScanner-SpamScore: sss
    Status: RO

    --0C5CF0.8D27F44931D89
    Content-Type: text/html;
    Content-Transfer-Encoding: quoted-printable
    <script language=3D"javascript">
    location.href=3D"http://cheryl.gebfkim.info/?sHu1.JsjA036Igs=
    definite"
    </script>
    --0C5CF0.8D27F44931D89--
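
A defender-side check for the kind of message quoted above, as an added example that is not part of the original post: it decodes each text/html part (undoing quoted-printable) and flags script that navigates on render. The sample message is constructed, its addresses and redirect host are placeholders, and the names `scan_message`, `CHECKS` and `URL` are hypothetical.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample modelled on the message source quoted above;
# the addresses and the redirect host are placeholders.
SAMPLE = """\
From: "Sender" <sender@example.invalid>
To: user@example.invalid
Subject: Get Free Microsoft Software CD
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="0C5CF0.8D27F44931D89"

--0C5CF0.8D27F44931D89
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<script language=3D"javascript">
location.href=3D"http://redirect.example.invalid/?sample=
token"
</script>
--0C5CF0.8D27F44931D89--
"""

# Heuristic markers of HTML mail that acts as soon as it is rendered.
CHECKS = [
    ("script element", re.compile(r"<script\b", re.I)),
    ("script sets location", re.compile(r"\blocation(?:\.href)?\s*=", re.I)),
    ("meta refresh", re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I)),
    ("embedded frame/object", re.compile(r"<(?:iframe|object|embed)\b", re.I)),
]
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def scan_message(raw):
    """Return (findings, urls) for all text/html parts, after transfer decoding."""
    msg = message_from_string(raw, policy=default)
    findings, urls = [], []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()  # decodes quoted-printable, joins soft line breaks
        findings += [n for n, rx in CHECKS if rx.search(html) and n not in findings]
        urls += URL.findall(html)
    return findings, urls

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

Scanning the undecoded source would report a truncated URL, because the trailing `=` in the quoted-printable body is a soft line break that joins the two lines.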
     
  2. billH

    billH Master Sergeant

    Hi EC :) Sounds like a hijacker or scumware of some sort. Have you run Spybot lately? Check especially ActiveX and BHOs in SpyBot>Advanced Mode>Tools. Dunno. The "can't get rid of it" part bothers me.
    Bill
    (maybe it's about the yellow shorts phase of your life? ;) )
     
  3. mr_flea

    mr_flea First Sergeant

    Looks like a script was used to open up a window in IE.
     
  4. eclayton

    eclayton Sgt. Shorts-cough

    Yeah, I'm still looking for a "Yellow Shorts Removal Tool" but after many searches here at MG, I still haven't found one!! :D

    I was actually able to add it to my Spam list after I closed IE, but what bothered me was that it sent me there without my control.

    Here's what Spybot found. Ad Aware only found 1 tracking cookie.
     

    Attached Files:

  5. eclayton

    eclayton Sgt. Shorts-cough

    I deleted these and then went back to that email to see if that's where they came from. After running Spybot, the 6 entries were back! I deleted them, and ran it again, WITHOUT opening the email. The 6 entries were there.......I'm not sure the 2 are related. What is this DSO exploit? I don't like it one bit!
     
  6. augiedoggie

    augiedoggie The Canadian Loon - LocoAugie (R.I.P. 2012)

    Eclayton, your browser has been hijacked. Go to the Spyware forum at MG's and read the stickies on hijack this. Good luck
     
  7. Adrynalyne

    Adrynalyne Guest

    I have DSO Exploit entries in Spybot, and my browser is not hijacked.
     
  8. augiedoggie

    augiedoggie The Canadian Loon - LocoAugie (R.I.P. 2012)

    BillH mentioned BHO and I thought eclayton mistyped somehow.
     
  9. eclayton

    eclayton Sgt. Shorts-cough

    No, my browser isn't hijacked, it's the fact that the email takes me directly to Internet Explorer without my control. I have deleted the email, and am not having any more problems, but I was concerned that it was automatically sending me to the webpage from Outlook Express.


    When I open Internet Explorer to browse, it browses normally.

    Again, it was the first time I've ever experienced an email sending me anywhere automatically without having to click on a link or attachment. It just seems dangerous that I can't preview the email without this happening. What else could be sent that would automatically execute like this? I'm hoping it's not some new security flaw or vulnerability that will spread havoc all over cyberspace.

    PS The screenshot will show you what Spybot found, and I don't know if it's related or not. I'm thinking it is not.
     
  10. mr_flea

    mr_flea First Sergeant

    I have the 6 dso exploits on both machines. I don't think there is a way to get rid of them.
     
  11. eclayton

    eclayton Sgt. Shorts-cough

    Have any idea as to what they are? I've never heard of them. And Spybot doesn't really remove them, they reappear upon the very next scan.....:(
     
  12. mr_flea

    mr_flea First Sergeant

    The description says it's an IE security hole (no surprise there...) and you can get more information at http://security.greymagic.com/adv/gm001-ie/
     
  13. eclayton

    eclayton Sgt. Shorts-cough

    Cool, thanks!

    BTW, how's it going flea? Long time no see! Take care!

    Eric
     
  14. billH

    billH Master Sergeant

    Hmmmm . . . wonder if the exploit's covered in service pack 2?
     
  15. eclayton

    eclayton Sgt. Shorts-cough

    I was hoping it was. I'm waiting a bit before I install the new service pack, even though no one is reporting any problems.

    I'm still baffled about the email though...
     
  16. billH

    billH Master Sergeant

    Yeah, I tend to agree that someone wrote a bit of code that ran when you opened the email. Does your server have script blocking? Even if it doesn't, you might want to open your mail on their site instead of in OE which puts the script in your pocket.
     
  17. eclayton

    eclayton Sgt. Shorts-cough

    I'm on a network with a firewall, so I'm not sure how I could open the email on the server......is there a way to disable script in Outlook Express?
     
  18. pegg

    pegg MajorGeek

    Here's a page from Spybot's website about DSO Exploit:
    http://www.safer-networking.org/en/threats/13.html

    I've asked about this in a thread before and was told you can set Spybot to IGNORE them for now -- since, as you can see, it will just keep finding them, deleting them, finding more, etc. But it is not a "real threat" -- and they say on their site that this will be fixed with the next update.
    My thread was called: WARNING RE: Spybot Advanced settings --
    http://forums.majorgeeks.com/showthread.php?t=33685&highlight=spybot
    In the first post I showed a problem that others started to notice too
    Open Spybot. At the top left, next to "File" it says "Mode"-- choices are Default and Advanced. If you change to advanced there will be a Settings folder in the left column. One is "ignore products" -- then there'll be a long list -- check that list and you may see 4 that shouldn't be checked like we talk about in that thread. And you can deliberately check DSO Exploit.
     
  19. pegg

    pegg MajorGeek

    disabling script

    Great question!

    I'm not on a network - is the answer for disabling script in OE going to be different? (not trying to hijack your post -- just wanting to know if it will apply to this too)
     
  20. eclayton

    eclayton Sgt. Shorts-cough

    Re: disabling script

    You're not hijacking the post, that's a good question too!! :)

    I'm going to poke around a bit in OE and see if I find anything. If I do, I'll post it here. I'm betting it's the same whether or not one is on a network.
     
  21. eclayton

    eclayton Sgt. Shorts-cough

    Re: disabling script

    Okay, I went to Tools/Options/Security. Under "Select the Internet Explorer security zone to use", the box was checked that said "Internet zone (less secure, but more functional)".
    I checked the box that said "Restricted Sites Zone (more secure)".

    When I went back to the email, it wouldn't open. I think I like it better that way! Problem solved! :)
     
  22. billH

    billH Master Sergeant

    "When I went back to the email, it wouldn't open. I think I like it better that way! Problem solved!"

    Good Thinking EC :) Now, if you'll just ignore it long enough and let the dirt and debris build up on it eventually you can use the darn thing as a planter. ;)
     
