
Replying to Email From "resume-thanks@google.com"




Topic Summary

Atomic0

Posted 14 January 2011 - 04:50 AM

As a suggestion for email security, it is unlikely that any reputable online business / company would send any attachments, especially if it is an executable phone. That probably is the first sign. Also, if possible, you should not click links from the email unless you are absolutely sure of its identity, e.g. clear names in the URL, email validation links for sites you recently registered for, etc. For example, in the above Facebook email advising you of a message on your Facebook wall, the best option would be to log in directly to Facebook rather than clicking the link in the email.

vhortex

Posted 23 October 2010 - 06:03 PM

I think it has something to do with our company email service provider, because some of my co-workers also received this kind of email.

Oh, and today I got another email from a different address. But it's kind of the same attachment.

I received another email from "update@facebookmail.com" and the message was:



Delivered-To: xyz@emailservice.com
Received: by 10.216.91.83 with SMTP id g61cs72895wef;
Sat, 23 Oct 2010 10:26:58 -0700 (PDT)
Received: by 10.100.253.5 with SMTP id a5mr3576039ani.128.1287854817141;
Sat, 23 Oct 2010 10:26:57 -0700 (PDT)
Return-Path: <notification+zya0fz96@facebookmail.com>
Received: from mx-out.facebook.com (outmail014.snc4.facebook.com [66.220.144.146])
by mx.google.com with ESMTP id f9si6900001anp.188.2010.10.23.10.26.55;
Sat, 23 Oct 2010 10:26:56 -0700 (PDT)

Received-SPF: pass (google.com: domain of notification+zya0fz96@facebookmail.com designates 66.220.144.146 as permitted sender) client-ip=66.220.144.146;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of notification+zya0fz96@facebookmail.com designates 66.220.144.146 as permitted sender) smtp.mail=notification+zya0fz96@facebookmail.com; dkim=pass header.i=@facebookmail.com
Return-Path: <notification+zya0fz96@facebookmail.com>

DKIM-Signature: v=1; a=rsa-sha1; d=facebookmail.com; s=201006181024; c=relaxed/relaxed;
q=dns/txt; i=@facebookmail.com; t=1287854807;
h=From:Subject:Date:To:MIME-Version:Content-Type;
bh=5Fr5syIch7WXxEab/wNI+xPO9RI=;
b=rJPaOEjomdWkNHQZXExVuqZ64ZecIaJ9PWlRlktMyMoPaxrpaIx1XOtw97Nk4kzQ
h0aawa8cQw+UpMVcgU/wFkDI4dGynHwJkZY5yFoLq3xgfw0MXbBKTTYG9Ib7JjVG
N1OORuOHDqJU+wwx0T6jaTc6FBLmTOlFI5J7TPwqsQ8=;
Received: from [10.36.111.122] ([10.36.111.122:59002])
by mta005.snc4.facebook.com (envelope-from <notification+zya0fz96@facebookmail.com>)
(ecelerity 2.2.2.45 r(34222M)) with ECSTREAM
id 78/4B-07535-7DA13CC4; Sat, 23 Oct 2010 10:26:47 -0700
X-Facebook: from zuckmail ([MTI3LjAuMC4x])
by www.facebook.com with HTTP (ZuckMail);
Date: Sat, 23 Oct 2010 10:26:47 -0700
To: xyz<xyz@emailservice.com>
From: Facebook <notification+zya0fz96@facebookmail.com>
Reply-to: Reply to Comment <c+23jlpmd000000m6jwio2s001ojggjvnmt000000m6jwio000000q9100x1mj1i@reply.facebook.com>
Subject: Charis M Lachica posted on your Wall.
Message-ID: <8871bb8b936c4599739d20c61250307a@www.facebook.com>
X-Priority: 3
X-Mailer: ZuckMail [version 1.00]
X-Facebook-Notify: wall; from=1587283809; mailid=32d1805G4ff20960G15ab43aG1
Errors-To: notification+zya0fz96@facebookmail.com
X-FACEBOOK-PRIORITY: 0
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"


Text in bold is the recipient. This can be forged, and if you don't appear as a recipient and you still get the email, then it is one of the following:
1. It was sent to a mail group. A mail group is a list of emails private to the email provider. If someone discovers the group name, then he can send one email to one address and nothing will appear on the "To:", but still everyone in the group will get a copy.
2. You are included on the blind carbon copy list (BCC). This is a commonly used way to send mass email and spam, since 99.9% of email servers throw away the BCC info in hopes of removing tracing of who got a copy.

Text in bold and underlined is the real email server. 70% of the spam I received faking PayPal was sent from Hotmail with a fake email header. The sample above claims that the email comes from Facebook, and the receiving email server accepts it and appends a message ID (f9si6900001anp.188.2010.10.23.10.26.55).

Text in bold and italic is the actual "handshake"; this is the server-to-server communication and authentication part. If one side fails to identify itself, the communication attempt should be terminated. Sadly, most email servers are configured to still continue even if the other end fails to identify itself.
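As an added example (not code from the thread), a Python script that applies the reading above to the quoted headers: it walks the Received: chain oldest-first to find the server that actually handed the mail to Google, reads the SPF and DKIM verdicts from Authentication-Results, checks that the DKIM signing domain is the From: domain, and checks whether the Delivered-To address appears in To:. The headers are copied from the post with folded lines joined onto one line each; the function names are the example's own.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Trace and authentication headers copied from the Facebook notification quoted
# above; folded lines have been joined onto one line each so the parser sees them.
RAW = """\
Delivered-To: xyz@emailservice.com
Received: by 10.216.91.83 with SMTP id g61cs72895wef; Sat, 23 Oct 2010 10:26:58 -0700 (PDT)
Received: by 10.100.253.5 with SMTP id a5mr3576039ani.128.1287854817141; Sat, 23 Oct 2010 10:26:57 -0700 (PDT)
Received: from mx-out.facebook.com (outmail014.snc4.facebook.com [66.220.144.146]) by mx.google.com with ESMTP id f9si6900001anp.188.2010.10.23.10.26.55; Sat, 23 Oct 2010 10:26:56 -0700 (PDT)
Authentication-Results: mx.google.com; spf=pass (google.com: domain of notification+zya0fz96@facebookmail.com designates 66.220.144.146 as permitted sender) smtp.mail=notification+zya0fz96@facebookmail.com; dkim=pass header.i=@facebookmail.com
To: xyz<xyz@emailservice.com>
From: Facebook <notification+zya0fz96@facebookmail.com>
Subject: Charis M Lachica posted on your Wall.
"""
RECEIVED_RE = re.compile(r"(?:from\s+(?P<frm>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+)?by\s+(?P<by>\S+)")

def hops(msg):
    """Received: headers are stacked newest-first; return (from, info, by) oldest-first."""
    found = [RECEIVED_RE.search(" ".join(h.split())) for h in reversed(msg.get_all("Received", []))]
    return [(m.group("frm"), m.group("info"), m.group("by")) for m in found if m]

def entry_point(msg):
    """Oldest hop that names a sending host: the server that actually handed the mail to
    the recipient's provider, whatever From: claims (vhortex's 'real email server')."""
    for frm, info, by in hops(msg):
        if frm:
            ip = re.search(r"\[([\d.]+)\]", info or "")
            return {"from": frm, "ip": ip.group(1) if ip else None, "by": by}
    return None

def triage(raw):
    """Summarise what the headers prove rather than what the body claims."""
    msg = message_from_string(raw)
    ar = " ".join((msg.get("Authentication-Results") or "").split())
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))
    dkim_dom = re.search(r"header\.i=@?([\w.-]+)", ar)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    to_addrs = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
    return {
        "hop_count": len(hops(msg)),
        "entry_point": entry_point(msg),
        "spf_pass": verdicts.get("spf") == "pass",
        # DKIM vouches for From: only when the signing domain is the From: domain.
        "dkim_pass_for_from_domain": verdicts.get("dkim") == "pass"
        and dkim_dom is not None and dkim_dom.group(1).lower() == from_dom,
        # Recipient absent from To: means list or BCC delivery, as the post explains.
        "recipient_listed_in_to": (msg.get("Delivered-To") or "").strip().lower() in to_addrs,
    }
```

A message whose From: names one domain while SPF fails and DKIM is signed by another domain gets all three verdict fields False, which is the forged-header case vhortex describes.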

yordan

Posted 23 October 2010 - 10:49 AM

Thanks for the advice yordan... I'll consider doing this for the time being...

I will just point those mails to junks this time and also inform my co-workers to do the same.

Thank you once again...


Also ask them to look for the virus signature description on their own PC...
Remember that the initial virus infector has probably been sent by somebody having your mail address inside his PC!

ysNoi

Posted 23 October 2010 - 07:43 AM

The only thing I guess would be possible is to define all mails coming from resume-thanks to go to the spam folder. It's easy to do if your mailer is gmail, it's probably possible with the other mail systems.


Thanks for the advice yordan... I'll consider doing this for the time being...

I will just point those mails to junks this time and also inform my co-workers to do the same.

Thank you once again...

yordan

Posted 22 October 2010 - 09:46 AM

Yes, I know that anybody will recommend using antivirus programs, but how would you recommend avoiding receiving such things from those email addresses...

It's a general health security problem.
A friend of yours did not have a good antivirus program, so no guardian prevented him from catching this worm.
The worm got your e-mail address from your friend's contact list, and started sending mails. This will continue until your friend fixes his problem.
Your PC is also infested, so your PC is also sending mails, and will continue until you fix your own problem.
The only possible thing would have been preventing the remote server from having your mail address, which is the job antivirus programs perform. Now it's too late for that.
The only thing I guess would be possible is to define all mails coming from resume-thanks to go to the spam folder. It's easy to do if your mailer is gmail, it's probably possible with the other mail systems.
Regards
Yordan

ysNoi

Posted 22 October 2010 - 09:15 AM

Oh okay, that was clear...

However, my main concern is how to make things in a way that I could not receive those emails anymore.

Yes, I know that anybody will recommend using antivirus programs, but how would you recommend avoiding receiving such things from those email addresses...

Thanks a lot...

yordan

Posted 22 October 2010 - 08:15 AM

Thanks for that helpful information yordan...

I have checked my system based on that information and the results are as follows:

On
Do I need to change the values to the default setting? If so, what are the default values of UACDisableNotify and EnableLUA?

However, I still kept receiving the same email from google today...

My other co-workers also received some emails from e-cards@hallmark.com, resume-thanks@google.com,
update@facebookmail.com and invitations@twitter.com...

Ouch! I did not really ask you to manually change the registry settings. I just wanted you to have a look at the McAfee site I mentioned, and check that symptoms like registry settings and files in folders were present.
Then, my real advice was "buy a real professional Antivirus system", and in that precise case McAfee has proved that it was efficient.
You can try the online free McAfee virus check, unfortunately I guess they will just tell you "hey, you have a problem, here it is, buy our software in order to fix it".
Now you know that you have the problem, you can try their competitors in the free market. I would start with ClamWinPortable, install the portable version, accept the database update, and perform a full scan of your c: disk, I guess it should at least find and remove the binary worm files.

ysNoi

Posted 22 October 2010 - 04:21 AM

Thanks for that helpful information yordan...

I have checked my system based on that information and the results are as follows:

On

The Worm disables the Windows User Access Control (UAC) alerts by adding the following values to the registry keys.

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\]
UACDisableNotify="1"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\]
EnableLUA="0"

Do I need to change the values to the default setting? If so, what are the default values of UACDisableNotify and EnableLUA?

However, I still kept receiving the same email from google today...

My other co-workers also received some emails from e-cards@hallmark.com, resume-thanks@google.com,
update@facebookmail.com and invitations@twitter.com...

grim reaper1666

Posted 21 October 2010 - 10:17 PM

Ah, so that's what's sending those mails; that, I would imagine, would explain why it has a Google address. After all, a worm would easily be able to change the send address; after all, the address that the end user sees might not be the same one as was used to send the mail. In all likelihood the worm changed the address of the sender before it got sent out. You say that's impossible, but it is only data, so a worm coded to send this mail will have the required code to change the send address. It makes me wonder if the original address is hidden. I'd also recommend informing Google since their filters need updating; I think Google should have all files scanned before they come to your inbox, so if they are dangerous they get flagged somehow.

yordan

Posted 21 October 2010 - 02:10 PM

It's a known worm, named Generic.dx!uap; have a look here: http://vil.nai.com/v...nt/v_285399.htm

Propagation via Email:

The worm uses its own SMTP engine to send email messages with a copy of itself as an attachment. The email attachments may be from any of the following addresses.

Characteristics - "Generic.dx!uap" is a worm that may propagate via email, removable drives or network shares. Also, it drops and executes other malware.

When executed, the Worm connects to the site "whatismyip.com" to retrieve the IP address of the victim’s machine, and it injects the malicious code into the running process "explorer.exe" and using that, it connects to the DNS "120107d[removed]workofart.net" through the remote port 80.

The following files have been dropped into the system:

  • %Temp%\IXP000.TMP\document.exe [Detected as W32/Xirtem@MM]
  • %WINDIR%\system32\hp-513.exe [Detected as Hiloti.gen.e]
  • %WINDIR%\kbanet40.dll [Detected as Hiloti.gen.e]
And the dropped file "document.exe" copies itself into the following locations:

  • %WINDIR%\system32\HPWuSchedv.exe [Detected as W32/Xirtem@MM]
  • [Removable Drive]:\RECYCLER\S-1-6-(Varies)\redmond.exe [Detected as W32/Xirtem@MM]
Also, it attempts to create an autorun.inf file on the root of any accessible disk volume:

[Removable Drive]:\autorun.inf

The following folder has been added to the system:

  • %Temp%\IXP000.TMP
The following registry Keys have been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Cyojileki
  • HKEY_LOCAL_MACHINE\SOFTWARE\HP145
  • HKEY_USERS\S-1-5-21-(Varies)\Software\HP145
The following registry values have been added to the system:

The Worm disables the Windows User Access Control (UAC) alerts by adding the following values to the registry keys.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\]
    UACDisableNotify="1"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\]
    EnableLUA="0"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Cyojileki\]
    Hdicu="168"
The Worm registers itself as an authorized application with the Windows Firewall by adding the following registry entry:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]
    %WINDIR%\system32\HPWuSchedv.exe="%WINDIR%\system32\HPWuSchedv.exe:*:Enabled:Explorer"
The following registry entries confirm that the worm executes every time Windows starts:

  • [HKEY_USERS\S-1-5-21-Varies\Software\Microsoft\Windows\CurrentVersion\Run\]
    HP Software Updater v2.7="%WINDIR%\system32\HPWuSchedv.exe"
  • [HKEY_USERS\S-1-5-21-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
    Fgoroxir="rundll32.exe "%WINDIR%\kbanet40.dll",Startup"
The following registry entries have been modified in the system:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\]
    Start="4"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\]
    Start="4"
The above-mentioned registry entries confirm that the worm disables the Error Reporting Service (ERSvc) and the Windows Security Center service (wscsvc) respectively.

It's removed by McAfee, have a look with your own Anti-Virus program - it's a good test!
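As an added example (not from the thread, McAfee, or any vendor tool), a Python script that parses the output of `reg query <key> /s` and flags the registry footprint listed above: the UAC and service values, the dropped Cyojileki and HP145 keys, and Run or Windows Firewall entries naming HPWuSchedv.exe or kbanet40.dll. The `reg query` text, the SID and the ctfmon entry are constructed for the demo; the stock defaults it reports for EnableLUA (1) and UACDisableNotify (0) are the values asked about earlier in the thread.

```python
import re
HKLM = r"HKEY_LOCAL_MACHINE"
# Indicators taken from the McAfee description quoted above: (key, value name) -> (bad data, meaning).
BAD_VALUES = {(k.lower(), n.lower()): v for (k, n), v in {
    (HKLM + r"\SOFTWARE\Microsoft\Security Center", "UACDisableNotify"): ("0x1", "UAC alerts off; stock default is 0x0"),
    (HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", "EnableLUA"): ("0x0", "UAC disabled; stock default is 0x1"),
    (HKLM + r"\SYSTEM\CurrentControlSet\Services\ERSvc", "Start"): ("0x4", "Error Reporting service disabled"),
    (HKLM + r"\SYSTEM\CurrentControlSet\Services\wscsvc", "Start"): ("0x4", "Security Center service disabled"),
}.items()}
BAD_KEYS = (r"\currentversion\cyojileki", r"\hp145")  # dropped keys, matched case-insensitively
BAD_FILES = ("hpwuschedv.exe", "kbanet40.dll")         # dropped binaries named in Run / firewall entries
# Constructed `reg query <key> /s` output; the SID and the ctfmon entry are made up for the demo.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    EnableLUA    REG_DWORD    0x0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
    Start    REG_DWORD    0x4
HKEY_USERS\S-1-5-21-1234567890-1001\Software\Microsoft\Windows\CurrentVersion\Run
    HP Software Updater v2.7    REG_SZ    C:\WINDOWS\system32\HPWuSchedv.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\HP145
"""

def parse_reg_query(text):
    """Turn `reg query` output into {key: {value name: (type, data)}}."""
    tree, key = {}, None
    for line in filter(str.strip, text.splitlines()):  # blank lines separate keys; skip them
        if not line.startswith(" "):                    # unindented line = a key path
            key = line.strip()
            tree.setdefault(key, {})
        elif key is not None:                           # indented line = name, type, data (4-space gaps)
            parts = re.split(r" {4}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                tree[key][parts[0]] = (parts[1], parts[2])
    return tree

def find_indicators(tree):
    """Report every key or value that matches the worm footprint described above."""
    hits = []
    for key, values in tree.items():
        if any(marker in key.lower() for marker in BAD_KEYS):
            hits.append(f"dropped key present: {key}")
        for name, (_, data) in values.items():
            bad = BAD_VALUES.get((key.lower(), name.lower()))
            if bad and data.lower() == bad[0]:
                hits.append(f"{key}\\{name}={data} ({bad[1]})")
            in_hook = "\\currentversion\\run" in key.lower() or "authorizedapplications" in key.lower()
            if in_hook and any(f in (name + data).lower() for f in BAD_FILES):
                hits.append(f"persistence or firewall entry: {key}\\{name}={data}")
    return hits
```

On a suspect machine the same functions can be fed the saved output of `reg query HKLM /s` and `reg query HKU /s`; an empty result means none of the listed indicators is present, not that the machine is clean.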
