porndialer spam trips up zonealarm

From: Beemer Biker (antispam@sbcglobal.net)
Date: 06/19/02


From: "Beemer Biker" <antispam@sbcglobal.net>
Date: Wed, 19 Jun 2002 01:55:56 GMT

I got in a porndialer spam that contains a gif (in addition to the
".cab" and ".exe" porndialer). It was javascript that was not executed
and I just viewed the js source. Unaccountably my zonealarm pro 3
attempted to quarantine the gif. I say unaccountably because of the
47 extensions that are quarantinable neither "gif" nor "jpeg", etc., is
one of them. This is what I saw in Zalog.txt (copied and pasted
below)

MS,2002/06/16,12:36:00 -5:00 GMT,Outlook Express,Renamed email
attachment C:\DOCUME~1\HOMEUS~1\LOCALS~1\Temp\nsmailC7.gif to
CDOCUME~1HOMEUS~1LOCALS~1TempnsmailC7.gif,N/A

Notice that there are no "\" in the destination operand nor is there
an extension, i.e. ".z19" or whatever. In addition, there is *NO*
directory "HOMEUS~1" in my "Documents and Settings" directory. Not
even a hidden one. I did a grep of "rename" in my zonealarm log
directory. There are *NO* other renames that use directory paths.
This is really suspicious and I put the results (of the grep) here:
http://pages.sbcglobal.net/jstateson/misc/za_mv_list.txt

The reason I say it "tripped up" zonealarm is because zonealarm never
released the gif. ZA showed constant download activity that would
not stop when I attempted to shut down Outlook Express (v2600 with all
security updates & McAfee Corporate 4.5.1SP1 w/latest data). I had to
terminate OE twice with the task manager and eventually rebooted the
system (w2ksp2). When I finally recovered, the porndialer spam was the
only new email in the pop3 account and there was *NO* attachment. I
only found out about the attachment when I reviewed the alert log.
That was one of the first things I looked at after rebooting.

Is this a bug in ZA, i.e. attempting to rename a ".gif"? I emailed
myself a gif and did *NOT* observe any rename. The dummy gif arrived
just fine and I was unable to duplicate the problem with OE hanging up
when downloading the gif. I did a search through google of "zonealarm
rename gif" and saw nothing particularly interesting.

Could this be an exploit? Could the filename have been in hex such as
"C%3A%5CDOCUME~1..." which then became "C:\DOCUME~1" which might "do
something"?

Has anyone seen anything like this before?

The spam can be reviewed here:
http://makeashorterlink.com/?M42223611

There is a discussion about the spam here:
http://makeashorterlink.com/?H46215611

--
==============================================================
Beemer   Biker       antispam@sbcglobal.net
13.8K seti units, 20.6 years            Ask about my 99'R1100RT
==============================================================
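A check a defender could run over Zalog.txt for rename records like the one quoted in the post (an added example; not code from the post or from ZoneAlarm): it parses the comma-separated record layout shown above and flags renames whose destination has lost its path separators, whose destination is not the source name plus a quarantine suffix, or whose source name was percent-encoded, which is the hypothesis the post raises. The sample log is constructed: the first record is the one from the post, the ".z19" suffix and the second and third records are made-up illustrations.

```python
import re
from urllib.parse import unquote

# Constructed sample in the Zalog.txt layout quoted in the post:
# type,date,time,application,message,N/A (one record per line).
# Record 1 is the one from the post; records 2 and 3 are made up for this example.
SAMPLE_LOG = """\
MS,2002/06/16,12:36:00 -5:00 GMT,Outlook Express,Renamed email attachment C:\\DOCUME~1\\HOMEUS~1\\LOCALS~1\\Temp\\nsmailC7.gif to CDOCUME~1HOMEUS~1LOCALS~1TempnsmailC7.gif,N/A
MS,2002/06/16,12:40:00 -5:00 GMT,Outlook Express,Renamed email attachment invoice.exe to invoice.exe.z19,N/A
MS,2002/06/16,12:41:00 -5:00 GMT,Outlook Express,Renamed email attachment C%3A%5CDOCUME~1%5Cfoo.gif to CDOCUME~1foo.gif,N/A
"""

RENAME_RE = re.compile(r"^Renamed email attachment (.+) to (.+)$")

def parse_entry(line):
    """Split one record into its fields; return None for non-rename records."""
    parts = line.rstrip("\n").split(",", 4)   # type,date,time,app,<message>,N/A
    if len(parts) < 5:
        return None
    kind, date, time, app, rest = parts
    message = rest.rsplit(",", 1)[0]          # drop the trailing N/A field
    m = RENAME_RE.match(message)
    if not m:
        return None
    return {"date": date, "time": time, "app": app, "src": m.group(1), "dst": m.group(2)}

def rename_anomalies(entry):
    """Reasons a rename deviates from the expected <name> -> <name>.<suffix> shape."""
    src, dst = entry["src"], entry["dst"]
    reasons = []
    decoded = unquote(src)                    # the post's "C%3A%5C..." hypothesis
    if decoded != src:
        reasons.append("source name is percent-encoded")
        src = decoded
    if "\\" in src and "\\" not in dst:
        reasons.append("path separators stripped from destination")
    if dst == src.replace("\\", "").replace(":", ""):
        reasons.append("destination is source with separators removed, no quarantine suffix")
    elif not dst.startswith(src + "."):
        reasons.append("destination is not source plus a quarantine suffix")
    return reasons

def suspicious_renames(text):
    """Return (entry, reasons) for every rename record that looks wrong."""
    flagged = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and rename_anomalies(entry):
            flagged.append((entry, rename_anomalies(entry)))
    return flagged

if __name__ == "__main__":
    for entry, reasons in suspicious_renames(SAMPLE_LOG):
        print(entry["date"], entry["time"], entry["src"], "->", entry["dst"], reasons)
```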