Full Disclosure mailing list archives
FW: Fake Email (Update)
From: "Tiago Halm" <thalm () netcabo pt>
Date: Fri, 27 Feb 2004 23:42:06 -0000
Got access to the attachment (was blocked by Outlook XP, but after adding a String REG key - HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security\Level1Remove - with value - exe - I got access to the attachment)

Size: 74142 bytes

Executed strings (ANSI and UNICODE) on it, but could not find anything relevant.
Also ran DUMPBIN /ALL and saw only the following imports:

  Section contains the following imports:

    KERNEL32.DLL
                44327C Import Address Table
                     0 Import Name Table
                     0 time date stamp
                     0 Index of first forwarder reference

                     0 LoadLibraryA
                     0 GetProcAddress
                     0 ExitProcess

    MSVBVM60.DLL
                44328C Import Address Table
                     0 Import Name Table
                     0 time date stamp
                     0 Index of first forwarder reference

                       Ordinal 581

Does anyone recognize something with this?
If someone needs the attachment, I'll send it zipped by email.

Regards,
Tiago Halm

-----Original Message-----
From: Tiago Halm [mailto:thalm () netcabo pt]
Sent: sexta-feira, 27 de Fevereiro de 2004 20:58
To: full-disclosure () lists netsys com
Subject: Fake Email

Hi,

Just received an email from "me () microsoft com ve" with an attachment "remove-lsass_tool.exe"

Headers:
----------------------------------------------------------------------
Received: from smtp.netcabo.pt ([192.168.16.2]) by VS2.hdi.tvcabo with
    Microsoft SMTPSVC(5.0.2195.6713); Thu, 26 Feb 2004 15:37:49 +0000
Received: from OEMCOMPUTER.ve ([80.104.215.25]) by smtp.netcabo.pt with
    Microsoft SMTPSVC(5.0.2195.6713); Thu, 26 Feb 2004 10:46:22 +0000
From: me () microsoft com ve
To: thalm () netcabo pt
Subject: a trojan is on your computer!
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MSMail-Priority: Normal
Message-ID: <93210073709487.53933xsmail () microsoft com ve>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="d7a124be6069b8e"
Return-Path: me () microsoft com ve
X-OriginalArrivalTime: 26 Feb 2004 10:46:23.0617 (UTC) FILETIME=[C6EA4F10:01C3FC55]
Date: 26 Feb 2004 10:46:23 +0000
----------------------------------------------------------------------

Content:
----------------------------------------------------------------------
hello,

I am from Denmark and you'll don't believe me, but a trojan horse in on your pc.
I've scanned the network-ports on the internet. (I know, that's illegal)
And I have found your pc. Your pc is open on the internet for everybody!
Because the lsass.exe trojan is running on your system.
Check this, open the task manager and try to stop that!
You'll see, you can't stop this trojan.
When you use win98/me you can't see the trojan!!

On my system was this trojan, too!
And I've found a tool to kill that bad thing.
I hope that I've helped you!

greets
----------------------------------------------------------------------

Anyone else got this too?
If so, has somebody made any analysis on the attachment yet?
The attachment was blocked, so I don't have access to it :(

Regards,
Tiago Halm

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
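
Added example, not part of the original post: a header triage of the Received chain quoted in the message above, finding the first hop with a public source address and comparing its self-declared HELO name with the From domain. The sample is constructed from the quoted headers with the archive's address obfuscation undone (an assumption), and the function names are hypothetical.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed from the headers quoted in the post; "me () microsoft com ve"
# is assumed to be the archive's rendering of me@microsoft.com.ve.
SAMPLE = """\
Received: from smtp.netcabo.pt ([192.168.16.2]) by VS2.hdi.tvcabo with Microsoft SMTPSVC(5.0.2195.6713);
\t Thu, 26 Feb 2004 15:37:49 +0000
Received: from OEMCOMPUTER.ve ([80.104.215.25]) by smtp.netcabo.pt with Microsoft SMTPSVC(5.0.2195.6713);
\t Thu, 26 Feb 2004 10:46:22 +0000
From: me@microsoft.com.ve
To: thalm@netcabo.pt
Subject: a trojan is on your computer!
Return-Path: me@microsoft.com.ve

"""

# "from <HELO name> ([<peer IP>]) by <recording server>"
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[([0-9.]+)\]\)\s+by\s+(\S+)")


def received_hops(raw):
    """Return the Received hops, newest first, as (helo, ip, by) tuples."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        match = RECEIVED_RE.search(value)
        if match:
            hops.append(match.groups())
    return hops


def triage(raw):
    """Report the first hop with a public source IP and whether its HELO fits From."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for helo, ip, by in received_hops(raw):
        # Private addresses are relays inside the provider. The IP is recorded
        # by the receiving server; the HELO name is only the sender's claim.
        if ipaddress.ip_address(ip).is_private:
            continue
        name = helo.lower()
        matches = name == from_domain or name.endswith("." + from_domain)
        return {"origin_ip": ip, "helo": helo, "recorded_by": by,
                "from_domain": from_domain, "helo_matches_from": matches}
    return None


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A HELO name that does not match the From domain is only one signal; the result is meaningful only when the server in recorded_by is one the recipient trusts.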