Full Disclosure mailing list archives
Re: Has anyone seen this in their e-mail
From: Steve Menard <smenard () nbnet nb ca>
Date: Tue, 09 Mar 2004 13:01:03 -0400
Aschwin Wesselius wrote:
> On Tue, 2004-03-09 at 01:44, Edward W. Ray wrote:
>> This e-mail was addressed to my mail server. It even looked authentic, but since my mail server never sends me zip attachments I thought it strange.
>>
>> Please be careful when opening. The zip file contains an executable, and I would assume it is some kind of virus or worm. Has anyone else seen something similar?
>>
>> Regards,
>> Edward W. Ray
>
> Yeah, this looks like one I've got yesterday too.
>
> The message was different and even the password was different (clever virus-writer huh). I bet it is a Bagle.Gen-zippwd (who gives them names actually?) sort of worm, but am not sure.
>
> I dare not to open it at all. At least my ClamAssassin fetched it and sorted it into my Virus folder. This means that ClamAV (for Linux) recognizes it as a worm/virus
>
> Kind regards,
> Aschwin Wesselius
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
I suspect that it is a targeted long term attack against higher targets; see the one below from March 3, 2004.

I saw this one the other day. I thought the guys I hosted with wrote better English. Suspicious from the start.
From - Wed Mar 3 08:48:00 2004
X-UIDL: &jJ"!-ek"!S[/"!8>c!!
X-Mozilla-Status: 1001
X-Mozilla-Status2: 10000000
Return-Path: <lisa4 () cfl rr com>
Received: from techsp05 ([203.177.127.113]) by changed.not (8.10.2/8.9.3) with SMTP id i23CZqe08455 for <me@mydomain>; Wed, 3 Mar 2004 08:35:53 -0400
Date: Wed, 03 Mar 2004 20:43:45 +0800
To: me@mydomain
Subject: Notify about using the e-mail account.
From: noreply@mydomain
Message-ID: <ocsgoycxukouajqfnbr@mydomain>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------iwmrgskpbqjqjvtotrwg"
X-UIDL: &jJ"!-ek"!S[/"!8>c!!

----------iwmrgskpbqjqjvtotrwg
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Dear user of e-mail server "mydomain.xx",

Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.

For details see the attached file.

Attached file protected with the password for security reasons. Password is 55366.

Cheers,
The mydomain team http://www.mydomain

----------iwmrgskpbqjqjvtotrwg
Content-Type: application/octet-stream; name="TextDocument.zap"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="TextDocument.zap"

some zipped bad file here=

----------iwmrgskpbqjqjvtotrwg--
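
An added example, not part of the original post or thread: a mail-filter heuristic for the traits visible in the quoted message (a sender claiming the recipient's own domain while arriving from an outside relay, and an encrypted ZIP attachment whose password is given in the body). The rule names, the `trusted_relays` parameter and the sample message with its placeholder addresses are assumptions constructed for illustration.

```python
import re
import struct
from email.message import EmailMessage

PASSWORD_RE = re.compile(r"password\s+is\s+\S+", re.I)

def zip_is_encrypted(data: bytes) -> bool:
    """True if data starts with a ZIP local file header whose encryption bit is set."""
    if len(data) < 8 or data[:4] != b"PK\x03\x04":
        return False
    (flags,) = struct.unpack_from("<H", data, 6)  # general purpose bit flag
    return bool(flags & 0x0001)                   # bit 0: entry is encrypted

def indicators(msg: EmailMessage, trusted_relays: set[str]) -> list[str]:
    """Return the heuristics this message trips (hypothetical rule names)."""
    hits = []
    from_dom = msg.get("From", "").rpartition("@")[2].strip("> ").lower()
    to_dom = msg.get("To", "").rpartition("@")[2].strip("> ").lower()
    # The topmost Received header is the one written by the receiving server.
    relay = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))
    if from_dom and from_dom == to_dom and relay and relay.group(1) not in trusted_relays:
        hits.append("own-domain-sender-from-untrusted-relay")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for part in msg.iter_attachments():
        # Check the content, not the file name or declared MIME type.
        if zip_is_encrypted(part.get_payload(decode=True) or b""):
            hits.append("encrypted-zip-attachment")
            if PASSWORD_RE.search(text):
                hits.append("password-for-attachment-in-body")
    return hits

def sample_message() -> EmailMessage:
    """Constructed sample shaped like the quoted message; all values are placeholders."""
    msg = EmailMessage()
    msg["Received"] = "from techsp05 ([203.0.113.7]) by mx.example.test with SMTP"
    msg["From"] = "noreply@example.test"
    msg["To"] = "me@example.test"
    msg["Subject"] = "Notify about using the e-mail account."
    msg.set_content("For details see the attached file. Password is 12345.")
    # Constructed bytes: only a ZIP local file header with the encryption bit set.
    fake_zip = b"PK\x03\x04" + struct.pack("<HH", 20, 0x0001) + b"\x00" * 22
    msg.add_attachment(fake_zip, maintype="application", subtype="octet-stream",
                       filename="TextDocument.zip")
    return msg

if __name__ == "__main__":
    print(indicators(sample_message(), trusted_relays={"192.0.2.10"}))
```

Because the scanner cannot look inside an encrypted archive, the filter keys on the archive's encryption flag plus the surrounding message context instead of a payload signature.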