Security Incidents mailing list archives

Strange mail - maybe password stealing trojan


From: Alexander Talos <alexander.talos () UNIVIE AC AT>
Date: Thu, 15 Feb 2001 16:40:52 +0100

Hej!

I just stumbled over a doublebounce that I suspect to be the output of
some kind of trojan, perhaps some freeporn viewer/downloader. I could
not find any related info on deja^H^H^H^Hgoogle.com etc. According to
the logs, the first mail of that kind was sent through our servers on 6
Nov 2000. Here's the mail that bounced:

Return-Path: <john () email com>
Received: from LMD (xxx.univie.ac.at [193.170.x.x])
        by mailbox.univie.ac.at (8.11.2/8.11.2) with SMTP id f1F9icu132040
        for mayday77 () hotmail com; Thu, 15 Feb 2001 10:44:39 +0100
Date: Thu, 15 Feb 2001 10:44:39 +0100
Message-Id: <200102150944.f1F9icu132040 () mailbox univie ac at>
From: xxxx
Subject: xxxx@ xxxx.univie.ac.at [193.170.x.x]193.170.x.x


 2c37 77freesex.exe
D:\WIN95\DLLDEBU.EXE
195.90.214.15/live-chat-strip : KEVIN!:42q53q456
www.link.springer.de/link : uni:dd
MAPI : MAPI
195.90.214.15/live-chat-strip : KEVIN!:42q53q456
www.link.springer.de/link : uni:dd
MAPI : MAPI
98 |4:10:67766222
 :

Curiously, I could find only one PC sending mails with a reverse-path of
<john () email com> in our not so small network. Hence, I don't think that
supposed trojan is very widespread, but maybe still worth mentioning.

Regards,

  Alexander
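
An added example, not part of the original post: one way to sweep sendmail logs for internal hosts submitting mail with the envelope sender reported above, giving each relay's first appearance and message count. The log lines are constructed in sendmail's usual `from=<...>, ... relay=host [ip]` form; host names, addresses and queue IDs are placeholders, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in sendmail's "from=" log format; hosts, IPs and
# queue IDs are placeholders, not values from the original post.
SAMPLE_LOG = """\
Nov  6 09:12:01 mx sendmail[2101]: eA68C1a00001: from=<john@email.com>, size=412, class=0, nrcpts=1, msgid=<a1@mx.example.org>, proto=SMTP, relay=pc17.example.org [192.0.2.17]
Nov  6 09:12:02 mx sendmail[2102]: eA68C1a00001: to=<drop@example.net>, delay=00:00:01, mailer=esmtp, stat=Sent
Nov  7 14:30:44 mx sendmail[2230]: eA7DUia00002: from=<alice@example.org>, size=2048, class=0, nrcpts=2, msgid=<a2@mx.example.org>, proto=ESMTP, relay=pc03.example.org [192.0.2.3]
Feb 15 10:44:39 mx sendmail[9001]: f1F9ica00003: from=<JOHN@email.com>, size=398, class=0, nrcpts=1, msgid=<a3@mx.example.org>, proto=SMTP, relay=pc17.example.org [192.0.2.17]
Feb 15 11:02:10 mx sendmail[9050]: f1FA2Aa00004: from=<john@email.com.example>, size=100, class=0, nrcpts=1, proto=SMTP, relay=pc09.example.org [192.0.2.9]
"""

# Matches only "from=" lines that carry a "relay=host [ip]" field; locally
# submitted mail (relay=user@localhost, no bracketed IP) is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssendmail\[\d+\]:\s(?P<qid>\w+):\s"
    r"from=<(?P<sender>[^>]*)>.*?\brelay=(?P<host>\S+)\s\[(?P<ip>[^\]]+)\]"
)

def relays_for_sender(log_text, sender):
    """Group messages with the given envelope sender by submitting relay."""
    wanted = sender.lower()
    hits = defaultdict(lambda: {"first_seen": None, "count": 0, "qids": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Exact, case-insensitive comparison so look-alike senders do not match.
        if not m or m.group("sender").lower() != wanted:
            continue
        rec = hits[(m.group("host"), m.group("ip"))]
        if rec["first_seen"] is None:
            # Syslog timestamps carry no year; "first" means first in file order.
            rec["first_seen"] = m.group("ts")
        rec["count"] += 1
        rec["qids"].append(m.group("qid"))
    return dict(hits)

if __name__ == "__main__":
    for (host, ip), rec in relays_for_sender(SAMPLE_LOG, "john@email.com").items():
        print(f"{host} [{ip}] first={rec['first_seen']} n={rec['count']} qids={rec['qids']}")
```

The queue IDs returned for each relay can then be matched against the corresponding `to=` lines to see where the messages were addressed.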

