Checking with http://virusscan.jotti.org shows:
File: newyears.scr
Status: INFECTED/MALWARE
MD5: a4b0c8e03cc266d3500eb515f616a6d2
Packers detected: PESPIN

Scanner results:
AntiVir               Found Packer/PESpin packer
ArcaVir               Found nothing
Avast                 Found nothing
AVG Antivirus         Found nothing
BitDefender           Found nothing
ClamAV                Found nothing
Dr.Web                Found WIN.IRC.PWS.WORM.Virus (probable variant)
F-Prot Antivirus      Found nothing
Fortinet              Found nothing
Kaspersky Anti-Virus  Found Backdoor.Win32.Rbot.gen
NOD32                 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control  Found nothing
UNA                   Found nothing
VBA32                 Found nothing

Also, my own testing shows that Trend Micro found nothing with the current signature.

Andrew 8)

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
> Sent: Saturday, January 21, 2006 8:35 AM
> To: [email protected]
> Subject: Re: [Declude.JunkMail] malware or virii?
>
> Matt wrote:
>
> > Nick,
> >
> > You're always trying to mess with me.
>
> True. You are an easy target!
>
> > Since it appears that you want for me to give my 2 cents, here it is.
>
> Thanks for the analysis. All I could tell was it seemed strange.
>
> -Nick
>
> > Definitely malware. I received a copy myself at about the same time
> > from a different host. The person is using hacked sites to not only
> > store the payload, but also do the mailings. This one was sent from
> > the host on a hacked site and linked to a file on another hacked site.
> > The copy that I received passed spam blocking, but my logs show the
> > same domain (probably are many more), but it came from a different IP
> > and the Mail From had tell-tale signs of being from a hacked site
> > ([EMAIL PROTECTED]).
> >
> > This is hard to filter with standard methods unless the pattern
> > doesn't change.
> >
> > You should send a copy of your message to Sniffer, and maybe note the
> > submission to the Sniffer list, though I'm sure that Pete is seeing
> > this also.
> >
> > Matt
> >
> >
> > Nick Hayer wrote:
> >
> >> What do you think?
> >>
> >> I asked Matt and he said for me to try the link :)
> >>
> >> -Nick
> >>
> >> Received: from mx2.madriveraccess.com [12.152.254.14] by
> >> mx1.vtbass.com with ESMTP
> >> (SMTPD32-8.15) id A234DC20330; Fri, 20 Jan 2006 20:45:24 -0500
> >> Received: from hugin5.snet.uvm.dk ([195.231.243.86]) by
> >> mx2.madriveraccess.com with Microsoft SMTPSVC(6.0.3790.1830);
> >> Fri, 20 Jan 2006 20:45:24 -0500
> >> Received: from there (localhost [127.0.0.1]) by hugin5.snet.uvm.dk
> >> (AIX4.3/8.9.3p2/8.9.3) with SMTP id CAA167452 for
> >> [EMAIL PROTECTED]; Sat, 21 Jan 2006 02:45:20 +0100
> >> Date: Sat, 21 Jan 2006 02:45:20 +0100
> >> Message-Id: <[EMAIL PROTECTED]>
> >> To: [EMAIL PROTECTED]
> >> Subject: [Possible Spam(high)]-new years pics
> >> From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> >> Reply-To: [EMAIL PROTECTED]
> >> MIME-Version: 1.0
> >> Content-Type: text/plain
> >> Content-Transfer-Encoding: 8bit
> >> Return-Path: [EMAIL PROTECTED]
> >> X-OriginalArrivalTime: 21 Jan 2006 01:45:24.0894 (UTC)
> >> FILETIME=[591A7BE0:01C61E2C]
> >> X-RBL-Warning: FILTER.FOREIGN: Message failed FILTER.FOREIGN test
> >> (line 85, weight 0)
> >> X-RBL-Warning: FILTER.WEBMAIL: Message failed FILTER.WEBMAIL test
> >> (line 3, weight 2)
> >> X-Note: RECIPIENTS: <[EMAIL PROTECTED]>
> >> X-Note:========================
> >> X-Note: This email was scanned for spam. [Details at
> >> http://spamstats.madriveraccess.com]
> >> X-Note: This email has been virus scanned by F-Prot,McAfee AV, and
> >> ClamAV.
> >> X-Note: Please send abuse reports to [EMAIL PROTECTED]
> >> X-Country-Chain: DENMARK->UNITED STATES->destination
> >> X-Hello: hugin5.snet.uvm.dk
> >> X-Note: SMTP Sender: [EMAIL PROTECTED]
> >> X-Note: Sent from: [Revdns: hugin5.snet.uvm.dk] [RemoteHostDomain:
> >> parrishillfarm.com] [IP: 195.231.243.86] [SenderHost: yahoo.com]
> >> X-Note: Spam [v:2.0.6.16] tests: RHSBL.MAILPOLICE.WEBMAIL [0],
> >> BITMASK.MPBL.FORGEDDOMAIN [4], FILTER.FOREIGN [0], FILTER.WEBMAIL
> >> [2], FILTER.COMBO.FOREIGN [3], FILTER.COMBO.FORGED-DOMAIN [4]
> >> X-Note: Total spam weight of this E-mail is 17.
> >> X-Note: Scan time: 20:45:41 on 20 Jan 2006
> >> X-Note: Queue name: D92340DC20330199F.SMD
> >> X-Note:========================
> >>
> >> i dont know how to attach them here,
> >> you can download at http://finsage.com/newyears.scr
> >>
> >> ---
> >> [This E-mail was scanned for viruses by Declude EVA www.declude.com]
> >>
> >> ---
> >> This E-mail came from the Declude.JunkMail mailing list. To
> >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
> >> "unsubscribe Declude.JunkMail". The archives can be found at
> >> http://www.mail-archive.com.
