On Thursday 13 November 2003 04:43 pm, Larry Hand wrote:
> Anyone else seeing this? It comes with an attachment Paypal.asp.scr.
> Anyone know what it is? It sure looks suspicious.

And a bunch of people answered! Thanks to you all.

Thanks for the links. I expect it's that MiMail trojan. It's rare that a virus gets through the filters here. Apparently it's a new variant which slipped in before the newest AV signature updates were installed. Since NAI didn't find out about it until today, I guess that's reasonable :-)

As for the Yahoo involvement, my headers (I should have included the full headers the first time, oops, my bad) were:

>From [EMAIL PROTECTED] Fri Nov 14 00:29:00 2003
Received: from 62.42.15.89 [62.42.15.89] by co.la.ca.us (SMTPD32-6.06) id A23C519B00DE; Thu, 13 Nov 2003 16:30:52 -0800
Date: Fri, 14 Nov 2003 03:29:00 -0500
From: PayPal.com <[EMAIL PROTECTED]>
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
Reply-To: [EMAIL PROTECTED]
Organization: None
X-Priority: 1 (High)
To: [EMAIL PROTECTED]
Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------716A2B1C01688342"
Message-Id: <[EMAIL PROTECTED]>
X-RCPT-TO: <[EMAIL PROTECTED]>
X-UIDL: 294245102
Status: R
X-Status: N

The author did a pretty good job of hiding his tracks. Only the IP address (VA1-1D-u-0856.mc.onolab.com. apparently from Spain) and the fact that it was sent by Outlook Express give a hint that it didn't really come from PayPal.

A few people asked for the file. I've attached it as suggested: zipped and encrypted with "infected" as the password.

Thanks again for all the help.

paypal.zip
Description: paypal attachment
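
Added example, not part of the original post: a small Python triage that checks a message for the hints the post points out (a relay identified only by its IP address, brand-claiming mail composed in a desktop client) plus the double-extension attachment name from the quoted question. The sample message is constructed from the headers above with placeholder addresses and a made-up boundary; the function name, finding labels and extension list are assumptions, as is reading the first token after `from` in the Received line as the name the sender announced.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted in the post.
SAMPLE = """\
Received: from 62.42.15.89 [62.42.15.89] by co.la.ca.us (SMTPD32-6.06)
 id A23C519B00DE; Thu, 13 Nov 2003 16:30:52 -0800
From: PayPal.com <sender@example.invalid>
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
To: user@example.invalid
Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

constructed body
--b1
Content-Type: application/octet-stream; name="Paypal.asp.scr"
Content-Disposition: attachment; filename="Paypal.asp.scr"

placeholder
--b1--
"""

DESKTOP_MUA = re.compile(r"outlook express", re.I)   # assumed client list
EXEC_EXT = {".scr", ".pif", ".exe", ".com", ".bat"}  # assumed extension list
RECEIVED = re.compile(r"from\s+(\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def triage(raw, brand="paypal"):
    """Return a list of hint labels for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    claimed = (msg.get("From", "") + msg.get("Subject", "")).lower()
    # Hint 1: the sending host gave no name, only its own IP address.
    m = RECEIVED.search(msg.get("Received", ""))
    if m and m.group(1) == m.group(2):
        findings.append("relay-announced-as-bare-ip")
    # Hint 2: mail claiming to be from the brand, written in a desktop client.
    if brand in claimed and DESKTOP_MUA.search(msg.get("X-Mailer", "")):
        findings.append("brand-mail-from-desktop-client")
    # Hint 3: attachment such as name.asp.scr, where the last extension runs.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        pieces = name.rsplit(".", 2)
        if len(pieces) == 3 and "." + pieces[2] in EXEC_EXT:
            findings.append("double-extension-executable:" + name)
    return findings
```

None of these hints is conclusive alone; they are reasons to hold a message for closer inspection.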
