Re: [Full-Disclosure] Has anyone seen this in their e-mail

Tue, 09 Mar 2004 10:54:20 -0800

Aschwin Wesselius wrote: 
On Tue, 2004-03-09 at 01:44, Edward W. Ray wrote:
  
This e-mail was addressed to my mail server.  It even looked 
authentic, but since my mail server never sends me zip attachments I 
thought it strange.

Please be careful when opening.  The zip file contains an executable,
and I would assume it is some kind of virus or worm.

Has anyone else seen something similar?

Regards,

Edward W. Ray

    

Yeah, this looks like one I've got yesterday too. 

The message was different and even the password was different (clever
virus-writer huh). I bet it is a Bagle.Gen-zippwd (who gives them names
actually?) sort of worm, but am not sure. 

I dare not to open it at all. At least my ClamAssassin fetched it and
sorted it into my Virus folder. This means that ClamAV (for Linux)
recognizes it as a worm/virus

Kind regards,

Aschwin Wesselius

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
I Suspect that it is a targetted long term attack
against higher targets
see the one below from march 3,2004

I saw this one the other day
I thought the guys I hosted with wrote better english
Suspicious fromthe start

From - Wed Mar  3 08:48:00 2004
X-UIDL: &jJ"!-ek"!S[/"!8>c!!
X-Mozilla-Status: 1001
X-Mozilla-Status2: 10000000
Return-Path: <[EMAIL PROTECTED]>
Received: from techsp05 ([203.177.127.113])
	by changed.not (8.10.2/8.9.3) with SMTP id i23CZqe08455
	for <[EMAIL PROTECTED]>; Wed, 3 Mar 2004 08:35:53 -0400
Date: Wed, 03 Mar 2004 20:43:45 +0800
To: [EMAIL PROTECTED]
Subject: Notify about using the e-mail account.
From: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--------iwmrgskpbqjqjvtotrwg"
X-UIDL: &jJ"!-ek"!S[/"!8>c!!

----------iwmrgskpbqjqjvtotrwg
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Dear user  of e-mail server "mydomain.xx",

Our main  mailing server will  be temporary unavaible for next two days, 
to continue receiving mail in these days you have  to configure our free
auto-forwarding  service.

For details see the attached file.

Attached file protected with the  password for security reasons.  Password is 55366.

Cheers,
     The mydomain team                                http://www.mydomain

----------iwmrgskpbqjqjvtotrwg
Content-Type: application/octet-stream; name="TextDocument.zap"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="TextDocument.zap"

some zipped bad file here=

----------iwmrgskpbqjqjvtotrwg--

Reply via email to