On Sat, 17 Jan 2004 10:12:54 +0000
Anne Wilson <[EMAIL PROTECTED]> wrote:
> > > This file was downloaded from the mandrake cooker ftp site.
> > > The ultimate question is now, I wonder if my server is infected.
> >
> > It's just a text file that comes in the package. Since it's called
> > 'nimda', AVG is picking it up. It would pick up anything with the
> > word 'nimda'
>
> Troy - I never saw your original mail. Joe may well be right, but I'd
> still ask the question at [EMAIL PROTECTED], just to be
> sure.
Here's the contents of that file, if yer interested. I have it on my system.
It's an example of a mail which is infected with Nimda, IIANM, since Nimda
uses the 'iframe' exploit.

Received: from tom.interq.or.jp (tom.interq.or.jp [210.172.128.229])
    by imap.interq.or.jp with ESMTP id f8J1sCHb006936
    for <[EMAIL PROTECTED]>;
    Wed, 19 Sep 2001 10:54:13 +0900 (JST)
Received: from master.debian.org ([EMAIL PROTECTED] [216.234.231.130])
    by tom.interq.or.jp with ESMTP id f8J1sAS04533
    for <[EMAIL PROTECTED]>; ) Wed, 19 Sep 2001 10:54:11 +0900 (JST)
Date: Wed, 19 Sep 2001 10:54:11 +0900 (JST)
From: <[EMAIL PROTECTED]>
Subject: C:\WINNT\mmc.exebqinsghtmstaskicwconnhtml
helpdialerhypertrmgotodlgmsicwie6bakieexbqqviewie6bakeudcediticwdldwintlreadmeh
ypertrmmsicwnpbqv32hypertrmic$
MIME-Version: 1.0
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
    boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>

--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
    name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

XXXX

--====_ABC1234567890DEF_====

--
JoeHill ++ ICQ # 280779813
Registered Linux user #282046
Homepage: www.orderinchaos.org
+++++++++++++++++++++++++++
"Superstition, idolatry, and hypocrisy have ample wages, but truth goes
a-begging."
-- Martin Luther
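
Added example, not part of the original post or of the package being discussed: a structural check for the pattern visible in the sample mail above, where an HTML part's iframe references by `cid:` an attachment declared as `audio/x-wav` but named `readme.exe`. The function name, the extension list and the sample payload are assumptions made for this sketch; matching on structure rather than on the word 'nimda' avoids flagging a text file just because of its name.

```python
import re
from email import message_from_string

EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")
# <iframe> whose src is a cid: reference to another MIME part
IFRAME_CID = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']?cid:([^\s\"'>]+)", re.I)

def find_disguised_inline_executables(raw):
    """Flag executable-named, non-application parts an HTML iframe loads by cid:."""
    msg = message_from_string(raw)
    referenced, attachments = set(), []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            # decode=True undoes quoted-printable, so "=3D" becomes "="
            html = (part.get_payload(decode=True) or b"").decode("latin-1")
            referenced.update(IFRAME_CID.findall(html))
        elif not part.is_multipart():
            attachments.append(part)
    findings = []
    for part in attachments:
        name = (part.get_filename() or "").lower()  # falls back to name= param
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        ctype = part.get_content_type()
        if (name.endswith(EXECUTABLE_EXT) and cid in referenced
                and not ctype.startswith("application/")):
            findings.append({"cid": cid, "name": name, "declared_type": ctype})
    return findings

# Constructed sample: same MIME layout as the mail above, harmless payload.
SAMPLE = """\
Content-Type: multipart/related; boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY><iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0></iframe></BODY></HTML>
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

cGxhY2Vob2xkZXI=
--====_ABC1234567890DEF_====--
"""
```

Calling `find_disguised_inline_executables(SAMPLE)` returns one finding for `readme.exe`; the same message with the attachment renamed to a `.wav` file returns an empty list.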