On Tuesday 30 March 2004 3:19 am, Nick Leverton wrote:
> On Tue, Mar 30, 2004 at 03:14:47AM -0800, Tom Emerson wrote:
> > In any case, it is one to watch for [or rather, to watch for your friends
> > running "that rather susceptible system"]
>
> I would love to, but whilst you gave us snippets, you haven't given us
> the mail itself to see and try out !

well, I wouldn't want to intentionally submit a virus to an e-mail reflector,
now would I? :) That said, here is the content of the message [sans nasty
attachment] for your enjoyment:
-------the message--------
Return-Path: <[EMAIL PROTECTED]>
Received: from postoffice.pacbell.net [207.115.63.79]
        by localhost with POP3 (fetchmail-6.2.3)
        for [EMAIL PROTECTED] (single-drop); Mon, 29 Mar 2004 11:19:35 -0800 (PST)
Received: from vmj-ext.prodigy.net by vmj with SMTP; Mon, 29 Mar 2004 14:11:57 -0500
X-Originating-IP: [156.63.253.3]
Received: from pacbell.net (pix-n253-3.treca.org [156.63.253.3])
        by vmj-ext.prodigy.net (8.12.10/8.12.10) with ESMTP id i2TJBtrf044712
        for <[EMAIL PROTECTED]>; Mon, 29 Mar 2004 14:11:56 -0500
Message-Id: <[EMAIL PROTECTED]>
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Submit a Virus Sample
Date: Mon, 29 Mar 2004 14:10:51 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
X-Priority: 3
X-MSMail-Priority: Normal
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on osnut.homelinux.net
X-Spam-Status: No, hits=1.5 required=5.0 tests=BAYES_50,MIME_BOUND_NEXTPART,
        MISSING_MIMEOLE,NO_REAL_NAME,PRIORITY_NO_NAME autolearn=no
        version=2.63
X-Spam-Level: *
X-UIDL: BZ<!!lB/"!HSZ"!>A3!!
Status: RO
X-Status: R

This is a multi-part message in MIME format.

------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: text/plain;
        charset="Windows-1252"
Content-Transfer-Encoding: 7bit

Subject:
The sample file you sent contains a new virus version of buppa.k.
Please update your virus scanner with the attached dat file.
Best Regards,
Keria Reynolds

------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: application/octet-stream;
        name="signature_osnut.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="signature_osnut.zip"

[virus snipped]
-------end of message-------
I've stripped out a couple of "received" and X-kmail-* headers as these are
internal to my system / would be on all messages / would have no meaning to
folks outside of my system -- I debated about removing the X-spam headers,
but thought those might actually be useful for others to analyze/consider.
--
Top o' the Blog: Google Nirvana gone bye-bye?
http://osnut.homelinux.net/mtblog/ya_index.html
