Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Has anyone seen this in their e-mail
From: Steve Menard <smenard () nbnet nb ca>
Date: Tue, 09 Mar 2004 13:01:03 -0400

Aschwin Wesselius wrote:

On Tue, 2004-03-09 at 01:44, Edward W. Ray wrote:
This e-mail was addressed to my mail server. It even looked authentic, but since my mail server never sends me zip attachments I thought it strange.

Please be careful when opening.  The zip file contains an executable,
and I would assume it is some kind of virus or worm.

Has anyone else seen something similar?


Edward W. Ray

Yeah, this looks like one I've got yesterday too.
The message was different and even the password was different (clever
virus-writer huh). I bet it is a Bagle.Gen-zippwd (who gives them names
actually?) sort of worm, but am not sure.
I dare not to open it at all. At least my ClamAssassin fetched it and
sorted it into my Virus folder. This means that ClamAV (for Linux)
recognizes it as a worm/virus

Kind regards,

Aschwin Wesselius

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

I Suspect that it is a targetted long term attack
against higher targets
see the one below from march 3,2004

I saw this one the other day
I thought the guys I hosted with wrote better english
Suspicious fromthe start

From - Wed Mar  3 08:48:00 2004
X-UIDL: &jJ"!-ek"!S[/"!8>c!!
X-Mozilla-Status: 1001
X-Mozilla-Status2: 10000000
Return-Path: <lisa4 () cfl rr com>
Received: from techsp05 ([])
        by changed.not (8.10.2/8.9.3) with SMTP id i23CZqe08455
        for <me () mydomain>; Wed, 3 Mar 2004 08:35:53 -0400
Date: Wed, 03 Mar 2004 20:43:45 +0800
To: me () mydomain
Subject: Notify about using the e-mail account.
From: noreply () mydomain
Message-ID: <ocsgoycxukouajqfnbr () mydomain>
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-UIDL: &jJ"!-ek"!S[/"!8>c!!

Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Dear user  of e-mail server "mydomain.xx",

Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free
auto-forwarding  service.

For details see the attached file.

Attached file protected with the  password for security reasons.  Password is 55366.

    The mydomain team                                http://www.mydomain

Content-Type: application/octet-stream; name="TextDocument.zap"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="TextDocument.zap"

some zipped bad file here=


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]