Bernd Kauling wrote:
Hello List,
today we (a friend and me) recieved an eMail with a zipped windows executable.
[eMail] Dear user of e-mail server "Initdefault.de",
Your e-mail account has been temporary disabled because of unauthorized access.
For details see the attached file.
Attached file protected with the password for security reasons. Password is 40403.
Kind regards,
The Initdefault.de team http://www.initdefault.de
[/eMail]
I unpacked it and used strings on it:
[code]
1.24
UPX!
=`q@
VWS?
SV23
0vm
vkU}
#64={c
Fc`1
6;[,
jd n
/Ih
2`d0
VukxV4
gE#D
3Y(|
@E davh8
m*+k
3R1j
`?XRN`
\SWh
1hl]
/6Ys
?sra
!t{5P
!}8SnB
9vqH
*g^}
.{|xJN
8-updt
delt @
jZ>{%4I
h*kv
o1@@
D%fO
-Q/R#
e,%`
QR6a
}6ZB
x<CNG
8+c$
E/(,@
f'fZf;U
PGX=
=220;
G+,6
h_R+
^p>354s]
+}JOX
4VD^
r9Ko
Qz.O
{"H0}
<9v$<A
:Huj.#
@u~'#
_ZWR
ZB,4
"Pjm
%EWzWh
{R6@
R,fgUif
RAV4
hCg@
G=iVh
FmAi
lfpb
.>N^4
XRP'[
cS&[
({BPk
VVV/R_
Kx `1~
3-c6
]}'jv
,048
<@DH
LPTX
\`dh
lptx
$Q222
XT>
LQHQDQ
|@QpQlQhQ
dQ`Q\Q
,Q0Q4Q8P
.200.39
SOFTWARE\
DateTime
ss .ex\irun4w
ATUPD
ER.EXE
LUALL
DRWEB
WICSS
GRAD
TODOWN
)VXQ=
ACFI
v>TPOSThVLTM
http://pos
rtog.
de/scr.php
.gfotxt
.net
maiklibis=?D
%s?p=%luH
Mi#poft\Windo/
ws\CurrentV
sion\R
opzy;l
pifzip6
uplda
)C: To HELO RSET
L FROM:<
CPT x
[%TND%]
l.com
avp.
ocal
xmldbxd
nchmf,ods
v!adIbNshueIxk
&gii
Off
e =03 Crack, W
mk.g!y)XP w
f /Keyg
d3-<5P
B S:e
alan< c
hiA x
SMi5sT
n Lo
h6 B
l[erUa
ia 8 New!Amp 5 P
$66M
D9 full
CD ,9
',' H:P:s
;Ez::$2
F_m
G2MIME-
-TypYR
pMS1
y="-
Q"do
<t@us-
cii"-
t_ap\Zk<lea
64"D
<Ok1
zcouqc
ta e7
&W/'yu
)3B"Imwaen%l Y0 zz
" He
sy'm!l
kuw9
~m* I
ORPn
l@VBv
c%Bu f19g
KwVz
@j&B nsuc
eds_
_mm$
ago9lf
Jp6la
^3)I
b`y,
pxy-
$SAI
v%wb
2co_
.PTA:e
UT#a l:KKj1
RUPDo
Findrs
Comma
ngs3M
odu59NamGS
JckC
Klob
MapView
;C#s
Y[ECO
]T!m{
Wait-Sv
Ex p;[
re(l`rc`
S mpi
py s
prc`u
ciB&h
ptgDwAV
@gJS
OnHyhx
S<l;
}DupA
RC= TriO
UppO
mZ"p
k3nn
qU6Y
trtu
!+!s
v0li
\xyPEL
bdEd
=o`g
L@W.
KERNEL32.DLL
advapi32.dll
iphlpapi.dll
ole32.dll
SHELL32.dll
shlwapi.dll
urlmon.dll
user32.dll
wininet.dll
wsock32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
GetNetworkParams
CoInitialize
ShellExecuteA
StrDupA
URLDownloadToFileA
wsprintfA
InternetOpenA
bind
[/code]
Seems like worm code to me ;) (just guessing, because of the SMTP commands and the DLL names)
The eMail headers gave me following eMail address, which is registered
here in the list:
aamehl@xxxxxxxxxxxx
I informed the user, that he or she will please check his system.
Any others with simmilar eMails?
regards: Bernd
sorry for my bad english, hope you can read it :)
Am Die, 2004-02-24 um 14.57 schrieb Joolz:
Since a week or so I keep getting lots of email from the list with 29K zip attachments. AFAIK these are viruses (Mydoom?).
They don't hurt my system, procmail handles them. But wouldn't it be better to filter these out before they get sent to the mailinglist?
Thanks!
-- 14:53-14:57 Fedora Core release 1 (Yarrow) Linux 2.4.22-1.2174.nptl
Thanks for posting what was in the zip. I never opened it to see.
I was passing on the blinux-list to a couple of friends that are blind. I had to also inform them that the zips contained a virus and not to open the attachments.
Having the virus containing posts within the list archive is probably not a good thing to have. If people that are running windows happen onto the site and open the attachments, it would not help with attempting to increase Linux usage numbers. That is, unless you tell them to download the installation iso files, instruct them on how to burn the CDs, before reading the archives.
I think the attachments ought to be at least dropped from the list archives.
Jim
