Re: viruses from mailinglist

Hello List,

Today we (a friend and I) received an e-mail with a zipped Windows
executable.

[eMail]
Dear user of e-mail server "Initdefault.de",

Your e-mail account  has been temporary disabled because  of
unauthorized access.

For details  see  the  attached file.

Attached file protected with the password for  security reasons. 
Password  is 40403.

Kind regards,
    The Initdefault.de  team                              
http://www.initdefault.de
[/eMail]


I unpacked it and used strings on it:

[code]
1.24
UPX!
=`q@
VWS?
SV23
	0vm
vkU}
#64={c
Fc`1
6;[,
jd n
/Ih	
2`d0
VukxV4
gE#D
3Y(|
 @E 
davh8
m*+k
3R1j
`?XRN`
\SWh
1hl]
/6Ys
?sra
!t{5P
!}8SnB	
9vqH
*g^}
.{|xJN
8-updt
delt	@
jZ>{%4I
h*kv
o1@@
D%fO
-Q/R#
e,%`
QR6a
}6ZB
x<CNG
8+c$
E/(,@
f'fZf;U
PGX=
=220;
G+,6
h_R+
^p>354s]
+}JOX
4VD^
r9Ko
Qz.O
{"H0}
<9v$<A
:Huj.#
@u~'#
_ZWR
ZB,4
"Pjm
%EWzWh
{R6@
R,fgUif
RAV4
hCg@
G=iVh
FmAi
lfpb
.>N^4
XRP'[
cS&[
({BPk
VVV/R_
Kx `1~
3-c6
]}'jv
,048
<@DH
LPTX
\`dh
lptx
$Q222
 XT>
LQHQDQ
|@QpQlQhQ
dQ`Q\Q
,Q0Q4Q8P
.200.39
SOFTWARE\
DateTime
ss	.ex\irun4w
ATUPD
ER.EXE
LUALL
	DRWEB
WICSS
GRAD
TODOWN
)VXQ=
ACFI
v>TPOSThVLTM
http://pos
rtog.
de/scr.php
.gfotxt
.net
maiklibis=?D
%s?p=%luH
Mi#poft\Windo/
ws\CurrentV
sion\R
opzy;l
pifzip6
uplda
)C: 
To	HELO 
RSET
L FROM:<
CPT x
[%TND%]
l.com
avp.
ocal
xmldbxd
nchmf,ods
v!adIbNshueIxk
&gii
 Off
e =03 Crack, W
mk.g!y)XP w
f /Keyg
d3-<5P
B  S:e
alan< c
hiA x
SMi5sT
n Lo
h6 B
l[erUa
ia 8 New!Amp 5 P
$66M
D9 full
CD	,9
',' 
H:P:s
;Ez::$2
F_m	
G2MIME-
-TypYR
pMS1
y="-
Q"do
<t@us-
cii"-
t_ap\Zk<lea
64"D
<Ok1
 zcouqc
ta e7
&W/'yu
)3B"Imwaen%l 
Y0	zz
" He
sy'm!l	
 kuw9
~m*	I
ORPn
l@VBv
c%Bu 
f19g
KwVz
@j&B 
nsuc
eds_
_mm$
ago9lf
Jp6la
^3)I
b`y,
pxy-
$SAI
v%wb
2co_
.PTA:e
UT#a 
l:KKj1
RUPDo
Findrs
Comma
ngs3M
odu59NamGS
JckC
Klob
MapView
;C#s
Y[ECO
]T!m{
Wait-Sv
Ex	p;[
re(l`rc`
S	mpi
py	s
prc`u
ciB&h
ptgDwAV
@gJS
OnHyhx
S<l;
}DupA
RC=	TriO
UppO
mZ"p
k3nn
qU6Y
trtu
!+!s
v0li
\xyPEL
bdEd
=o`g
L@W.
KERNEL32.DLL
advapi32.dll
iphlpapi.dll
ole32.dll
SHELL32.dll
shlwapi.dll
urlmon.dll
user32.dll
wininet.dll
wsock32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
GetNetworkParams
CoInitialize
ShellExecuteA
StrDupA
URLDownloadToFileA
wsprintfA
InternetOpenA
bind

[/code]

Seems like worm code to me ;) (just guessing, because of the SMTP
commands and the DLL names)

The e-mail headers gave me the following e-mail address, which is registered
here on the list:

aamehl@xxxxxxxxxxxx

I informed the user and asked him or her to please check the system.

Anyone else with similar e-mails?

regards: Bernd


Sorry for my bad English, I hope you can read it :)



On Tue, 2004-02-24 at 14:57, Joolz wrote:
> Since a week or so I keep getting lots of email from the list with 29K
> zip attachments. AFAIK these are viruses (Mydoom?).
> 
> They don't hurt my system, procmail handles them. But wouldn't it be
> better to filter these out before they get sent to the mailinglist?
> 
> Thanks!
> 
> -- 
> 14:53-14:57
> Fedora Core release 1 (Yarrow) Linux 2.4.22-1.2174.nptl
> 
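The triage Bernd describes (password in the body, zipped executable, strings on the unpacked file, SMTP verbs and networking DLLs as the tell) and the list-side filter Joolz asks about can both be done by one small script that never runs the attachment. The following is an added example, not code from either poster: it parses a message, pulls the password out of the body, opens the zip attachment in memory, sweeps any executable member with a `strings -n 4` equivalent and flags the indicator families visible in the dump above (the UPX marker, HELO/RSET/MAIL FROM/RCPT TO, wsock32/wininet/urlmon and their APIs, and the `CurrentVersion\Run` fragment). The message, the sender address, the subject and the "binary" are constructed stand-ins built from the readable fragments in the post; they are not the real attachment, and the sample zip is unencrypted because `zipfile` cannot write encrypted archives.

```python
"""Triage of a mail-borne zipped executable without running it.  The message and
the binary are constructed for this example; they are not the real attachment."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

EXEC_SUFFIXES = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd")
PASSWORD_RE = re.compile(r"password\s+is\s*:?\s*(\w+)", re.I)

# Indicator strings, grouped the way an analyst reads a strings dump.
INDICATORS = {
    "packer": [b"UPX!"],                        # packed: run `upx -d` before trusting strings
    "smtp": [b"HELO", b"EHLO", b"MAIL FROM:", b"RCPT TO:", b"RSET"],  # own SMTP engine
    "network_imports": [b"wsock32.dll", b"wininet.dll", b"urlmon.dll",
                        b"URLDownloadToFileA", b"InternetOpenA", b"GetNetworkParams"],
    "persistence": [b"CurrentVersion\\Run"],    # autostart key; garbled by the packer in the post
}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Same rule as `strings -n 4`: runs of at least min_len printable ASCII bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def scan_strings(data: bytes) -> dict:
    """Map indicator category -> sorted list of matching strings (case-insensitive)."""
    hits = {}
    for s in extract_strings(data):
        low = s.lower()
        for category, needles in INDICATORS.items():
            if any(n.lower() in low for n in needles):
                hits.setdefault(category, set()).add(s.decode("ascii"))
    return {k: sorted(v) for k, v in hits.items()}


def triage(raw_message: bytes) -> dict:
    """Parse one RFC 822 message and report on executables inside zip attachments."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    m = PASSWORD_RE.search(body.get_content() if body else "")
    password = m.group(1).encode() if m else None
    report = {"password": m.group(1) if m else None, "members": []}
    for part in msg.iter_attachments():
        if not part.get_filename("").lower().endswith(".zip"):
            continue
        with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
            for info in zf.infolist():
                if not info.filename.lower().endswith(EXEC_SUFFIXES):
                    continue
                # pwd is only consulted for encrypted members; zipfile ignores it otherwise.
                data = zf.read(info, pwd=password)
                report["members"].append({"name": info.filename,
                                          "indicators": scan_strings(data)})
    # For the list filter Joolz asked about, an executable inside a zip attachment is
    # already reason to hold the mail; the strings hits are the analyst's second look.
    report["quarantine"] = bool(report["members"])
    return report


def build_sample_binary() -> bytes:
    """Constructed stand-in for the attachment: readable fragments from the post's
    strings dump, separated by non-printable filler so each comes out as one string."""
    fragments = [b"UPX!", b"HELO ", b"RSET", b"MAIL FROM:<", b"RCPT TO:<",
                 b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
                 b"KERNEL32.DLL", b"wsock32.dll", b"wininet.dll", b"urlmon.dll",
                 b"URLDownloadToFileA", b"InternetOpenA", b"GetNetworkParams"]
    filler = bytes(range(32))
    return b"MZ" + filler + filler.join(fragments)


def build_sample_message() -> bytes:
    """Constructed copy of the lure mail with a zip wrapping the sample binary.
    Sender and subject are placeholders; the zip is unencrypted (zipfile limitation)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("details.exe", build_sample_binary())
    msg = EmailMessage()
    msg["From"] = "sender@example.com"        # constructed; the real one was a list member
    msg["To"] = "user@example.com"            # constructed
    msg["Subject"] = "E-mail account disabled"  # constructed
    msg.set_content("Dear user of e-mail server \"Initdefault.de\",\n\n"
                    "Attached file protected with the password for  security reasons.\n"
                    "Password  is 40403.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="details.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_message()), indent=2))
```

Two caveats from the dump itself: the `UPX!` marker means most of the listing is compressed junk, so on the real file you would run `upx -d` on a copy before `strings` to get the full import table and the SMTP templates in the clear; and a password-protected zip whose password is printed in the body is a mail-gateway signal on its own, since a legitimate sender has no reason to do that.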

