Hello List, today we (a friend and I) received an eMail with a zipped Windows executable.

[eMail]
Dear user of e-mail server "Initdefault.de", Your e-mail account has been temporary disabled because of unauthorized access. For details see the attached file. Attached file protected with the password for security reasons. Password is 40403. Kind regards, The Initdefault.de team http://www.initdefault.de
[/eMail]

I unpacked it and used strings on it:

[code]
1.24 UPX! =`q@ VWS? SV23 0vm vkU} #64={c Fc`1 6;[, jd n /Ih 2`d0 VukxV4 gE#D 3Y(| @E davh8 m*+k 3R1j `?XRN` \SWh 1hl] /6Ys ?sra !t{5P !}8SnB 9vqH *g^} .{|xJN 8-updt delt @ jZ>{%4I h*kv o1@@ D%fO -Q/R# e,%` QR6a }6ZB x<CNG 8+c$ E/(,@ f'fZf;U PGX= =220; G+,6 h_R+ ^p>354s] +}JOX 4VD^ r9Ko Qz.O {"H0} <9v$<A :Huj.# @u~'# _ZWR ZB,4 "Pjm %EWzWh {R6@ R,fgUif RAV4 hCg@ G=iVh FmAi lfpb .>N^4 XRP'[ cS&[ ({BPk VVV/R_ Kx `1~ 3-c6 ]}'jv ,048 <@DH LPTX \`dh lptx $Q222 XT> LQHQDQ |@QpQlQhQ dQ`Q\Q ,Q0Q4Q8P .200.39 SOFTWARE\ DateTime ss .ex\irun4w ATUPD ER.EXE LUALL DRWEB WICSS GRAD TODOWN )VXQ= ACFI v>TPOSThVLTM http://pos rtog. de/scr.php .gfotxt .net maiklibis=?D %s?p=%luH Mi#poft\Windo/ ws\CurrentV sion\R opzy;l pifzip6 uplda )C: To HELO RSET L FROM:< CPT x [%TND%] l.com avp. ocal xmldbxd nchmf,ods v!adIbNshueIxk &gii Off e =03 Crack, W mk.g!y)XP w f /Keyg d3-<5P B S:e alan< c hiA x SMi5sT n Lo h6 B l[erUa ia 8 New!Amp 5 P $66M D9 full CD ,9 ',' H:P:s ;Ez::$2 F_m G2MIME- -TypYR pMS1 y="- Q"do <t@us- cii"- t_ap\Zk<lea 64"D <Ok1 zcouqc ta e7 &W/'yu )3B"Imwaen%l Y0 zz " He sy'm!l kuw9 ~m* I ORPn l@VBv c%Bu f19g KwVz @j&B nsuc eds_ _mm$ ago9lf Jp6la ^3)I b`y, pxy- $SAI v%wb 2co_ .PTA:e UT#a l:KKj1 RUPDo Findrs Comma ngs3M odu59NamGS JckC Klob MapView ;C#s Y[ECO ]T!m{ Wait-Sv Ex p;[ re(l`rc` S mpi py s prc`u ciB&h ptgDwAV @gJS OnHyhx S<l; }DupA RC= TriO UppO mZ"p k3nn qU6Y trtu !+!s v0li \xyPEL bdEd =o`g L@W.
KERNEL32.DLL advapi32.dll iphlpapi.dll ole32.dll SHELL32.dll shlwapi.dll urlmon.dll user32.dll wininet.dll wsock32.dll LoadLibraryA GetProcAddress ExitProcess RegCloseKey GetNetworkParams CoInitialize ShellExecuteA StrDupA URLDownloadToFileA wsprintfA InternetOpenA bind
[/code]

Seems like worm code to me ;) (just guessing, because of the SMTP commands and the DLL names). The eMail headers gave me the following eMail address, which is registered here on the list: aamehl@xxxxxxxxxxxx

I informed the user that he or she will please check his or her system. Any others with similar eMails?

regards: Bernd

sorry for my bad English, hope you can read it :)

On Tue, 2004-02-24 at 14:57, Joolz wrote:
> Since a week or so I keep getting lots of email from the list with 29K
> zip attachments. AFAIK these are viruses (Mydoom?).
>
> They don't hurt my system, procmail handles them. But wouldn't it be
> better to filter these out before they get sent to the mailinglist?
>
> Thanks!
>
> --
> 14:53-14:57
> Fedora Core release 1 (Yarrow) Linux 2.4.22-1.2174.nptl
>
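A small triage script for the pattern described in this thread (a zip attachment whose password is quoted in the mail body, with the unpacked contents checked for the kind of strings Bernd found), added here as an example and not part of the original mailing-list post. The sample mail, sender/recipient addresses and attachment names are constructed for the demonstration; the zip member is a stand-in byte string, not a real executable.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the strings dump in the post: the UPX packer marker,
# SMTP verbs, and imports a mass-mailer uses to fetch and launch a payload.
INDICATORS = [b"UPX!", b"HELO", b"RSET", b"FROM:<",
              b"URLDownloadToFileA", b"ShellExecuteA", b"wsock32.dll"]
PASSWORD_RE = re.compile(r"[Pp]assword\s+is\s+(\d+)")

def triage(raw: bytes) -> dict:
    """Flag a zip whose password is quoted in the body and scan its members."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    found = PASSWORD_RE.search(body.get_content() if body else "")
    pwd = found.group(1).encode() if found else None
    report = {"password_in_body": found.group(1) if found else None,
              "zip_attachments": [], "hits": []}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not data.startswith(b"PK\x03\x04"):  # zip local-file header
            continue
        report["zip_attachments"].append(part.get_filename() or "")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                content = zf.read(info, pwd=pwd)  # pwd ignored for unencrypted members
                hits = [i.decode() for i in INDICATORS if i in content]
                if hits:
                    report["hits"].append((info.filename, hits))
    return report

def build_sample() -> bytes:
    """Constructed sample modelled on the mail in the post; the zip member is a
    stand-in carrying a few of the dumped strings, not a real executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe",
                    b"MZ UPX! HELO RSET MAIL FROM:< wsock32.dll URLDownloadToFileA")
    msg = EmailMessage()
    msg["From"], msg["To"] = "team@initdefault.invalid", "user@example.invalid"
    msg["Subject"] = "Your e-mail account"
    msg.set_content("Your e-mail account has been temporary disabled.\n"
                    "Attached file protected with the password. Password is 40403.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()
```

On a real message from this campaign the password found in the body is passed to zipfile, which can read legacy ZipCrypto-protected members; the report then shows which members carry the indicators.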