Re: viruses from mailinglist

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I got a similar message... it had something called "bagel" in it.  

On Wed, Mar 10, 2004 at 11:55:07PM +0100, Bernd Kauling wrote:
> Hello List,
> 
> today we (a friend and me) recieved an eMail with a zipped windows
> executable.
> 
> [eMail]
> Dear user of e-mail server "Initdefault.de",
> 
> Your e-mail account  has been temporary disabled because  of
> unauthorized access.
> 
> For details  see  the  attached file.
> 
> Attached file protected with the password for  security reasons. 
> Password  is 40403.
> 
> Kind regards,
>     The Initdefault.de  team                              
> http://www.initdefault.de
> [/eMail]
> 
> 
> I unpacked it and used strings on it:
> 
> [code]
> 1.24
> UPX!
> =`q@
> VWS?
> SV23
> 	0vm
> vkU}
> #64={c
> Fc`1
> 6;[,
> jd n
> /Ih	
> 2`d0
> VukxV4
> gE#D
> 3Y(|
>  @E 
> davh8
> m*+k
> 3R1j
> `?XRN`
> \SWh
> 1hl]
> /6Ys
> ?sra
> !t{5P
> !}8SnB	
> 9vqH
> *g^}
> .{|xJN
> 8-updt
> delt	@
> jZ>{%4I
> h*kv
> o1@@
> D%fO
> -Q/R#
> e,%`
> QR6a
> }6ZB
> x<CNG
> 8+c$
> E/(,@
> f'fZf;U
> PGX=
> =220;
> G+,6
> h_R+
> ^p>354s]
> +}JOX
> 4VD^
> r9Ko
> Qz.O
> {"H0}
> <9v$<A
> :Huj.#
> @u~'#
> _ZWR
> ZB,4
> "Pjm
> %EWzWh
> {R6@
> R,fgUif
> RAV4
> hCg@
> G=iVh
> FmAi
> lfpb
> .>N^4
> XRP'[
> cS&[
> ({BPk
> VVV/R_
> Kx `1~
> 3-c6
> ]}'jv
> ,048
> <@DH
> LPTX
> \`dh
> lptx
> $Q222
>  XT>
> LQHQDQ
> |@QpQlQhQ
> dQ`Q\Q
> ,Q0Q4Q8P
> .200.39
> SOFTWARE\
> DateTime
> ss	.ex\irun4w
> ATUPD
> ER.EXE
> LUALL
> 	DRWEB
> WICSS
> GRAD
> TODOWN
> )VXQ=
> ACFI
> v>TPOSThVLTM
> http://pos
> rtog.
> de/scr.php
> .gfotxt
> .net
> maiklibis=?D
> %s?p=%luH
> Mi#poft\Windo/
> ws\CurrentV
> sion\R
> opzy;l
> pifzip6
> uplda
> )C: 
> To	HELO 
> RSET
> L FROM:<
> CPT x
> [%TND%]
> l.com
> avp.
> ocal
> xmldbxd
> nchmf,ods
> v!adIbNshueIxk
> &gii
>  Off
> e =03 Crack, W
> mk.g!y)XP w
> f /Keyg
> d3-<5P
> B  S:e
> alan< c
> hiA x
> SMi5sT
> n Lo
> h6 B
> l[erUa
> ia 8 New!Amp 5 P
> $66M
> D9 full
> CD	,9
> ',' 
> H:P:s
> ;Ez::$2
> F_m	
> G2MIME-
> -TypYR
> pMS1
> y="-
> Q"do
> <t@us-
> cii"-
> t_ap\Zk<lea
> 64"D
> <Ok1
>  zcouqc
> ta e7
> &W/'yu
> )3B"Imwaen%l 
> Y0	zz
> " He
> sy'm!l	
>  kuw9
> ~m*	I
> ORPn
> l@VBv
> c%Bu 
> f19g
> KwVz
> @j&B 
> nsuc
> eds_
> _mm$
> ago9lf
> Jp6la
> ^3)I
> b`y,
> pxy-
> $SAI
> v%wb
> 2co_
> .PTA:e
> UT#a 
> l:KKj1
> RUPDo
> Findrs
> Comma
> ngs3M
> odu59NamGS
> JckC
> Klob
> MapView
> ;C#s
> Y[ECO
> ]T!m{
> Wait-Sv
> Ex	p;[
> re(l`rc`
> S	mpi
> py	s
> prc`u
> ciB&h
> ptgDwAV
> @gJS
> OnHyhx
> S<l;
> }DupA
> RC=	TriO
> UppO
> mZ"p
> k3nn
> qU6Y
> trtu
> !+!s
> v0li
> \xyPEL
> bdEd
> =o`g
> L@W.
> KERNEL32.DLL
> advapi32.dll
> iphlpapi.dll
> ole32.dll
> SHELL32.dll
> shlwapi.dll
> urlmon.dll
> user32.dll
> wininet.dll
> wsock32.dll
> LoadLibraryA
> GetProcAddress
> ExitProcess
> RegCloseKey
> GetNetworkParams
> CoInitialize
> ShellExecuteA
> StrDupA
> URLDownloadToFileA
> wsprintfA
> InternetOpenA
> bind
> 
> [/code]
> 
> Seems like worm code to me ;) (just guessing, because of the SMTP
> commands and the DLL names)
> 
> The eMail headers gave me following eMail address, which is registered
> here in the list: 
> 
> aamehl@xxxxxxxxxxxx
> 
> I informed the user, that he or she will please check his system.
> 
> Any others with simmilar eMails?
> 
> regards: Bernd
> 
> 
> sorry for my bad english, hope you can read it :)
> 
> 
> 
> Am Die, 2004-02-24 um 14.57 schrieb Joolz:
> > Since a week or so I keep getting lots of email from the list with 29K
> > zip attachments. AFAIK these are viruses (Mydoom?).
> > 
> > They don't hurt my system, procmail handles them. But wouldn't it be
> > better to filter these out before they get sent to the mailinglist?
> > 
> > Thanks!
> > 
> > -- 
> > 14:53-14:57
> > Fedora Core release 1 (Yarrow) Linux 2.4.22-1.2174.nptl
> > 
> 
> 
> -- 
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list

Attachment: pgpvYa3EfK8A6.pgp
Description: PGP signature


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux