I got a similar message... it had something called "bagel" in it.

On Wed, Mar 10, 2004 at 11:55:07PM +0100, Bernd Kauling wrote:
> Hello List,
>
> today we (a friend and me) received an eMail with a zipped windows
> executable.
>
> [eMail]
> Dear user of e-mail server "Initdefault.de",
>
> Your e-mail account has been temporary disabled because of
> unauthorized access.
>
> For details see the attached file.
>
> Attached file protected with the password for security reasons.
> Password is 40403.
>
> Kind regards,
> The Initdefault.de team
> http://www.initdefault.de
> [/eMail]
>
>
> I unpacked it and used strings on it:
>
> [code]
> 1.24
> UPX!
> =`q@
> VWS?
> SV23
> 0vm
> vkU}
> #64={c
> Fc`1
> 6;[,
> jd n
> /Ih
> 2`d0
> VukxV4
> gE#D
> 3Y(|
> @E
> davh8
> m*+k
> 3R1j
> `?XRN`
> \SWh
> 1hl]
> /6Ys
> ?sra
> !t{5P
> !}8SnB
> 9vqH
> *g^}
> .{|xJN
> 8-updt
> delt @
> jZ>{%4I
> h*kv
> o1@@
> D%fO
> -Q/R#
> e,%`
> QR6a
> }6ZB
> x<CNG
> 8+c$
> E/(,@
> f'fZf;U
> PGX=
> =220;
> G+,6
> h_R+
> ^p>354s]
> +}JOX
> 4VD^
> r9Ko
> Qz.O
> {"H0}
> <9v$<A
> :Huj.#
> @u~'#
> _ZWR
> ZB,4
> "Pjm
> %EWzWh
> {R6@
> R,fgUif
> RAV4
> hCg@
> G=iVh
> FmAi
> lfpb
> .>N^4
> XRP'[
> cS&[
> ({BPk
> VVV/R_
> Kx `1~
> 3-c6
> ]}'jv
> ,048
> <@DH
> LPTX
> \`dh
> lptx
> $Q222
> XT>
> LQHQDQ
> |@QpQlQhQ
> dQ`Q\Q
> ,Q0Q4Q8P
> .200.39
> SOFTWARE\
> DateTime
> ss .ex\irun4w
> ATUPD
> ER.EXE
> LUALL
> DRWEB
> WICSS
> GRAD
> TODOWN
> )VXQ=
> ACFI
> v>TPOSThVLTM
> http://pos
> rtog.
> de/scr.php
> .gfotxt
> .net
> maiklibis=?D
> %s?p=%luH
> Mi#poft\Windo/
> ws\CurrentV
> sion\R
> opzy;l
> pifzip6
> uplda
> )C:
> To HELO
> RSET
> L FROM:<
> CPT x
> [%TND%]
> l.com
> avp.
> ocal
> xmldbxd
> nchmf,ods
> v!adIbNshueIxk
> &gii
> Off
> e =03 Crack, W
> mk.g!y)XP w
> f /Keyg
> d3-<5P
> B S:e
> alan< c
> hiA x
> SMi5sT
> n Lo
> h6 B
> l[erUa
> ia 8 New!Amp 5 P
> $66M
> D9 full
> CD ,9
> ','
> H:P:s
> ;Ez::$2
> F_m
> G2MIME-
> -TypYR
> pMS1
> y="-
> Q"do
> <t@us-
> cii"-
> t_ap\Zk<lea
> 64"D
> <Ok1
> zcouqc
> ta e7
> &W/'yu
> )3B"Imwaen%l
> Y0 zz
> " He
> sy'm!l
> kuw9
> ~m* I
> ORPn
> l@VBv
> c%Bu
> f19g
> KwVz
> @j&B
> nsuc
> eds_
> _mm$
> ago9lf
> Jp6la
> ^3)I
> b`y,
> pxy-
> $SAI
> v%wb
> 2co_
> .PTA:e
> UT#a
> l:KKj1
> RUPDo
> Findrs
> Comma
> ngs3M
> odu59NamGS
> JckC
> Klob
> MapView
> ;C#s
> Y[ECO
> ]T!m{
> Wait-Sv
> Ex p;[
> re(l`rc`
> S mpi
> py s
> prc`u
> ciB&h
> ptgDwAV
> @gJS
> OnHyhx
> S<l;
> }DupA
> RC= TriO
> UppO
> mZ"p
> k3nn
> qU6Y
> trtu
> !+!s
> v0li
> \xyPEL
> bdEd
> =o`g
> L@W.
> KERNEL32.DLL
> advapi32.dll
> iphlpapi.dll
> ole32.dll
> SHELL32.dll
> shlwapi.dll
> urlmon.dll
> user32.dll
> wininet.dll
> wsock32.dll
> LoadLibraryA
> GetProcAddress
> ExitProcess
> RegCloseKey
> GetNetworkParams
> CoInitialize
> ShellExecuteA
> StrDupA
> URLDownloadToFileA
> wsprintfA
> InternetOpenA
> bind
>
> [/code]
>
> Seems like worm code to me ;) (just guessing, because of the SMTP
> commands and the DLL names)
>
> The eMail headers gave me following eMail address, which is registered
> here in the list:
>
> aamehl@xxxxxxxxxxxx
>
> I informed the user, that he or she will please check his system.
>
> Any others with similar eMails?
>
> regards: Bernd
>
>
> sorry for my bad English, hope you can read it :)
>
>
>
> On Tue, 2004-02-24 at 14:57, Joolz wrote:
> > Since a week or so I keep getting lots of email from the list with 29K
> > zip attachments. AFAIK these are viruses (Mydoom?).
> >
> > They don't hurt my system, procmail handles them. But wouldn't it be
> > better to filter these out before they get sent to the mailinglist?
> >
> > Thanks!
> >
> > --
> > 14:53-14:57
> > Fedora Core release 1 (Yarrow) Linux 2.4.22-1.2174.nptl
> >
>
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
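
The triage reasoning in the quoted message (SMTP commands plus DLL names in `strings` output) written out as a small script. This is an added example, not part of the original thread; the category names, rule set and `triage`/`verdict` helpers are this example's own assumptions, and the sample input is a handful of lines copied from the dump quoted above.

```python
import re

# Constructed sample: a few lines copied from the strings dump quoted above.
SAMPLE = "\n".join([
    "UPX!", "SOFTWARE\\", "RSET", "To HELO", "KERNEL32.DLL", "wininet.dll",
    "wsock32.dll", "URLDownloadToFileA", "InternetOpenA", "ShellExecuteA",
    "RegCloseKey", "bind", "VukxV4",
])

# Category -> pattern. The grouping is a heuristic chosen for this example.
RULES = {
    "packer": re.compile(r"^UPX[!0-9]"),
    "smtp": re.compile(r"\b(HELO|EHLO|RSET|MAIL FROM|RCPT TO|DATA|QUIT)\b"),
    "network": re.compile(
        r"^(wininet|wsock32|ws2_32|urlmon|iphlpapi)\.dll$"
        r"|^(bind|InternetOpenA|URLDownloadToFileA|GetNetworkParams)$", re.I),
    "execute": re.compile(r"^(ShellExecuteA|WinExec|CreateProcessA)$"),
    "registry": re.compile(r"^Reg\w+Key|^SOFTWARE\\", re.I),
}

def triage(strings_output):
    """Sort each line of `strings` output into the categories it matches."""
    hits = {name: [] for name in RULES}
    for line in strings_output.splitlines():
        s = line.strip()
        for name, rx in RULES.items():
            if rx.search(s):
                hits[name].append(s)
    return hits

def verdict(hits):
    """Turn category hits into analyst notes; a hint for triage, not proof."""
    notes = []
    if hits["packer"]:
        # A packed file shows only fragments, so a missing string proves nothing.
        notes.append("packed: unpack before trusting absent strings")
    if hits["smtp"] and hits["network"]:
        notes.append("SMTP verbs with socket/HTTP imports: may send its own mail")
    if hits["network"] and hits["execute"]:
        notes.append("download and execute imports both present")
    return notes

if __name__ == "__main__":
    result = triage(SAMPLE)
    for category, matched in result.items():
        print(f"{category:9} {matched}")
    for note in verdict(result):
        print("note:", note)
```

The `UPX!` marker explains why so much of the dump is fragments such as `Mi#poft\Windo/`: the file is compressed, so `strings` is best rerun on the unpacked image before drawing conclusions.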