viruses from mailinglist

Jim Cornette jim-cornette at insight.rr.com
Thu Mar 11 02:11:55 UTC 2004


Bernd Kauling wrote:

>Hello List,
>
>today we (a friend and I) received an eMail with a zipped windows
>executable.
>
>[eMail]
>Dear user of e-mail server "Initdefault.de",
>
>Your e-mail account  has been temporary disabled because  of
>unauthorized access.
>
>For details  see  the  attached file.
>
>Attached file protected with the password for  security reasons. 
>Password  is 40403.
>
>Kind regards,
>    The Initdefault.de  team                              
>http://www.initdefault.de
>[/eMail]
>
>
>I unpacked it and used strings on it:
>
>[code]
>1.24
>UPX!
>=`q@
>VWS?
>SV23
>	0vm
>vkU}
>#64={c
>Fc`1
>6;[,
>jd n
>/Ih	
>2`d0
>VukxV4
>gE#D
>3Y(|
> @E 
>davh8
>m*+k
>3R1j
>`?XRN`
>\SWh
>1hl]
>/6Ys
>?sra
>!t{5P
>!}8SnB	
>9vqH
>*g^}
>.{|xJN
>8-updt
>delt	@
>jZ>{%4I
>h*kv
>o1@@
>D%fO
>-Q/R#
>e,%`
>QR6a
>}6ZB
>x<CNG
>8+c$
>E/(,@
>f'fZf;U
>PGX=
>=220;
>G+,6
>h_R+
>^p>354s]
>+}JOX
>4VD^
>r9Ko
>Qz.O
>{"H0}
><9v$<A
>:Huj.#
>@u~'#
>_ZWR
>ZB,4
>"Pjm
>%EWzWh
>{R6@
>R,fgUif
>RAV4
>hCg@
>G=iVh
>FmAi
>lfpb
>.>N^4
>XRP'[
>cS&[
>({BPk
>VVV/R_
>Kx `1~
>3-c6
>]}'jv
>,048
><@DH
>LPTX
>\`dh
>lptx
>$Q222
> XT>
>LQHQDQ
>|@QpQlQhQ
>dQ`Q\Q
>,Q0Q4Q8P
>.200.39
>SOFTWARE\
>DateTime
>ss	.ex\irun4w
>ATUPD
>ER.EXE
>LUALL
>	DRWEB
>WICSS
>GRAD
>TODOWN
>)VXQ=
>ACFI
>v>TPOSThVLTM
>http://pos
>rtog.
>de/scr.php
>.gfotxt
>.net
>maiklibis=?D
>%s?p=%luH
>Mi#poft\Windo/
>ws\CurrentV
>sion\R
>opzy;l
>pifzip6
>uplda
>)C: 
>To	HELO 
>RSET
>L FROM:<
>CPT x
>[%TND%]
>l.com
>avp.
>ocal
>xmldbxd
>nchmf,ods
>v!adIbNshueIxk
>&gii
> Off
>e =03 Crack, W
>mk.g!y)XP w
>f /Keyg
>d3-<5P
>B  S:e
>alan< c
>hiA x
>SMi5sT
>n Lo
>h6 B
>l[erUa
>ia 8 New!Amp 5 P
>$66M
>D9 full
>CD	,9
>',' 
>H:P:s
>;Ez::$2
>F_m	
>G2MIME-
>-TypYR
>pMS1
>y="-
>Q"do
><t at us-
>cii"-
>t_ap\Zk<lea
>64"D
><Ok1
> zcouqc
>ta e7
>&W/'yu
>)3B"Imwaen%l 
>Y0	zz
>" He
>sy'm!l	
> kuw9
>~m*	I
>ORPn
>l at VBv
>c%Bu 
>f19g
>KwVz
>@j&B 
>nsuc
>eds_
>_mm$
>ago9lf
>Jp6la
>^3)I
>b`y,
>pxy-
>$SAI
>v%wb
>2co_
>.PTA:e
>UT#a 
>l:KKj1
>RUPDo
>Findrs
>Comma
>ngs3M
>odu59NamGS
>JckC
>Klob
>MapView
>;C#s
>Y[ECO
>]T!m{
>Wait-Sv
>Ex	p;[
>re(l`rc`
>S	mpi
>py	s
>prc`u
>ciB&h
>ptgDwAV
>@gJS
>OnHyhx
>S<l;
>}DupA
>RC=	TriO
>UppO
>mZ"p
>k3nn
>qU6Y
>trtu
>!+!s
>v0li
>\xyPEL
>bdEd
>=o`g
>L at W.
>KERNEL32.DLL
>advapi32.dll
>iphlpapi.dll
>ole32.dll
>SHELL32.dll
>shlwapi.dll
>urlmon.dll
>user32.dll
>wininet.dll
>wsock32.dll
>LoadLibraryA
>GetProcAddress
>ExitProcess
>RegCloseKey
>GetNetworkParams
>CoInitialize
>ShellExecuteA
>StrDupA
>URLDownloadToFileA
>wsprintfA
>InternetOpenA
>bind
>
>[/code]
>
>Seems like worm code to me ;) (just guessing, because of the SMTP
>commands and the DLL names)
>
>The eMail headers gave me the following eMail address, which is registered
>here in the list: 
>
>aamehl at bezeqint.net
>
>I informed the user that he or she should please check their system.
>
>Any others with similar eMails?
>
>regards: Bernd
>
>
>sorry for my bad English, hope you can read it :)
>
>
>
>On Tue, 2004-02-24 at 14:57, Joolz wrote:
>  
>
>>For a week or so I keep getting lots of email from the list with 29K
>>zip attachments. AFAIK these are viruses (Mydoom?).
>>
>>They don't hurt my system, procmail handles them. But wouldn't it be
>>better to filter these out before they get sent to the mailinglist?
>>
>>Thanks!
>>
>>-- 
>>14:53-14:57
>>Fedora Core release 1 (Yarrow) Linux 2.4.22-1.2174.nptl
>>
>>    
>>
>
>
>  
>

Thanks for posting what was in the zip. I never opened it to see.

I was passing on the blinux-list to a couple of friends that are blind. 
I had to also inform them that the zips contained a virus and not to 
open the attachments.

Having the virus containing posts within the list archive is probably 
not a good thing to have. If people that are running windows happen onto 
the site and open the attachments, it would not help with attempting to 
increase Linux usage numbers. That is, unless you tell them to download 
the installation iso files and instruct them on how to burn the CDs before 
reading the archives.

I think the attachments ought to be at least dropped from the list archives.

Jim
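Added example for this thread (not code from the original posts or from the Fedora list software): it reproduces the two checks the thread talks about. The first is the `strings`-style look at the attachment that Bernd describes, turning the visible indicators from his dump (the `UPX!` packer marker, SMTP verbs, network DLLs and download imports) into a scored triage. The second is the list-side filter Joolz asks for: open each zip attachment and reject it when a member name ends in a Windows executable extension. The binary bytes and the MIME message below are constructed samples, not the real attachment; the indicator lists and the executable-extension list are my choices.

```python
"""Triage helpers for a suspicious zipped attachment (constructed samples)."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed stand-in for the unpacked attachment: a PE-like header, the
# UPX marker, SMTP verbs, network DLL names and download/launch imports.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 8 + b"UPX!" + b"\x13\x37\xde\xad"
    + b"HELO \x00RSET\x00MAIL FROM:<\x00RCPT TO:<\x00"
    + b"\x01\x02wsock32.dll\x00urlmon.dll\x00"
    + b"URLDownloadToFileA\x00ShellExecuteA\x00"
)

# Indicator groups; the strings in the thread's dump fall into these.
INDICATORS = {
    "packer": ["UPX!"],
    "smtp": ["HELO", "RSET", "MAIL FROM:", "RCPT TO:"],
    "network_dll": ["wsock32.dll", "wininet.dll", "urlmon.dll"],
    "download_api": ["URLDownloadToFileA", "InternetOpenA"],
    "launch_api": ["ShellExecuteA"],
}

# Extensions a list filter would refuse inside a zip (my selection).
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Printable-ASCII runs of at least min_len bytes, like `strings -n 4`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def triage(strings: list[str]) -> dict[str, list[str]]:
    """Map each indicator group to the needles found (case-insensitive)."""
    found = {}
    for group, needles in INDICATORS.items():
        hits = sorted({n for n in needles for s in strings if n.lower() in s.lower()})
        if hits:
            found[group] = hits
    return found


def is_likely_mass_mailer(found: dict[str, list[str]]) -> bool:
    """Bernd's reasoning made explicit: SMTP verbs plus networking code."""
    return "smtp" in found and ("network_dll" in found or "download_api" in found)


def build_sample_message() -> bytes:
    """Constructed mail shaped like the one in the thread: one zip attachment
    whose only member is a Windows executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("details.exe", SAMPLE_BINARY)
    msg = EmailMessage()
    msg["From"] = "noreply@example.test"
    msg["To"] = "list@example.test"
    msg["Subject"] = "E-mail account disabled"
    msg.set_content("For details see the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="details.zip")
    return msg.as_bytes()


def zip_members_with_executables(raw_message: bytes) -> list[str]:
    """Return 'attachment:member' for every executable inside a zip attachment.

    Member names sit in the zip central directory in cleartext, so a
    password on the zip (as in the thread's mail) does not hide them and
    the filter needs no password to decide."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if not payload or not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for name in zf.namelist():
                if name.lower().endswith(EXECUTABLE_EXT):
                    flagged.append(f"{part.get_filename()}:{name}")
    return flagged


if __name__ == "__main__":
    found = triage(extract_strings(SAMPLE_BINARY))
    print("indicators:", found, "mass-mailer:", is_likely_mass_mailer(found))
    print("rejected members:", zip_members_with_executables(build_sample_message()))
```

The string triage only hints at behaviour; a packed binary shows little beyond its import table, which is exactly why the import names and SMTP verbs stand out in the dump. The attachment check is the cheap, password-independent gate a list server could apply before a message is distributed or archived.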





