viruses from mailinglist
Jim Cornette
jim-cornette at insight.rr.com
Thu Mar 11 02:11:55 UTC 2004
Bernd Kauling wrote:
>Hello List,
>
>today we (a friend and I) received an eMail with a zipped Windows
>executable.
>
>[eMail]
>Dear user of e-mail server "Initdefault.de",
>
>Your e-mail account has been temporary disabled because of
>unauthorized access.
>
>For details see the attached file.
>
>Attached file protected with the password for security reasons.
>Password is 40403.
>
>Kind regards,
> The Initdefault.de team
>http://www.initdefault.de
>[/eMail]
>
>
>I unpacked it and used strings on it:
>
>[code]
>1.24
>UPX!
>=`q@
>VWS?
>SV23
> 0vm
>vkU}
>#64={c
>Fc`1
>6;[,
>jd n
>/Ih
>2`d0
>VukxV4
>gE#D
>3Y(|
> @E
>davh8
>m*+k
>3R1j
>`?XRN`
>\SWh
>1hl]
>/6Ys
>?sra
>!t{5P
>!}8SnB
>9vqH
>*g^}
>.{|xJN
>8-updt
>delt @
>jZ>{%4I
>h*kv
>o1@@
>D%fO
>-Q/R#
>e,%`
>QR6a
>}6ZB
>x<CNG
>8+c$
>E/(,@
>f'fZf;U
>PGX=
>=220;
>G+,6
>h_R+
>^p>354s]
>+}JOX
>4VD^
>r9Ko
>Qz.O
>{"H0}
><9v$<A
>:Huj.#
>@u~'#
>_ZWR
>ZB,4
>"Pjm
>%EWzWh
>{R6@
>R,fgUif
>RAV4
>hCg@
>G=iVh
>FmAi
>lfpb
>.>N^4
>XRP'[
>cS&[
>({BPk
>VVV/R_
>Kx `1~
>3-c6
>]}'jv
>,048
><@DH
>LPTX
>\`dh
>lptx
>$Q222
> XT>
>LQHQDQ
>|@QpQlQhQ
>dQ`Q\Q
>,Q0Q4Q8P
>.200.39
>SOFTWARE\
>DateTime
>ss .ex\irun4w
>ATUPD
>ER.EXE
>LUALL
> DRWEB
>WICSS
>GRAD
>TODOWN
>)VXQ=
>ACFI
>v>TPOSThVLTM
>http://pos
>rtog.
>de/scr.php
>.gfotxt
>.net
>maiklibis=?D
>%s?p=%luH
>Mi#poft\Windo/
>ws\CurrentV
>sion\R
>opzy;l
>pifzip6
>uplda
>)C:
>To HELO
>RSET
>L FROM:<
>CPT x
>[%TND%]
>l.com
>avp.
>ocal
>xmldbxd
>nchmf,ods
>v!adIbNshueIxk
>&gii
> Off
>e =03 Crack, W
>mk.g!y)XP w
>f /Keyg
>d3-<5P
>B S:e
>alan< c
>hiA x
>SMi5sT
>n Lo
>h6 B
>l[erUa
>ia 8 New!Amp 5 P
>$66M
>D9 full
>CD ,9
>','
>H:P:s
>;Ez::$2
>F_m
>G2MIME-
>-TypYR
>pMS1
>y="-
>Q"do
><t at us-
>cii"-
>t_ap\Zk<lea
>64"D
><Ok1
> zcouqc
>ta e7
>&W/'yu
>)3B"Imwaen%l
>Y0 zz
>" He
>sy'm!l
> kuw9
>~m* I
>ORPn
>l at VBv
>c%Bu
>f19g
>KwVz
>@j&B
>nsuc
>eds_
>_mm$
>ago9lf
>Jp6la
>^3)I
>b`y,
>pxy-
>$SAI
>v%wb
>2co_
>.PTA:e
>UT#a
>l:KKj1
>RUPDo
>Findrs
>Comma
>ngs3M
>odu59NamGS
>JckC
>Klob
>MapView
>;C#s
>Y[ECO
>]T!m{
>Wait-Sv
>Ex p;[
>re(l`rc`
>S mpi
>py s
>prc`u
>ciB&h
>ptgDwAV
>@gJS
>OnHyhx
>S<l;
>}DupA
>RC= TriO
>UppO
>mZ"p
>k3nn
>qU6Y
>trtu
>!+!s
>v0li
>\xyPEL
>bdEd
>=o`g
>L at W.
>KERNEL32.DLL
>advapi32.dll
>iphlpapi.dll
>ole32.dll
>SHELL32.dll
>shlwapi.dll
>urlmon.dll
>user32.dll
>wininet.dll
>wsock32.dll
>LoadLibraryA
>GetProcAddress
>ExitProcess
>RegCloseKey
>GetNetworkParams
>CoInitialize
>ShellExecuteA
>StrDupA
>URLDownloadToFileA
>wsprintfA
>InternetOpenA
>bind
>
>[/code]
>
>Seems like worm code to me ;) (just guessing, because of the SMTP
>commands and the DLL names)
>
>The eMail headers gave me following eMail address, which is registered
>here in the list:
>
>aamehl at bezeqint.net
>
>I informed the user that he or she should please check his or her system.
>
>Any others with similar eMails?
>
>regards: Bernd
>
>
>sorry for my bad English, hope you can read it :)
>
>
>
>On Tue, 2004-02-24 at 14.57, Joolz wrote:
>
>
>>Since a week or so I keep getting lots of email from the list with 29K
>>zip attachments. AFAIK these are viruses (Mydoom?).
>>
>>They don't hurt my system, procmail handles them. But wouldn't it be
>>better to filter these out before they get sent to the mailinglist?
>>
>>Thanks!
>>
>>--
>>14:53-14:57
>>Fedora Core release 1 (Yarrow) Linux 2.4.22-1.2174.nptl
Thanks for posting what was in the zip. I never opened it to see.
I was passing on the blinux-list to a couple of friends that are blind.
I had to also inform them that the zips contained a virus and not to
open the attachments.
Having the virus-containing posts within the list archive is probably
not a good thing to have. If people that are running Windows happen onto
the site and open the attachments, it would not help with attempting to
increase Linux usage numbers. That is, unless you tell them to download
the installation iso files, instruct them on how to burn the CDs, before
reading the archives.
I think the attachments ought to be at least dropped from the list archives.
Jim
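Bernd's triage step above (running `strings` over the unpacked attachment and spotting the UPX marker, the SMTP verbs and the network DLL imports) can be scripted. The following is an added example, not code from the original thread; it runs over a constructed byte buffer instead of the real attachment, and the indicator classes it looks for are my own assumptions about what an analyst would flag.

```python
import re
from typing import Dict, List

# Constructed sample: binary-looking junk interleaved with the kinds of
# printable strings Bernd's `strings` run surfaced (UPX marker, SMTP
# verbs, networking DLLs, download/exec imports). Not the real file.
SAMPLE = (
    b"\x00\x01\x02" b"1.24" b"\x00" b"UPX!" b"\x00\xff\x13" b"=`q@" b"\x00"
    b"SOFTWARE\\Mi" b"\x00\x00" b"HELO" b"\x00" b"RSET" b"\x00\x90"
    b"MAIL FROM:<" b"\x00\x7f" b"RCPT TO:<" b"\x00"
    b"KERNEL32.DLL\x00wsock32.dll\x00wininet.dll\x00urlmon.dll\x00"
    b"URLDownloadToFileA\x00ShellExecuteA\x00bind\x00"
)

MIN_LEN = 4  # same default minimum run length as GNU strings

# Indicator classes (assumed) that make a mailed executable suspicious:
# a runtime packer, built-in SMTP client verbs, socket/HTTP DLLs, and
# APIs that fetch and launch further files.
INDICATORS = {
    "packer":     [re.compile(r"^UPX!$")],
    "smtp":       [re.compile(r"^(HELO|EHLO|RSET|DATA|QUIT)$"),
                   re.compile(r"^(MAIL FROM|RCPT TO):<")],
    "net_dlls":   [re.compile(r"^(wsock32|ws2_32|wininet|urlmon)\.dll$", re.I)],
    "downloader": [re.compile(r"^URLDownloadToFile[AW]$"),
                   re.compile(r"^ShellExecute[AW]$")],
}

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return runs of printable ASCII of at least min_len bytes, like `strings`."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def classify(strings: List[str]) -> Dict[str, List[str]]:
    """Map each indicator class to the extracted strings that matched it."""
    hits: Dict[str, List[str]] = {name: [] for name in INDICATORS}
    for s in strings:
        for name, patterns in INDICATORS.items():
            if any(p.search(s) for p in patterns):
                hits[name].append(s)
    return hits

def triage(data: bytes) -> Dict[str, List[str]]:
    """Extract, classify, and keep only the classes that actually matched."""
    return {k: v for k, v in classify(extract_strings(data)).items() if v}

if __name__ == "__main__":
    for cls, found in triage(SAMPLE).items():
        print(f"{cls:11s} {found}")
```

A real sample would also show the lines the packer left unreadable, so an empty result here means "nothing readable matched", not "clean"; unpacking first (as Bernd did) is what makes the import names visible.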