For a week or so I keep getting lots of email from the list with 29K zip attachments. AFAIK these are viruses (Mydoom?).
They don't hurt my system, procmail handles them. But wouldn't it be better to filter these out before they get sent to the mailing list?
Thanks!
On Tue, Feb 24, 2004 at 02:57:22PM +0100, Joolz wrote:
They don't hurt my system, procmail handles them. But wouldn't it be better to filter these out before they get sent to the mailing list?
I agree that Microsoft products should not be allowed on the internet, due to their questionable reputation.
Hello List,
today we (a friend and me) received an eMail with a zipped Windows executable.
[eMail] Dear user of e-mail server "Initdefault.de",
Your e-mail account has been temporary disabled because of unauthorized access.
For details see the attached file.
Attached file protected with the password for security reasons. Password is 40403.
Kind regards, The Initdefault.de team http://www.initdefault.de [/eMail]
I unpacked it and used strings on it:
[code] 1.24 UPX! =`q@ VWS? SV23 0vm vkU} #64={c Fc`1 6;[, jd n /Ih 2`d0 VukxV4 gE#D 3Y(| @E davh8 m*+k 3R1j `?XRN` \SWh 1hl] /6Ys ?sra !t{5P !}8SnB 9vqH *g^} .{|xJN 8-updt delt @ jZ>{%4I h*kv o1@@ D%fO -Q/R# e,%` QR6a }6ZB x<CNG 8+c$ E/(,@ f'fZf;U PGX= =220; G+,6 h_R+ ^p>354s] +}JOX 4VD^ r9Ko Qz.O {"H0} <9v$<A :Huj.# @u~'# _ZWR ZB,4 "Pjm %EWzWh {R6@ R,fgUif RAV4 hCg@ G=iVh FmAi lfpb .>N^4 XRP'[ cS&[ ({BPk VVV/R_ Kx `1~ 3-c6 ]}'jv ,048 <@DH LPTX `dh lptx $Q222 XT> LQHQDQ |@QpQlQhQ dQ`Q\Q ,Q0Q4Q8P .200.39 SOFTWARE\ DateTime ss .ex\irun4w ATUPD ER.EXE LUALL DRWEB WICSS GRAD TODOWN )VXQ= ACFI v>TPOSThVLTM http://pos rtog. de/scr.php .gfotxt .net maiklibis=?D %s?p=%luH Mi#poft\Windo/ ws\CurrentV sion\R opzy;l pifzip6 uplda )C: To HELO RSET L FROM:< CPT x [%TND%] l.com avp. ocal xmldbxd nchmf,ods v!adIbNshueIxk &gii Off e =03 Crack, W mk.g!y)XP w f /Keyg d3-<5P B S:e alan< c hiA x SMi5sT n Lo h6 B l[erUa ia 8 New!Amp 5 P $66M D9 full CD ,9 ',' H:P:s ;Ez::$2 F_m G2MIME- -TypYR pMS1 y="- Q"do <t@us- cii"- t_ap\Zk<lea 64"D <Ok1 zcouqc ta e7 &W/'yu )3B"Imwaen%l Y0 zz " He sy'm!l kuw9 ~m* I ORPn l@VBv c%Bu f19g KwVz @j&B nsuc eds_ _mm$ ago9lf Jp6la ^3)I b`y, pxy- $SAI v%wb 2co_ .PTA:e UT#a l:KKj1 RUPDo Findrs Comma ngs3M odu59NamGS JckC Klob MapView ;C#s Y[ECO ]T!m{ Wait-Sv Ex p;[ re(l`rc` S mpi py s prc`u ciB&h ptgDwAV @gJS OnHyhx S<l; }DupA RC= TriO UppO mZ"p k3nn qU6Y trtu !+!s v0li \xyPEL bdEd =o`g L@W. KERNEL32.DLL advapi32.dll iphlpapi.dll ole32.dll SHELL32.dll shlwapi.dll urlmon.dll user32.dll wininet.dll wsock32.dll LoadLibraryA GetProcAddress ExitProcess RegCloseKey GetNetworkParams CoInitialize ShellExecuteA StrDupA URLDownloadToFileA wsprintfA InternetOpenA bind
[/code]
Seems like worm code to me ;) (just guessing, because of the SMTP commands and the DLL names)
The eMail headers gave me the following eMail address, which is registered here on the list:
aamehl@bezeqint.net
I informed the user and asked that he or she please check their system.
Any others with similar eMails?
regards: Bernd
sorry for my bad English, hope you can read it :)
On Tue, 2004-02-24 at 14:57, Joolz wrote:
For a week or so I keep getting lots of email from the list with 29K zip attachments. AFAIK these are viruses (Mydoom?).
They don't hurt my system, procmail handles them. But wouldn't it be better to filter these out before they get sent to the mailing list?
Thanks!
-- 14:53-14:57 Fedora Core release 1 (Yarrow) Linux 2.4.22-1.2174.nptl
On Wed, 2004-03-10 at 22:55, Bernd Kauling wrote:
Hello List,
They don't hurt my system, procmail handles them. But wouldn't it be better to filter these out before they get sent to the mailing list?
They are not coming from the list as such. The infected Windows machine has the list address in it and is using it to spoof the emails as if they were coming from the list. It is most likely that the listed sender is also spoofed. Although if the listed sender is using a Windows machine it would not hurt for them to run a virus check to make sure.
Regards
Roger
I got a similar message... it had something called "bagel" in it.
On Wed, Mar 10, 2004 at 11:55:07PM +0100, Bernd Kauling wrote:
Hello List,
today we (a friend and me) received an eMail with a zipped Windows executable.
[eMail] Dear user of e-mail server "Initdefault.de",
Your e-mail account has been temporary disabled because of unauthorized access.
For details see the attached file.
Attached file protected with the password for security reasons. Password is 40403.
Kind regards, The Initdefault.de team http://www.initdefault.de [/eMail]
I unpacked it and used strings on it:
[strings output snipped; quoted in full above]
Seems like worm code to me ;) (just guessing, because of the SMTP commands and the DLL names)
The eMail headers gave me the following eMail address, which is registered here on the list:
aamehl@bezeqint.net
I informed the user and asked that he or she please check their system.
Any others with similar eMails?
regards: Bernd
sorry for my bad English, hope you can read it :)
On Tue, 2004-02-24 at 14:57, Joolz wrote:
For a week or so I keep getting lots of email from the list with 29K zip attachments. AFAIK these are viruses (Mydoom?).
They don't hurt my system, procmail handles them. But wouldn't it be better to filter these out before they get sent to the mailing list?
Thanks!
-- fedora-list mailing list fedora-list@redhat.com To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
On Thu, 2004-03-11 at 02:25, Dale A. Raby wrote:
I got a similar message... it had something called "bagel" in it.
On Wed, Mar 10, 2004 at 11:55:07PM +0100, Bernd Kauling wrote:
snipped
Thanks!
Got this warning from my administrator today!
VIRUS ALERT
Important notice to all CO.ZA clients and business partners. UniForum SA has recently learned that a new email transmitted virus is currently in circulation. The email virus falsely purports to originate from a trusted email address such as those used by the CO.ZA Registry. The email is disseminated in the form of a password protected attachment (and therefore potentially cannot be scanned by the anti-virus software). The virus however supplies you with the password and requires you to input the password when you click on the icon to run the program. Any password protected attachment purporting to come from our systems is in all likelihood false. You are urged not to open any such email until you can confirm its authenticity with the sender.
Chad
Bernd Kauling wrote:
Hello List,
today we (a friend and me) received an eMail with a zipped Windows executable.
[eMail] Dear user of e-mail server "Initdefault.de",
Your e-mail account has been temporary disabled because of unauthorized access.
For details see the attached file.
Attached file protected with the password for security reasons. Password is 40403.
Kind regards, The Initdefault.de team http://www.initdefault.de [/eMail]
I unpacked it and used strings on it:
[strings output snipped; quoted in full above]
Seems like worm code to me ;) (just guessing, because of the SMTP commands and the DLL names)
The eMail headers gave me the following eMail address, which is registered here on the list:
aamehl@bezeqint.net
I informed the user and asked that he or she please check their system.
Any others with similar eMails?
regards: Bernd
sorry for my bad English, hope you can read it :)
On Tue, 2004-02-24 at 14:57, Joolz wrote:
For a week or so I keep getting lots of email from the list with 29K zip attachments. AFAIK these are viruses (Mydoom?).
They don't hurt my system, procmail handles them. But wouldn't it be better to filter these out before they get sent to the mailing list?
Thanks!
Thanks for posting what was in the zip. I never opened it to see.
I was passing on the blinux-list to a couple of friends that are blind. I had to also inform them that the zips contained a virus and not to open the attachments.
Having the virus-containing posts within the list archive is probably not a good thing to have. If people that are running Windows happen onto the site and open the attachments, it would not help with attempting to increase Linux usage numbers. That is, unless you tell them to download the installation ISO files and instruct them on how to burn the CDs before reading the archives.
I think the attachments ought to be at least dropped from the list archives.
Jim
Around 02:11am on Thursday, March 11, 2004 (UK time), Jim Cornette scrawled:
<rant>
Thanks for posting what was in the zip. I never opened it to see.
No thanks from me - I thought it was a waste of bandwidth. And why two people thought it was necessary to requote the whole thing I can't begin to imagine.
Having the virus-containing posts within the list archive is probably not a good thing to have. If people that are running Windows happen onto the site and open the attachments, it would not help with attempting to increase Linux usage numbers. That is, unless you tell them to download the installation ISO files and instruct them on how to burn the CDs before reading the archives.
Was it established that it came from the list? Virus-infected emails usually spoof the From address. Is it actually in the archives?
</rant>
Steve
Steve Searle wrote:
Around 02:11am on Thursday, March 11, 2004 (UK time), Jim Cornette scrawled:
<rant>
Thanks for posting what was in the zip. I never opened it to see.
No thanks from me - I thought it was a waste of bandwidth. And why two people thought it was necessary to requote the whole thing I can't begin to imagine.
High speed connections don't really care if the file is a bit large. I should have trimmed the message though. Sorry!
Having the virus-containing posts within the list archive is probably not a good thing to have. If people that are running Windows happen onto the site and open the attachments, it would not help with attempting to increase Linux usage numbers. That is, unless you tell them to download the installation ISO files and instruct them on how to burn the CDs before reading the archives.
Was it established that it came from the list? Virus-infected emails usually spoof the From address. Is it actually in the archives?
It was in the blinux-list archives and I have received filtered mail about a virus within the mail. The main point is that the bogus messages that contain the virus should be removed from the list archives.
After receiving the virus alert from my ISP, I usually see discussions based on the heading of the Windows virus mail spoofs.
</rant>
No rants, just concern about leading a prospective Linux convert, who is still running Windows, into a "minefield" in the list archives.
I was interested in the contents of the virus pack for Windows. (zip w/ password to evade mail scanners.)
Jim
Steve
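Jim's last remark and the CO.ZA notice earlier in the thread describe the same trick: the zip is password-protected so a gateway scanner cannot look inside, and the message body hands the recipient the password. A scanner does not need the password to spot that pattern, because the zip local file header carries an "encrypted" flag bit in the clear. The script below, added here as an example and not code from the list or from any poster, checks a raw message for exactly that combination, the kind of test a procmail or milter hook could run before the mail reaches a list. The sample message and the zip stub it builds are constructed for the demo (the stub only sets the flag bit, nothing is really encrypted, and it is not a complete archive); the lure text reuses the wording quoted in Bernd's post.

```python
"""Flag mail that pairs a password-protected zip with a password in the body.

Added example; the message and the zip stub below are constructed for the
demo. The detector reads only zip local-file-header fields and never
extracts or executes anything from the attachment."""
import email
import re
import struct
import zlib
from email import policy
from email.message import EmailMessage

LOCAL_HEADER_SIG = b"PK\x03\x04"  # zip local file header signature
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"  # sig, ver, flags, method, time, date, crc, csize, usize, name_len, extra_len
ENCRYPTED_BIT = 0x0001  # bit 0 of the general-purpose flag: entry is encrypted
PASSWORD_IN_BODY = re.compile(r"\bpassword\s+is\s+\S+", re.IGNORECASE)


def zip_has_encrypted_entries(data: bytes) -> bool:
    """Walk the local file headers and report whether any entry is flagged encrypted."""
    pos = 0
    while True:
        pos = data.find(LOCAL_HEADER_SIG, pos)
        if pos < 0 or pos + 30 > len(data):
            return False
        (_sig, _ver, flags, _method, _time, _date, _crc,
         csize, _usize, name_len, extra_len) = struct.unpack(LOCAL_HEADER_FMT, data[pos:pos + 30])
        if flags & ENCRYPTED_BIT:
            return True
        # skip past this entry's name, extra field and stored data
        pos += 30 + name_len + extra_len + csize


def classify_message(raw: bytes) -> dict:
    """Return a verdict dict for one RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    verdict = {
        "password_in_body": bool(PASSWORD_IN_BODY.search(text)),
        "encrypted_zip": False,
        "attachments": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(LOCAL_HEADER_SIG):  # sniff the content, not the extension
            encrypted = zip_has_encrypted_entries(payload)
            verdict["attachments"].append((name, encrypted))
            verdict["encrypted_zip"] = verdict["encrypted_zip"] or encrypted
    # the lure needs both halves: an archive the scanner cannot open and the key to it
    verdict["quarantine"] = verdict["encrypted_zip"] and verdict["password_in_body"]
    return verdict


def build_zip_stub(name: bytes, encrypted: bool) -> bytes:
    """Constructed zip fragment for the demo: one local header plus stored bytes.
    Only the flag bit is set; no real encryption is applied and there is no
    central directory, so this is not a usable archive."""
    payload = b"not-an-executable-just-demo-bytes"
    flags = ENCRYPTED_BIT if encrypted else 0
    header = struct.pack(LOCAL_HEADER_FMT, LOCAL_HEADER_SIG, 20, flags, 0, 0, 0,
                         zlib.crc32(payload) & 0xFFFFFFFF, len(payload), len(payload),
                         len(name), 0)
    return header + name + payload


def build_sample(encrypted: bool) -> bytes:
    """Constructed message mirroring the lure quoted in the thread."""
    m = EmailMessage()
    m["From"] = "support@example.invalid"  # placeholder, spoofed in the real lure
    m["To"] = "user@example.invalid"
    m["Subject"] = "E-mail account disabled"
    m.set_content("Dear user,\nYour e-mail account has been temporary disabled "
                  "because of unauthorized access.\nFor details see the attached file.\n"
                  "Attached file protected with the password for security reasons. "
                  "Password is 40403.\n")
    m.add_attachment(build_zip_stub(b"details.exe", encrypted),
                     maintype="application", subtype="zip", filename="details.zip")
    return m.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(classify_message(build_sample(flag)))
```

In a procmail setup this would sit behind a `:0` recipe that pipes the message to the script and files it in a quarantine folder on a non-zero exit; the detector keys on the header flag rather than on the `.zip` extension, so renamed or nested lures still trip it as long as the outer container is a zip.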