| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: thalm at netcabo.pt (Tiago Halm)
Subject: FW: Fake Email (Update)
Got access to the attachment
(was blocked by Outlook XP, but after adding a String REG key -
HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security\Level1Remo
ve - with value - exe - I got access to the attachment)
Size: 74142 bytes
Executed strings (ANSI and UNICODE) on it, but could not find anything
relevant.
Also ran DUMPBIN /ALL and saw only the following imports:
Section contains the following imports:
KERNEL32.DLL
44327C Import Address Table
0 Import Name Table
0 time date stamp
0 Index of first forwarder reference
0 LoadLibraryA
0 GetProcAddress
0 ExitProcess
MSVBVM60.DLL
44328C Import Address Table
0 Import Name Table
0 time date stamp
0 Index of first forwarder reference
Ordinal 581
Does anyone recognize something with this?
I someone needs the attachment, I'll send it zipped by email.
Regards,
Tiago Halm
-----Original Message-----
From: Tiago Halm [mailto:thalm@...cabo.pt]
Sent: sexta-feira, 27 de Fevereiro de 2004 20:58
To: full-disclosure@...ts.netsys.com
Subject: Fake Email
Hi,
Just received an email from "me@...rosoft.com.ve" with an attachment
"remove-lsass_tool.exe"
Headers:
----------------------------------------------------------------------
Received: from smtp.netcabo.pt ([192.168.16.2]) by VS2.hdi.tvcabo with
Microsoft SMTPSVC(5.0.2195.6713);
Thu, 26 Feb 2004 15:37:49 +0000
Received: from OEMCOMPUTER.ve ([80.104.215.25]) by smtp.netcabo.pt with
Microsoft SMTPSVC(5.0.2195.6713);
Thu, 26 Feb 2004 10:46:22 +0000
From: me@...rosoft.com.ve
To: thalm@...cabo.pt
Subject: a trojan is on your computer!
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MSMail-Priority: Normal
Message-ID: <93210073709487.53933xsmail@...rosoft.com.ve>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="d7a124be6069b8e"
Return-Path: me@...rosoft.com.ve
X-OriginalArrivalTime: 26 Feb 2004 10:46:23.0617 (UTC)
FILETIME=[C6EA4F10:01C3FC55]
Date: 26 Feb 2004 10:46:23 +0000
----------------------------------------------------------------------
Content:
----------------------------------------------------------------------
hello, I am from Denmark and you'll don't believe me,
but a trojan horse in on your pc.
I've scanned the network-ports on the internet. (I know, that's illegal)
And I have found your pc. Your pc is open on the internet for everybody!
Because the lsass.exe trojan is running on your system.
Check this, open the task manager and try to stop that!
You'll see, you can't stop this trojan.
When you use win98/me you can't see the trojan!!
On my system was this trojan, too!
And I've found a tool to kill that bad thing.
I hope that I've helped you!
greets
----------------------------------------------------------------------
Anyone else got this too? If so, has somebody made any analisys on the
attachment yet?
The attachment was blocked, so I don't have access to it :(
Regards,
Tiago Halm
Powered by blists - more mailing lists