Message-ID: <200311141141406.SM00134@there>
From: lhand at co.la.ca.us (Larry Hand)
Subject: Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES

On Thursday 13 November 2003 04:43 pm, Larry Hand wrote:
> Anyone else seeing this? It comes with an attachment Paypal.asp.scr. 
> Anyone know what it is? It sure looks suspicious.

And a bunch of people answered! Thanks to you all.

Thanks for the links. I expect it's that MiMail trojan. It's rare that a 
virus gets through the filters here. Apparently it's a new variant which 
slipped in before the newest AV signature updates were installed. Since NAI 
didn't find out about it until today, I guess that's reasonable :-)

As for the yahoo involvement, my headers (I should have included the full 
headers the first time, oops, my bad.) were:

From donotreply@...pal.com Fri Nov 14 00:29:00 2003
Received: from 62.42.15.89 [62.42.15.89] by co.la.ca.us
  (SMTPD32-6.06) id A23C519B00DE; Thu, 13 Nov 2003 16:30:52 -0800
Date: Fri, 14 Nov 2003 03:29:00 -0500
From: PayPal.com <donotreply@...pal.com>
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
Reply-To: donotreply@...pal.com
Organization: None
X-Priority: 1 (High)
To: lhand@...la.ca.us
Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----------716A2B1C01688342"
Message-Id: <200311131630671.SM00134@...42.15.89>
X-RCPT-TO: <lhand@...la.ca.us>
X-UIDL: 294245102
Status: R 
X-Status: N

The author did a pretty good job of hiding his tracks. Only the IP address 
(VA1-1D-u-0856.mc.onolab.com, apparently from Spain) and the fact that it was 
sent by Outlook Express give a hint that it didn't really come from PayPal.

A few people asked for the file. I've attached it as suggested: zipped and 
encrypted with "infected" as the password.

Thanks again for all the help.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: paypal.zip
Type: application/x-zip
Size: 11856 bytes
Desc: paypal attachment
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031114/7048f9ca/paypal.bin
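The header clues discussed in the message above (a relay that announces itself only as a bare IP, a desktop mail client in X-Mailer, an urgent high-priority subject, and an executable attachment behind a double extension) can be turned into a triage script. This is an added example, not code from the original post; the sample message is constructed from the quoted headers, with the archive's obfuscated addresses replaced by placeholder domains.

```python
import re
from email import message_from_string

# Constructed sample built from the headers quoted in the post; the
# placeholder domains (paypal.example, mail.example.invalid) are assumptions.
SAMPLE = """\
Received: from 62.42.15.89 [62.42.15.89] by mail.example.invalid
  (SMTPD32-6.06) id A23C519B00DE; Thu, 13 Nov 2003 16:30:52 -0800
From: PayPal.com <donotreply@paypal.example>
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-Priority: 1 (High)
Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: application/octet-stream; name="Paypal.asp.scr"
Content-Disposition: attachment; filename="Paypal.asp.scr"

AAAA
--b--
"""

DESKTOP_MUAS = ("outlook express", "thunderbird", "the bat!")
EXEC_EXTS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs")
URGENT = re.compile(r"\b(expire|suspend|verify|urgent)", re.I)

def triage(raw):
    """Return a list of phishing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    # 1. The last Received header is the hop closest to the sender. A relay
    #    that names itself only by its IP literal is not a brand's mail server.
    received = msg.get_all("Received") or []
    if received:
        m = re.match(r"from\s+(\S+)\s+\[([\d.]+)\]", received[-1])
        if m and m.group(1) == m.group(2):
            findings.append("origin relay has no hostname: %s" % m.group(2))
    # 2. Automated notifications are not sent from a desktop mail client.
    mailer = msg.get("X-Mailer", "").lower()
    if any(mua in mailer for mua in DESKTOP_MUAS):
        findings.append("desktop MUA in X-Mailer: %s" % msg["X-Mailer"])
    # 3. Pressure to act: high priority combined with a threatening subject.
    if msg.get("X-Priority", "").startswith("1") and URGENT.search(msg.get("Subject", "")):
        findings.append("high priority with urgent subject")
    # 4. Executable attachment, often disguised with a double extension.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXTS):
            findings.append("executable attachment: %s" % part.get_filename())
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("FLAG:", finding)
```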
