lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: khermansen at (Kristian Hermansen)
Subject: New virus

Damn, I wanna f*ck Mary too.  Let me see those pics!!!

Kristian Hermansen

PS - I can't believe that people don't die laughing when they read this
email.  Who the hell would ever write an email like that and hope to keep
their girlfriend?  Whose girlfriend lets them take sex pics, lol?  And why
would he send them after this unfortunate "no condom" incident?  So many
questions ;-)

-----Original Message-----
[] On Behalf Of Andrew Thomas
Sent: Tuesday, November 25, 2003 3:02 AM
To: 'Full Disclosure'
Subject: [Full-Disclosure] New virus


Just to confirm receipt of another email containing the following 
Hello my dear Mary, 

I have been thinking about you all night. I would like to apologize 
for the other night when we made beautiful love and did not use 
condoms. I know this was a mistake and I beg you to forgive me. 

I miss you more than anything, please call me Mary, I need you. Do 
you remember when we were having wild sex in my house? I remember 
it all like it was only yesterday. You said that the pictures 
would not come out good, but you were very wrong, they are great. 
I didn't want to show you the pictures at first, but now I think 
it's time for you to see them. Please look in the attachment and 
you will see what I mean. 

I love you with all my heart, James. 

With attached

A quick strings (after unpacking) on the file gives

The original archive is available @

I don't have the time to take this apart, but some interesting things
include a call to function "UrlDownloadToFileA", and a bunch of other
HTTP-style requests.

Also looks like it may do some kind of speed test and post results
as well remotely, including IP address of the infected host, as well
as pulling stuff out like RAS info, pop3 info, etc.

The host that appears to be called is "", with a
call made to the page "showinfo.php", which returns only
Error 0x7a2e: Invalid query, database search failed.
without anything appended.

There's quite a bit more in here.

Andrew G. Thomas
Hobbs & Associates Chartered Accountants (SA)
(o) +27-(0)21-683-0500
(f) +27-(0)21-683-0577
(m) +27-(0)83-318-4070 

Full-Disclosure - We believe in it.

Powered by blists - more mailing lists