lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: smenard at nbnet.nb.ca (Steve Menard)
Subject: Has anyone seen this in their e-mail

Aschwin Wesselius wrote:

>On Tue, 2004-03-09 at 01:44, Edward W. Ray wrote:
>  
>
>>This e-mail was addressed to my mail server.  It even looked 
>>authentic, but since my mail server never sends me zip attachments I 
>>thought it strange.
>>
>>Please be careful when opening.  The zip file contains an executable,
>>and I would assume it is some kind of virus or worm.
>>
>>Has anyone else seen something similar?
>>
>>Regards,
>>
>>Edward W. Ray
>>
>>    
>>
>
>Yeah, this looks like one I've got yesterday too. 
>
>The message was different and even the password was different (clever
>virus-writer huh). I bet it is a Bagle.Gen-zippwd (who gives them names
>actually?) sort of worm, but am not sure. 
>
>I dare not to open it at all. At least my ClamAssassin fetched it and
>sorted it into my Virus folder. This means that ClamAV (for Linux)
>recognizes it as a worm/virus
>
>Kind regards,
>
>Aschwin Wesselius
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>  
>
I Suspect that it is a targetted long term attack
against higher targets
see the one below from march 3,2004

I saw this one the other day
I thought the guys I hosted with wrote better english
Suspicious fromthe start

>From - Wed Mar  3 08:48:00 2004
X-UIDL: &jJ"!-ek"!S[/"!8>c!!
X-Mozilla-Status: 1001
X-Mozilla-Status2: 10000000
Return-Path: <lisa4@....rr.com>
Received: from techsp05 ([203.177.127.113])
	by changed.not (8.10.2/8.9.3) with SMTP id i23CZqe08455
	for <me@...omain>; Wed, 3 Mar 2004 08:35:53 -0400
Date: Wed, 03 Mar 2004 20:43:45 +0800
To: me@...omain
Subject: Notify about using the e-mail account.
From: noreply@...omain
Message-ID: <ocsgoycxukouajqfnbr@...omain>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--------iwmrgskpbqjqjvtotrwg"
X-UIDL: &jJ"!-ek"!S[/"!8>c!!

----------iwmrgskpbqjqjvtotrwg
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Dear user  of e-mail server "mydomain.xx",

Our main  mailing server will  be temporary unavaible for next two days, 
to continue receiving mail in these days you have  to configure our free
auto-forwarding  service.

For details see the attached file.

Attached file protected with the  password for security reasons.  Password is 55366.

Cheers,
     The mydomain team                                http://www.mydomain

----------iwmrgskpbqjqjvtotrwg
Content-Type: application/octet-stream; name="TextDocument.zap"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="TextDocument.zap"

some zipped bad file here=

----------iwmrgskpbqjqjvtotrwg--




-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040309/3a03566a/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ