Alert: Worm going around (Community)


themask

Dec 1, 2004, 5:08pm
Well, right when I get home, open my Mozilla Thunderbird, and find a
worm! And, the funny thing is that it's packaged with Andras's DEM 2 RWX!

Message source:

From - Wed Dec 01 14:32:19 2004
X-Account-Key: account2
X-UIDL: UID3623-1083266814
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
Return-Path: <cYqiR at aol.com>
Delivered-To: 1-ricky at whaletech.net
Received: (qmail 3270 invoked from network); 1 Dec 2004 19:44:37 -0000
Received: from dsl081-044-153.lax1.dsl.speakeasy.net (HELO localhost)
(64.81.44.153)
by 69.64.34.187 with SMTP; 1 Dec 2004 19:44:25 -0000
From: <cYqiR at aol.com>
Reply-To: <cYqiR at aol.com>
X-Priority: 3 (Normal)
X-MailScanner: Found to be clean
Subject: Hi, ricky, here´s the archive you requested
To: <ricky at whaletech.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="LhLcOFWrQJFjqsgXfFBUMLyItHUBQfiW"

--LhLcOFWrQJFjqsgXfFBUMLyItHUBQfiW
Content-Type: multipart/alternative;
boundary="dDGfMYvDQiDbNstNcGttDgDBuXDydQYM"

--dDGfMYvDQiDbNstNcGttDgDBuXDydQYM
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

Here´s the document that you had requested.

--dDGfMYvDQiDbNstNcGttDgDBuXDydQYM
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>
Here´s the document that you had requested.<iframe
src=3Dcid:OSMSyaiClfnVY height=3D0 width=3D0></iframe>
</BODY></HTML>

--dDGfMYvDQiDbNstNcGttDgDBuXDydQYM--

--LhLcOFWrQJFjqsgXfFBUMLyItHUBQfiW
Content-Type: application/x-zip-compressed;
name="dem2rwx612b.zip"
Content-ID: <OSMSyaiClfnVY>
Content-Transfer-Encoding: base64
Content-Disposition: attachment


dem2rwx612b.zip size: 651 KB (667,592 bytes)

Info on the worm:
http://www.sophos.com/virusinfo/analyses/w32torvila.html

Watch your email inboxes.

--

Signed,
TheMask

:: Owner of Delusional-Minds Hosting ::
Free world hosting.. Just a T-Gram will do it.

johnf

Dec 1, 2004, 5:30pm
I keep getting worm e-mails from NTL customers.

John


themask

Dec 1, 2004, 5:42pm
That has no absolute relation to what made this worm unique.. it came
with one of Andras's tools. Think that's kind of awkward?


--

Signed,
TheMask

:: Owner of Delusional-Minds Hosting ::
Free world hosting.. Just a T-Gram will do it.

johnf

Dec 1, 2004, 5:51pm
What is to say it is the actual worm sending it? Someone may have picked up
a worm, packaged it with Andras' tool (and a little modification) and sent
it to you disguising it as a worm.

John


themask

Dec 1, 2004, 5:59pm
At the end of the mime file, it clearly shows some HTML of the popup,
then some breaks, then shows "moo ha ha", and then it says "torvil",
runs a file.. Clearly a worm to the looks of my google search.

--

Signed,
TheMask

:: Owner of Delusional-Minds Hosting ::
Free world hosting.. Just a T-Gram will do it.

johnf

Dec 1, 2004, 6:25pm
So someone has made a strange strand of a worm to include Andras' tool?

John


themask

Dec 1, 2004, 6:42pm
The original file was Andras's tool, and then the other file was the
worm. Thinking I'm a moron and would fall for this, I didn't and I was
of course suspicious why it was coming from an AOL email, and the IP was
a speakeasy dsl line... stolen email, possible proxy to get on aol anyone?

--

Signed,
TheMask

:: Owner of Delusional-Minds Hosting ::
Free world hosting.. Just a T-Gram will do it.
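
The two oddities pointed out above (an AOL From address arriving from a Speakeasy DSL host, and the zero-size iframe whose `cid:` source is the attachment's Content-ID) can be checked mechanically. This is an added example, not part of the original thread; `triage` and `org_domain` are hypothetical names, and the sample is trimmed from the message quoted in the first post, with the boundary renamed and the attachment body replaced by a placeholder.

```python
import re
from email import message_from_string

# Constructed sample, trimmed from the message quoted in the first post.
SAMPLE = """\
Received: (qmail 3270 invoked from network); 1 Dec 2004 19:44:37 -0000
Received: from dsl081-044-153.lax1.dsl.speakeasy.net (HELO localhost)
 (64.81.44.153) by 69.64.34.187 with SMTP; 1 Dec 2004 19:44:25 -0000
From: <cYqiR at aol.com>
Content-Type: multipart/mixed; boundary="OUTER"

--OUTER
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML><BODY>Here is the document that you had requested.<iframe
src=3Dcid:OSMSyaiClfnVY height=3D0 width=3D0></iframe></BODY></HTML>
--OUTER
Content-Type: application/x-zip-compressed; name="dem2rwx612b.zip"
Content-ID: <OSMSyaiClfnVY>
Content-Transfer-Encoding: base64
Content-Disposition: attachment

AAAA
--OUTER--
"""

def org_domain(host):  # naive: last two labels, no public-suffix list
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw):
    msg, flags = message_from_string(raw), []
    # Accept the forum's "user at domain" obfuscation as well as "@".
    sender = re.search(r"[\w.+-]+(?:@| at )([\w.-]+)", msg.get("From", ""))
    # Topmost "from <host>" hop is the one the receiving server recorded.
    hops = [m.group(1) for r in msg.get_all("Received", [])
            if (m := re.match(r"\s*from\s+(\S+)", r))]
    if sender and hops and org_domain(hops[0]) != org_domain(sender.group(1)):
        flags.append(f"from={org_domain(sender.group(1))} relay={org_domain(hops[0])}")
    # Map each attachment's Content-ID to its file name.
    cids = {p["Content-ID"].strip("<> "): p.get_filename()
            for p in msg.walk() if p["Content-ID"]}
    htmls = [p.get_payload(decode=True).decode("latin-1")
             for p in msg.walk() if p.get_content_type() == "text/html"]
    for tag in re.findall(r"<iframe\b[^>]*>", "".join(htmls), re.I):
        src = re.search(r"src\s*=\s*[\"']?cid:([^\s\"'>]+)", tag, re.I)
        zero = re.search(r"(?:height|width)\s*=\s*[\"']?0\b", tag, re.I)
        if src and zero and src.group(1) in cids:
            flags.append(f"hidden-iframe -> {cids[src.group(1)]}")
    return flags
```

The domain comparison is only a heuristic, since legitimate mail is often relayed through a third party; the iframe check does not depend on it.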

swe

Dec 1, 2004, 6:52pm
you wouldn't need a proxy to send an e-mail as an aol user though O_O

-SWE


johnf

Dec 1, 2004, 7:07pm
Yeah but anyone can send an e-mail from an address even if it's not theirs.

John


josh

Dec 1, 2004, 7:27pm
I keep getting spam from my own domain, stupid ppl how dare they spam from
my address >_<

I've also noticed that for some reason my email address automatically gets
filtered to hotmail's spam so i'm guessing some person with WAY too much
time is sending out spam from me, i doubt it could be a virus or anything
since i have kaspersky and it's a really good scanner, so i dunno >_<


themask

Dec 1, 2004, 7:29pm
You would if you were trying to be a tricky idiot. AOL allows proxying,
so you can proxy into AOL with whatever proxy, spam emails you're doing
on the hacked AOL screen name. It's actually stupid these days how
people are making their passwords, compromising it to crackers who get
their passwords easy and harvesting their screen names by chatrooms,
profile searches.. You don't know how crappy AOL is.

--

Signed,
TheMask

:: Owner of Delusional-Minds Hosting ::
Free world hosting.. Just a T-Gram will do it.

samuel ml lison

Dec 2, 2004, 12:21am
Hello Josh,

E-mails looking like they come from other people from your domain, which
in fact are not, is actually common these days.

Worms send themselves to all the main addresses of a domain name, such
as webmaster, support, info, admin, sales, abuse and disguise themselves
as if they were someone else from that domain.

Also, what may be happening, is the worm knows it's sending to
you at yourdomain.com and just changes its own e-mail address to
something at yourdomain.com.

Make sense? No one is spending time doing this manually to spite you.



Yours Sincerely,
Samuël ML Lison

--
DreamCities.net - A Community for All! (http://www.dreamcities.net)
Jobs Available: http://business.dreamcities.net/jobs.html
Contact Me: http://about.dreamcities.net/contact.html

builderz

Dec 2, 2004, 4:12pm
Take a look at http://spf.pobox.com/ -- it might help a bit with your
e-mail problem.

-Builderz


lady nighthawk

Dec 2, 2004, 4:39pm
Thanks for the link Builderz ... I'm looking at the site as my domain also
gets spam apparently from my domain, which I know is not. I do have to say I
find this complicated tho :o/

LNH



--


builderz

Dec 2, 2004, 6:00pm
Of course it is complicated, Lady. What in life isn't? ;P

-Builderz


Awportals.com is a privately held community resource website dedicated to Active Worlds.
Copyright (c) Mark Randall 2006 - 2024. All Rights Reserved.