[lug] Someone on this list likely has a windows virus

John Starkey jstarkey at advancecreations.com
Mon Apr 29 21:31:32 MDT 2002 

I'm receiving hundreds of these a day on one webmaster alias, and have
been for two weeks. Here's a link someone sent me last night regarding
the virus. Seems it's out of control at the moment.

http://centralcommand.com/april1802.html

I think a certain amount of it is targeted. One subject line that I
receive reads "Webmaster, here's a flash to enjoy". That alias is for a
Flash dev site, maybe a coincidence.

John

On Mon, 2002-04-29 at 12:28, D. Stimits wrote:
> Either someone on this list has a windows virus, or else this list is
> being targeted. Tkil noticed someone sent one of the recent windows
> virii with the header forged to look like me. I just got one forged to
> look like Alan Robertson. I have also received several of what I think
> are Klez virus from non-BLUG sources, the epidemic seems to be started
> again. But since this virus goes after everyone in the address book, and
> probably everyone new mail arrives from, and since my name was forged in
> to Tkil's email, and Alan Robertson's was forged into one sent to me,
> all within the last few days, it makes sense. One thing that is in
> common to every one of these is verizon.net in the return path. Verizon
> is the common theme in the ones reaching me, regardless of whether it is
> forged to look like someone from BLUG or from someone I don't recognize.
> In tracing the actual dotted decimal address from the header of email
> forging Alan Robertson's name, I found the real source was owned by what
> looks like a Brazil domain, though I'm not positive (and I have recently
> sent spam reports to spamcop about Brazilian unsolicited spam, some Mac
> advertisement I think, but I don't speak the language). Anyway, I am
> wondering how many people here have received messages which use the name
> of someone from the BLUG list, beside me and tkil? How many have
> recently received email which has a stupid subject like the one from the
> most recent for me, "Look,my beautiful girl friend"? Below I'm going to
> mouse paste the header and the virus indicator part, maybe someone can
> get an idea. I'd also like to figure out who to complain to at
> 150.162.47.13. I'll be sending an email to verizon as well, since they
> seem to be targeted to take the blame. Anyway, info follows below. Hope
> it doesn't false trigger someone's virus software (though I can't
> imagine a lot of people here are using windows, and even if they are,
> most will use antivirus with it).
> 
> D. Stimits, stimits at idcomm.com
> 
> Return-Path: <alanr at verizon.net>
> Received: from brainstem.idcomm.com (brainstem.idcomm.com
> [207.40.196.12])
>         by mailhost.idcomm.com (8.10.2/8.10.0) with ESMTP id
> g3TEEE932388
>         for <stimits at idcomm.com>; Mon, 29 Apr 2002 08:14:14 -0600
> Received: from out006.verizon.net (out006pub.verizon.net
> [206.46.170.106])
>         by brainstem.idcomm.com (8.11.6/8.11.6) with ESMTP id
> g3TE71Q27056
>         for <stimits at idcomm.com>; Mon, 29 Apr 2002 08:07:04 -0600
> X-Spam-Filter: check_local at brainstem.idcomm.com by digitalanswers.org
> Received: from Lfuoq ([150.162.47.13]) by out006.verizon.net
>           (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with
> SMTP
>           id <20020429140914.CVEK2106.out006.verizon.net at Lfuoq>
>           for <stimits at idcomm.com>; Mon, 29 Apr 2002 09:09:14 -0500
> From: alanr <alanr at suse.com>
> To: stimits at idcomm.com
> Subject: Look,my beautiful girl friend
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>         boundary=Fw1U6gp28173p81vhoFB58Zw5RQu6JB84Kp
> Message-Id: <20020429140914.CVEK2106.out006.verizon.net at Lfuoq>
> Date: Mon, 29 Apr 2002 09:09:19 -0500
> X-Mozilla-Status: 8001
> X-Mozilla-Status2: 00000000
> X-UIDL: _J6H.2UVz8.mailhost
> 
> --Fw1U6gp28173p81vhoFB58Zw5RQu6JB84Kp
> Content-Type: text/html;
> Content-Transfer-Encoding: quoted-printable
> 
> <HTML><HEAD></HEAD><BODY>
> <iframe src=3Dcid:Cq2e2IcsWGC2q height=3D0 width=3D0>
> </iframe>
> <FONT></FONT></BODY></HTML>
> 
> --Fw1U6gp28173p81vhoFB58Zw5RQu6JB84Kp
> Content-Type: audio/x-wav;
>         name=target.bat
> Content-Transfer-Encoding: base64
> Content-ID: <Cq2e2IcsWGC2q>
> 
> TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g
> 
> ...snip...this is the executable in base64 encoding...
> 
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=9
> --Fw1U6gp28173p81vhoFB58Zw5RQu6JB84Kp
> 
> Content-Type: application/octet-stream;
>         name=site=uolbr&size=popup&page=0&stat=corposaude[1].htm
> Content-Transfer-Encoding: base64
> Content-ID: <Cq2e2IcsWGC2q>
> 
> PGEgdGFyZ2V0PSJfYmxhbmsiIGhyZWY9Ii9ldmVudC5uZy9UeXBlPWNsaWNrJlByb2ZpbGVJ
> RD0xMjg3JlJ1bklEPTkwNDYmQWRJRD00MjQ4JlRhZ1ZhbHVlcz0yMDYuMjQzLjMyNi4xOTI3
> JkZhbWlseUlEPTI3MSZHcm91cElEPTEmUmVkaXJlY3Q9aHR0cDolMkYlMkZ3d3cubWVyY2Fk
> b2xpdnJlLmNvbS5iciUyRmJyYXNpbCUyRm1sJTJGcG1zJTNGc2l0ZSUzRDIxMTU1NyUyNmlk
> JTNEMjAyMSUyNmFzX29wdCUzRGh0dHA6JTJGJTJGd3d3Lm1lcmNhZG9saXZyZS5jb20lMkZv
> cmctaW1nJTJGaHRtbCUyRk1MQiUyRnNlbWFuYWxfZW5jaHVmYXRlLmh0bWwiPjxpbWcgc3Jj
> PSJodHRwOi8vYmFubmVycy5pbWcudW9sLmNvbS5ici9tZXJjYWRvbGl2cmVfdW9sX3BvcF84
> NS5naWYiIGJvcmRlcj0wIGhlaWdodD0yMTUgd2lkdGg9MjUwIGFsdD0iIj48L2E+
> --Fw1U6gp28173p81vhoFB58Zw5RQu6JB84Kp--
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug

More information about the LUG mailing list