subject: News
[cut-n-paste from sophos.com]
Troj/Tofger-L
Aliases
TrojanDropper.Win32.Small.dd, Backdoor.Tofger
Type
Trojan
Detection
At the time of writing Sophos has received no reports from users
affected by this Trojan. However, we have issued this advisory following
enquiries to our support department from customers.
Description
Troj/Tofger-L is a keylogging Trojan.
In order to run automatically when Windows starts up Troj/Tofger-L copies
itself to the file SURTE.EXE in the Windows folder and adds the following
registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Online Service
The Trojan also drops a utility library file MSTO32.DLL (detected as
Troj/Tofger-C) and creates the text file SYSINI.INI in the Windows
folder.
When Troj/Tofger-L detects an active internet connection it captures
keystrokes typed into Internet Explorer and sends the information to a
remote internet address.
W32/Opaserv-S
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Opaserv-S is a worm that spreads via Windows shares, exploiting a
weakness in unpatched Win95/98-based systems.
In order to run automatically when Windows starts up the worm copies
itself to the file natal!.pif in the Windows folder and adds the
following registry entry pointing to this file:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\4wd!!!
The worm also creates the log files natlog, natlog2, natsout.gay and
natsin.gay in the Windows folder.
W32/Opaserv-S attempts to access remote websites to register itself and
attempts to download and execute files from several sites probably to
update itself. The websites used by the worm are not available at the
time of writing.
The worm attempts to infect remote computers by scanning local subnets
for vulnerable systems, copying itself across to the file
C:\Windows\natal!.pif and by replacing the file win.ini on the remote
machine with a version that starts the worm automatically when Windows
boots up.
The worm temporarily creates the text file C:\lammer!.
W32/Bodiru-A
Aliases
W32.HLLW.Bodiru, PE_Bodiru.A
Type
Win32 worm
Detection
At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory following
enquiries to our support department from customers.
Description
W32/Bodiru-A is a worm that uses peer-to-peer networks to spread. When
run, the worm creates a large number of copies of itself in the Incoming
folders of the popular peer-to-peer file sharing networks KaZaA, Kazaa
Lite K++, Edonkey2000 and Emule.
W32/Bodiru-A uses the following filenames:
ACDSee 5.5.exe
AOL Instant Messenger Crasher.exe
AVP Antivirus Pro Key Crack.exe
Adobe_Keyge.exe
Age of Empires 2 crack.exe
Aim bot ut3.exe
All Microsoft Products CD Key Generator.exe
All Norton Antivirus KEys!.exe
Ana Kournikova Sex Video (downloader).exe
Animated Screen 7.exe
Any Nick Name Msn 6.0.exe
Aol_cracker.exe
AquaNox2 Crack.exe
Audiograbber 2.05.exe
BabeFest 2003 ScreenSaver 1.6.exe
Battlefield1942_bloodpatch.exe
Battlefield1942_keygen.exe
Britney Spears Sex Video.exe
Buffy Vampire Slayer Movie.exe
BurnDvds.exe
Business Card Designer Plus 7.9.exe
Clone CD 5.0.0.3 (crack).exe
Clone CD 5.0.0.3.exe
Cool Edit Pro v2.55.exe
Counter Strike - See Through Walls.exe
Crack Passwords Mail.exe
Credit Card Numbers generator(incl Visa,MasterCard).exe
Credit_Card_Numbers_generator.exe
DVD Copy Plus v5.0.exe
DVD Region-Free 2.3.exe
Darkness_Krew.exe
DeadAim 4.0 KeyGen.exe
Diablo 3 Crack.exe
Diablo_2_Crack.exe
DirectDVD 5.0.exe
DirectX Buster (all versions).exe
DivX Video Bundle 6.5.exe
Divx_Pro_5.1_Serial.exe
Divx_pro (FINAL!).exe
Doom III (Cd KEys).exe
Download Accelerator Plus 6.1.exe
Dvd_Plus_Crack.exe
Dvd_Ripper(The Best 04).exe
Dvd_To_Vcd.exe
Easy_Dvd_Ripper.exe
Easy_Dvd_creator_Crack.exe
Edonkey2000-Speed me up scotty.exe
FIFA2003 crack.exe
Fifa 2004 (Cd Crack).exe
Final Fantasy VII XP Patch 1.5.exe
Flash MX crack (trial).exe
FlashGet 1.5.exe
FreeRAM XP Pro 1.9.exe
GTA 3 Crack.exe
GTA 3 Serial.exe
Game Cube Real Emulator.exe
GetRight 5.0a.exe
Gothic2 licence.exe
Guitar Chords Library 5.5.exe
Hack Any Kazaa User.exe
Hack The School.exe
Hack Website Easy.exe
Hacker_The_LoveStory.exe
Half Life 2 (Cd Crack).exe
Half Life 2 (cd Keys).exe
Harry potter2 Crack.exe
Hitman_2_no_cd_crack.exe
Hotmail Hacker Gold (All Msn Versions!).exe
Hotmail_Hacker_2003-Xss_Exploit.exe
Ip Nuker V6 (Reall Works).exe
KaZaA Hack 2.5.0.exe
KaZaA Speedup 3.6.exe
KaZaA-Hack_2.5.0.exe
Kazaa Lite )FINALL!(.exe
Kazaa SDK + Xbit speedUp for 2.xx.exe
LYNDEN.exe
Links 2003 Golf game (crack).exe
Living Waterfalls 1.3.exe
Love.exe
MSN Password Hacker 5.7 (worked on my ex-girlfriend!).exe
MWorld Of Warcraft (FULL) Installer and Downloader.exe
Macromedia product keys.exe
Macromedia_Keygen.exe
Mafia_crack.exe
Mail Bomber For msn messsenger 6.0.exe
Matrix Screensaver 1.5.exe
Mcafee Antivirus Scan Crack.exe
MediaPlayer Update.exe
Messenger Plus Latest!.exe
Microsoft .NET hack.exe
Microsoft KeyGenerator-Allmost all microsoft stuff.exe
Msn 6.0 (Multi Messenger).exe
Msn 6.0 Crasher!.exe
Msn 6.0 Kicker.exe
Msn 6.0 Password Cracker.exe
Msn Emotions (Version 6.0).exe
Msn Emotions (Version 6.1).exe
Msn Ip Finder 2004.exe
Msn Messenger 6.0 Bomber!.exe
Msn Messenger Betta 6.2.exe
Music Download 2003 (Full Albums).exe
NBA2003_crack.exe
Need 4 Speed crack.exe
Nero_Burning_Rom_Crack.exe
Netbios Nuker 2003.exe
Netbios Nuker 2004.exe
Netfast 1.8.exe
Network Cable e ADSL Speed 2.0.5.exe
Nimo CodecPack (new) 8.0.exe
Nimo_Codec_PackUpdater.exe
Norton Anvirus Key Crack.exe
PS2 PlayStation Simulator.exe
PalTalk 5.01b.exe
Panda Antivirus Titanium Crack.exe
Pop-Up Stopper 3.5.exe
Popup Defender 6.5.exe
Ps2 Real Emulator.exe
Quake 3 Keygen (works Great).exe
Quake3 - See through wallz.exe
Quick Time Key Crack.exe
QuickTime_Pro_Crack.exe
Real Sex Toys!.exe
Screen saver christina aguilera naked.exe
Security-2003-Update.exe
Serials 2003 v.8.0 Full.exe
Serials 2004 v.8.0 Full.exe
SmartFTP 2.0.0.exe
SmartRipper v2.7.exe
Space Invaders 1978.exe
Splinter_Cell_Crack.exe
Starcraft serials.exe
Stripping MP3 dancer+crack.exe
Sub 7 2.9.exe
Trillian 0.85 (free).exe
TweakAll 3.8.exe
UT2003_bloodpatch.exe
UT2003_keygen.exe
UT2003_no cd (crack).exe
UT2003_patch.exe
Unreal Tournament 2003 (Cd Crack).exe
Unreal Tournament 2003 (Cd KEys).exe
Unreal2_bloodpatch.exe
Unreal2_crack.exe
VB6.exe
Visual Basic (ALL KEYS GEN).exe
Visual Basic 6.0 Msdn Plugin.exe
Visual Basic Decompiler.exe
WarCraft_3_crack.exe
WinOnCD 4 PE_crack.exe
WinRar 3.xx Password Cracker.exe
WinZip 9.0b (CRACK).exe
WinZip 9.0b.exe
WinZipped Visual C++ Tutorial.exe
WindowBlinds_4.0.exe
Windows XP complete + serial.exe
Windows Xp Exploit.exe
Winzip KeyGenerator Crack.exe
XNuker 2003 2.93b.exe
XNuker_2003_2.93b.exe
Xvid_Codec_Installer.exe
Yahoo Account Stealer.exe
Yahoo Messenger 6.0.exe
Zelda Classic 2.00.exe
aol password cracker.exe
cable modem ultility pack.exe
cable modem.exe
counter-strike.exe
mIRC 6.40.exe
pamela_anderson.exe
play station emulator.exe
serials2000.exe
warcraft 3 crack (Really Works).exe
warcraft 3 serials.exe
winamp plugin pack.exe
winzip full version key generator.exe
The worm may drop and run a batch file c:\dllsystemhelp.bat. The script
contains instructions to enable sharing of the local drives.
W32/Bodiru-A creates the following registry value so that the worm file
is run during the Windows startup process:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\App.EXEName
W32/Bodiru-A attempts to infect the following files:
C:\Program Files\WinZip\WINZIP32.EXE
C:\Program Files\Norton AntiVirus\Navw32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\Wscript.exe
C:\Windows\Rundll.exe
C:\Windows\Rundll32.exe
C:\winnt\Regedit.exe
C:\Windows\System\Underwater.scr
C:\windows\Regedit.exe
C:\winnt\system32/Regedit.exe
The infection routine incorrectly infects files so that they become
corrupt.
W32/Bodiru-A launches a denial-of-service attack against symantec.com
and mess.be using ICMP ping flooding, sending large packets to the
destination.
The worm attempts to terminate processes related to anti-virus and
security software using this list:
_AVP.EXE
_AVP32.EXE
_AVPM.EXE
ANTI-TROJAN.EXE
APVXDWIN.EXE
AUTODOWN.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCTRL.EXE
AVKSERV.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPMON.EXE
AVPNT.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVWIN95.EXE
AVWUPD32.EXE
BLACKD.EXE
BLACKICE.EXE
CCAPP.EXE
CFIADMIN.EXE
ESAFE.EXE
CFIAUDIT.EXE
CFIND.EXE
CFINET.EXE
CFINET32.EXE
CLAW95.EXE
CLAW95CF.EXE
CLAW95CT.EXE
CLEANER.EXE
CLEANER3.EXE
DV95.EXE
DV95_O.EXE
DVP95.EXE
DVP95_0.EXE
TerminateEXE
ECENGINE.EXE
EFINET32.EXE
ESPWATCH.EXE
F-AGNT95.EXE
FINDVIRU.EXE
FPROT.EXE
F-PROT.EXE
FPROT95.EXE
F-PROT95.EXE
FP-WIN.EXE
FRW.EXE
F-STOPW.EXE
IAMAPP.EXE
IAMSERV.EXE
IBMASN.EXE
IBMAVSP.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICMOON.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
IOMON98.EXE
JED.EXE
JEDI.EXE
KPF.EXE
KPFW32.EXE
LOCKDOWN2000.EXE
LOOKOUT.EXE
LUALL.EXE
MOOLIVE.EXE
MPFTRAY.EXE
N32SCAN.EXE
N32SCANW.EXE
NAVAPW32.EXE
NAVLU32.EXE
NAVSCHED.EXE
NAVW.EXE
NAVW32.EXE
NAVWNT.EXE
NISUM.EXE
NMAIN.EXE
NORMIST.EXE
NUPGRADE.EXE
NVC95.EXE
OUTPOST.EXE
PADMIN.EXE
PAVCL.EXE
PAVSCHED.EXE
PAVW.EXE
PCCWIN98.EXE
PCFWALLICON.EXE
PERSFW.EXE
RAV7.EXE
RAV7WIN.EXE
RESCUE.EXE
SAFEWEB.EXE
SCAN32.EXE
SCAN95.EXE
SCANPM.EXE
SCRSCAN.EXE
SERV95.EXE
SMC.EXE
SPHINX.EXE
SWEEP95.EXE
TBSCAN.EXE
TCA.EXE
TDS2-98.EXE
TDS2-NT.EXE
VCONTROL.EXE
VET32.EXE
VET95.EXE
VET98.EXE
VETTRAY.EXE
VSCAN40.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSSCAN40.EXE
VSSTAT.EXE
WEBSCAN.EXE
WEBSCANX.EXE
WFINDV32.EXE
ZAPRO.EXE
zonealarm.EXE
mcafee.exe
navapsvc.exe
zaplus.exe
vsmon.exe
W32/Sober-C
Aliases
I-Worm.Sober.c, W95/Sober.C{at}mm, W32/Sober.c{at}MM, Win32/Sober.C,
WORM_SOBER.C
Type
Win32 worm
Detection
Sophos has received many reports of this worm from the wild.
Description
W32/Sober-C is an internet worm which spreads via file sharing on
peer-to-peer networks and by emailing itself to addresses found within
files on the computer.
The email subject line and message text are randomly chosen from
internal lists and will be in either English or German.
Example subject lines include:
ups, i've got your mail
Sorry, thats your mail
hi, its me
Thank You very very much
you are an idiot
why me?
I hate you
Preliminary investigation were started
Your IP was logged
You use illegal File Sharing ...
A Trojan horse is on your PC
a trojan is on your computer!
Anime, Pokemon, Manga, ...
Caution: To all gamers
Attention: To all gamers
Anmeldebestätigung
Bankverbindungs- Daten
Sie sind ein Raubkopierer
The following are examples of possible message texts:
"Sehr geehrter Kunde,
Vielen Dank für Ihre Anmeldung auf unserem Server.
Der Betrag von Euro 279,- wurde erfolgreich von Ihrem Konto abgebucht.
Ihnen stehen nun 1 Jahr lang mehr als 2300 sehr sehr heiße
Internet Seiten zur Verfügung.
Wir bedauern, das es im Vorfeld so lange gedauert hat,
unser Mail Dienst hatte diese Daten auf einen anderen E-Mail Empfänger
geschickt.
Da nun dieser Fehler behoben zu sein scheint, wünschen wir Ihnen
viel Spass mit unserem Angebot!
Die Seiten die Sie nun aufrufen können und die Zugangsdaten
befinden sich gesichert im Anhang."
"hi, I am from Austria and you'll don't believe me,
but a trojan horse in on your pc.
I've scanned the network-ports on the internet.
And I have found your pc.
Your pc is open on the internet for everybody!
Because the >filename<.exe trojan is running on your system.
Check this, open the task manager and try to stop that!
You'll see, you can't stop this trojan.
When you use win98/me you can't see the trojan!!
On my system was this trojan, too!
And I've found a tool to kill that bad thing.
I hope that I've helped you!"
The attachment filename is also randomly chosen from an internal list
and can have an extension of EXE, SCR, PIF, COM, CMD or BAT. Examples
include:
www.iq4you-german-test.com
www.freewantiv.com
www.free4manga.com
www.free4share4you.com
www.tagespolitik-umfragen.com
www.onlinegamerspro-worm.com
www.freegames4you-gzone.com
www.boards4all-terror432.com
www.anime4allfree.com
www.animepage43252.com
When first run, the worm copies itself to the Windows system folder as
syshostx.exe and two other randomly selected filenames.
W32/Sober-C then creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
that point to the two copies of the worm with randomly selected
filenames to ensure it is run at system logon.
The following files are also created in the Windows system folder:
ms16taskwin.exe
savesyss.dll
Humgly.lkur
yfjq.yqwm
These files are not malicious and can simply be deleted.
W32/Sober-C copies itself to the My Shared Folder in the KaZaA folder
replacing existing executables that have an extension of COM, EXE, SCR,
BAT, CMD or PIF.
W32/Sober-B
Aliases
Worm/Sober.B
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Sober-B is a worm that spreads via email, network shares and
filesharing networks.
When first executed the worm displays a bogus error message 'Header
corrupt'.
W32/Sober-B harvests email addresses by scanning the filesystem for
files with one of the following extensions:
HTT, RTF, DOC, XLS, INI, MDB, TXT, HTM, HTML, WAB, PST, FDB, CFG, LDB,
EML, ABC, LDIF, NAB, ADP, MDW, MDA, MDE, ADE, SLN, DSW, DSP, VAP, PHP,
NSF, ASP, SHTML, SHTM, DBX, HLP, MHT, NFO
The harvested addresses are stored in the log file mscolmon.ocx in the
Windows system folder. A file Humgly.lkur is created in the Windows
system folder. These files are not malicious and can be deleted.
The worm may arrive in an email that is written in either English or
German.
For the German email the subject line, message text and attachment
filename are chosen randomly from the following selection:
Subject line:
Hihi, ich war auf deinem Computer
Du bist Ge-Hackt worden
Ich habe Sie Ge-hackt
Der Kannibale von Rotenburg
Message text:
Nette, ungewöhnliche und ausgefallene Sachen hast du da
auf deinem Computer! (Was soll man dazu noch sagen)
Ich überlege mir schon die ganze Zeit, ob ich ein paar deiner Dateien
im Internet auf einer Web-Seite stellen soll!
Weil, genug Stoff habe ich ja von Dir! (Muhahahah)
Du fragst dich sicherlich, was ich alles von Dir habe,,,, siehe selbst
Was wohl gewisse Behörden dazu sagen würden? **hust*
Ich weiss nicht so recht, soll ich dich bestechen oder
die Behörden einschalten ???
Du kannst jetzt ruhig Deine Dateien löschen oder sonst was, aber
nützen wird es Dir wenig, weil ich sie auch habe!
Wenn du meinst das ich Mist rede, dann sehe Dir die Datei-Liste an.
Dann siehst du, was ich alles von Dir habe.
Na ja,, ich melde mich nächste Woche noch einmal!
Entschuldigen Sie bitte diese überaus deutliche Betreffzeile!
Aber ein neuer Dialer macht mit dieser Überschrift unzählige User zu Opfern.
Die User werden mit dem versprechen gelockt, sich das
äusserts abscheuliche Tat- Video anzuschauen zu d
Stattdessen aber, installiert sich ein sehr teurer Dialer und ein
Virus auf dem PC.
Da aber unzählige User auf diese Finte hereinfallen, haben wir mit
Zustimmung des Bundeskriminalamtes BKA, eine Web-Seite erstellt,
wo einige dieser äusserts brisanten Fotos und Videos
einzusehen sind, um den Leuten die Neugier zu nehmen.
natürlich sind diese Videos und Fotos leicht zensiert worden.
Um auf diesen Web-Server zu gelangen, müssen Sie zuerst bestätigen,
dass Sie das 18 Lebensjahr bereits vollendet haben.
Wir bitten sie ausdrücklichst, keine Kinder diese Seite einsehen zu lassen.
I.A.: Dieter Braun
----- MultiMedia AG München ia. BKA (ORG. Rund-Mail V6.02)
Geschaeftsfuehere: Michael Leuningen (089/8941440) FAX: 089/89414434
Attached file:
DateiList.pif
Daten-Text.pif
Server.com
For the English email the worm selects one of the following
possibilities:
Subject line:
George W. Bush wants a new war
George W. Bush plans new wars
You Got Hacked
Have you been hacked?
Message text:
Bush plans new wars against China, Cuba and Iran.
Please visit our website and vote against this very crazy war(s).
More information:
by me,, idiot!
haha, very nice files on your system.
i've made a website. i show your files on this website hahaha
visit:
YA of me
a great many files on your pc and very very interesting
what would say the police?!,,, i don't know .-]
files of you
See:
Attached file:
www.gwbush-new-wars.com
www.hcket-user-pcs.com
allfiles.cmd
yourlist.pif
W32/Sober-B creates two copies of itself in the Windows system folder
using random filenames and executes them.
In order to be started automatically when Windows boots up the worm sets
a random registry entry below
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,
pointing to one of the two files.
These two processes will re-spawn each other and restore the registry
entry if one of them is killed or the registry entry deleted.
In addition, the worm will also copy itself to the Windows system folder
using the fixed filename spooler.exe.
In order to spread via filesharing networks W32/Sober-B replaces files
found in the shared folders of popular peer-to-peer networks with a copy
of itself.
W32/Agobot-BM
Aliases
Backdoor.Agobot.3.gen, W32.HLLW.Gaobot.AO
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Agobot-BM is an IRC backdoor Trojan and network worm.
W32/Agobot-BM is capable of spreading to computers on the local network
protected by weak passwords. The worm can also spread to other machines
using certain vulnerabilities.
When first run, W32/Agobot-BM copies itself to the Windows system folder
as wmplayer.exe and creates the following registry entries so that
wmplayer.exe is run automatically on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Media Player = wmplayer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Windows Media Player = wmplayer.exe
The worm runs in the background as a service process named "Windows
Media Player".
Each time W32/Agobot-BM is run it attempts to connect to a remote IRC
server, join a specific channel and wait for backdoor commands.
W32/Agobot-BM attempts to terminate and disable various security-related
programs and attempts to prevent its own process from being deleted.
Troj/Uproot-A
Aliases
Backdoor.UpRootKit, Backdoor.Uprootkit, Backdoor.Uprootkit.cli
Type
Trojan
Detection
At the time of writing Sophos has received no reports from users
affected by this Trojan. However, we have issued this advisory following
enquiries to our support department from customers.
Description
Troj/UpRoot-A is a backdoor Trojan for Windows 2000/XP that allows a
malicious user remote access to the system. The Trojan can communicate
over ICMP as well as TCP or UDP, on configurable ports.
In order to run automatically when Windows starts up the Trojan copies
itself to the Windows system folder as uprootkit.exe and registers
itself as the service process uprootkit.
W32/Mimail-M
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Mimail-M is a worm which spreads via email using addresses harvested
from the hard drive of the infected computer. All email addresses found
on the computer are saved in a file named xjwu2.tmp in the Windows
folder.
The worm copies itself to the Windows folder with the filename
netmon.exe and creates the following registry entry so that this file is
run when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NetMon
W32/Mimail-M can arrive in three different email formats. Some users may
find the explicit language used by the worm offensive.
The first type of email the worm can send has the following
characteristics:
Subject line: Re[3]<44 spaces><random characters>
Message text:
Hello Greg,
I was shocked, when I found out that it wasn't you but your twin
brother!!! That's amazing, you're as like as two peas. No one in bed is
better than you Greg. I remember, I remember everything very well, that
promised you to tell how it was, I'll give you a call today after 9.
He took my skirt off, then my panties, then my bra, he sucked my tits,
with the same fury you do it. He was writing alphabet on my pussy for 20
minutes, then suddenly stopped, put me in doggy style position and stuck
his dagger.But Greg, why didn't you warn me that his dick is 15 inches
long?? I was struck, we fucked whole night.
I'm so thankful to you, for acquainted me to your brother. I think we
can do it on the next Saturday all three together? What do you think? O
yes, as you wanted I've made a few pictures check them out in archive,
I hope they will excite you, and you will dream of our new meeting...
Wendy.
Attached file: only_for_greg.zip (contains for_greg.jpg.exe)
The second email format, which appears to have been manually
mass-mailed out, has the following characteristics:
Subject line: Re:Greg
Message text:
Hi Greg its Wendy.
I was shocked, when I found out that it wasn't you but your twin brother,
that's amazing, you're as like as two peas. No one in bed is better than
you Greg. I remember, I remember everything very well, that promised you
to tell how it was, I'll give you a call today after 9.
He took my skirt off, then my panties, then my bra, he sucked my tits,
with the same fury you do it. He was writing alphabet on my pussy for 20
minutes, then suddenly stopped, put me in doggy style position and stuck
his dagger. But Greg, why didn't you warn me that his dick is 15 inches
long? I was struck, we fucked whole night.
I'm so thankful to you, for acquainted me to your brother. I think we
can do it on the next Saturday all three together? What do you think? O
yes, as you wanted I've made a few pictures check them out in archive, I
hope they will excite you, and you will dream of our new meeting...
For unzip archiver download WinZip:
http://download.winzip.com/winzip81.exe
Password for archive is "kiss".
Attached file: wendy.zip (contains file wendy.exe)
The third email format also appears to have been deliberately
mass-mailed and has the following characteristics:
Subject line: Your message delivery has been failed
Message text:
This is the Postfix program at host
I'm sorry to have to inform you that the message returned below could
not be delivered to one or more destinations.
The message itself and all the other important information are included
into the attachment.
Attached file: fail.hta (contains file test.exe)
W32/Mimail-M creates a copy of itself named nji2.tmp and a copy of
only_for_greg.zip named msi2.tmp, both in the Windows folder.
W32/Mimail-M also attempts a denial of service attack targeting:
darkprofits.com
darkprofits.net
darkprofits.cc
darkprofits.ws
www.darkprofits.com
www.darkprofits.net
www.darkprofits.cc
www.darkprofits.ws
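The Sober-C, Sober-B and Mimail-M advisories above give a mail gateway enough to screen on: fixed subject lines, attachment names shaped like web hosts with an executable extension, an "Re[3]" subject padded with 44 spaces, a bogus Postfix bounce carrying an HTA, and a password-protected ZIP whose member is a double-extension executable. The following Python script is an added example, not Sophos code and not part of the original post: it builds constructed sample messages with the standard library and classifies them against those indicators, so it runs offline.

```python
"""
Mail-gateway indicator checks for the email-borne worms in the advisories
above (W32/Sober-C, W32/Sober-B, W32/Mimail-M). Added example, not Sophos
code. The subjects, attachment names and archive contents come from the
advisory text; the messages themselves are constructed here so the check
runs offline.
"""
import base64
import io
import re
import zipfile
from email import policy
from email.parser import BytesParser

EXEC_EXT = {"exe", "scr", "pif", "com", "cmd", "bat", "hta"}

# Fixed subject lines quoted in the advisories, lower-cased for comparison.
SUBJECTS = {
    "re:greg": "W32/Mimail-M",
    "your message delivery has been failed": "W32/Mimail-M",
    "george w. bush wants a new war": "W32/Sober-B",
    "george w. bush plans new wars": "W32/Sober-B",
    "you got hacked": "W32/Sober-B",
    "have you been hacked?": "W32/Sober-B",
    "you are an idiot": "W32/Sober-C",
    "your ip was logged": "W32/Sober-C",
    "a trojan horse is on your pc": "W32/Sober-C",
    "sie sind ein raubkopierer": "W32/Sober-C",
}
MIMAIL_ATTACHMENTS = {"only_for_greg.zip", "wendy.zip", "fail.hta"}
# First Mimail-M format: "Re[3]", 44 spaces, then random characters.
MIMAIL_RE3 = re.compile(r"^Re\[3\] {44}\S")
# Sober names its attachment like a web host plus an executable extension;
# a bare "www.site.com" is itself a .COM executable name.
SOBER_HOST_NAME = re.compile(r"^www\.[\w.-]+\.(exe|scr|pif|com|cmd|bat)$", re.I)


def ext_of(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def zip_members(data):
    """Member names of a ZIP attachment. The central directory stays readable
    when members are password-protected, so the Mimail-M archive (password
    'kiss') can still be screened by filename."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def classify(raw):
    """raw: RFC 822 message bytes. Returns a list of (label, reason)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    subject = str(msg.get("Subject", ""))
    if MIMAIL_RE3.match(subject):
        findings.append(("W32/Mimail-M", "subject Re[3] + 44 spaces"))
    family = SUBJECTS.get(subject.strip().lower())
    if family:
        findings.append((family, "subject " + subject.strip()))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ext_of(name) in EXEC_EXT:
            findings.append(("executable-attachment", name))
        if SOBER_HOST_NAME.match(name):
            findings.append(("W32/Sober-B/C", "host-like attachment " + name))
        if name.lower() in MIMAIL_ATTACHMENTS:
            findings.append(("W32/Mimail-M", "attachment " + name))
        if ext_of(name) == "zip":
            for member in zip_members(part.get_payload(decode=True)):
                if ext_of(member) in EXEC_EXT:
                    findings.append(("executable-in-archive", name + ":" + member))
    return findings


def build_message(subject, body, attach_name=None, attach_data=b""):
    """Build a constructed sample message (not a real capture)."""
    head = ("From: wendy@example.invalid\r\nTo: greg@example.invalid\r\n"
            "Subject: " + subject + "\r\nMIME-Version: 1.0\r\n")
    if attach_name is None:
        return (head + "Content-Type: text/plain\r\n\r\n" + body + "\r\n").encode()
    b = "sample-boundary"
    b64 = base64.b64encode(attach_data).decode()
    return (head + f'Content-Type: multipart/mixed; boundary="{b}"\r\n\r\n'
            f"--{b}\r\nContent-Type: text/plain\r\n\r\n{body}\r\n"
            f'--{b}\r\nContent-Type: application/octet-stream; name="{attach_name}"\r\n'
            f'Content-Disposition: attachment; filename="{attach_name}"\r\n'
            f"Content-Transfer-Encoding: base64\r\n\r\n{b64}\r\n--{b}--\r\n").encode()


def zip_with(member):
    """In-memory ZIP holding one placeholder member (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder, not a real executable")
    return buf.getvalue()


# Constructed samples following the three Mimail-M formats and a Sober-B mail.
SAMPLES = {
    "mimail_1": build_message("Re[3]" + " " * 44 + "kj3h4w", "Hello Greg,",
                              "only_for_greg.zip", zip_with("for_greg.jpg.exe")),
    "mimail_3": build_message("Your message delivery has been failed",
                              "This is the Postfix program at host", "fail.hta", b"<html>"),
    "sober_b": build_message("You Got Hacked", "haha, very nice files on your system.",
                             "www.hcket-user-pcs.com", b"MZ placeholder"),
    "clean": build_message("Lunch?", "Noon works.", "agenda.txt", b"1. roadmap"),
}
```

Run `classify(SAMPLES["mimail_1"])` to see all three Mimail-M signals fire on one message. The "www.*.com" rule is deliberately listed as executable-attachment as well, because a .COM extension is a DOS executable whatever the name in front of it looks like.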
VBS/Suzer-B
Aliases
TrojanDropper.VBS.Inor.u, VBS/Inor, Download.Trojan
Type
Trojan
Detection
Sophos has received several reports of this Trojan from the wild.
Description
VBS/Suzer-B is a Trojan that drops and executes Troj/Cidra-A as
usb_d.exe.
Troj/Antikl-Dam
Type
Trojan
Detection
Sophos has received several reports of this Trojan from the wild.
Description
Troj/Antikl-Dam is a corrupt (truncated), non-executable Trojan that is
being seeded via an email that contains the following text:
"Dear customer,
The security of your personal and account information is extremely
important to us. By practicing good security habits, you can help us
ensure that your private information is protected. Please install our
special software, that will remove all the keyloggers and backdoors
from your computer.
And will help us to prevent credit card fraud in future.
Thank you.
Best regards,
"
where has been seen to be the name of a banking institution.
The From address is likely to be admin{at}.com
W32/Agobot-BT
Aliases
W32.HLLW.Gaobot.gen
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Agobot-BT is a network worm which also allows unauthorised remote
access to the computer via IRC channels.
W32/Agobot-BT copies itself to network shares with weak passwords and
attempts to spread to computers using the DCOM RPC and the RPC locator
vulnerabilities.
These vulnerabilities allow the worm to execute its code on target
computers with System level privileges. For further information on
these vulnerabilities and for details on how to protect/patch the
computer against such attacks please see Microsoft security bulletins
MS03-001 and MS03-026. MS03-026 has been superseded by Microsoft
security bulletin MS03-039.
W32/Agobot-BT copies itself to the Windows system folder as sysinfo.exe
and creates the following registry entries to run itself on system
restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Configuration Loader
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Configuration Loader
Each time W32/Agobot-BT is run it attempts to connect to a remote IRC
server and join a specific channel.
W32/Agobot-BT attempts to terminate various processes related to
anti-virus and security software (e.g. SWEEP95.EXE, BLACKICE.EXE and
ZONEALARM.EXE).
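Most of the advisories above share one persistence pattern: a copy in the Windows or system folder plus a value under HKLM or HKCU ...\CurrentVersion\Run or RunServices that points to it (Troj/Tofger-L, W32/Opaserv-S, W32/Bodiru-A, W32/Agobot-BM, W32/Agobot-BT, W32/Mimail-M), with Opaserv-S additionally rewriting win.ini on remote machines. The following Python script is an added example, not Sophos code and not part of the original post: it checks registry entries, a file listing and win.ini text that a triage tool has already exported against those indicators. The sample data at the bottom is constructed, and matching on the value name and the launched file separately is this example's design choice, not something the advisories prescribe.

```python
"""
Host persistence checks for the indicators listed in the Sophos advisories
above. Added example, not Sophos code: it consumes registry entries, file
listings and win.ini text that a triage tool has already exported, so it
runs offline; the sample data at the bottom is constructed, not a capture.
"""
import ntpath
import re

# (family, Run/RunServices value name, file the value should launch, or None
# where the advisory names only the value). Names compare case-insensitively
# because the registry does.
AUTORUN_IOCS = [
    ("Troj/Tofger-L", "Online Service", "surte.exe"),
    ("W32/Opaserv-S", "4wd!!!", "natal!.pif"),
    ("W32/Bodiru-A", "App.EXEName", None),
    ("W32/Agobot-BM", "Windows Media Player", "wmplayer.exe"),
    ("W32/Agobot-BT", "Configuration Loader", "sysinfo.exe"),
    ("W32/Mimail-M", "NetMon", "netmon.exe"),
]
# Files the advisories say are dropped, keyed by lower-case basename.
DROPPED_FILES = {
    "surte.exe": "Troj/Tofger-L", "msto32.dll": "Troj/Tofger-L",
    "sysini.ini": "Troj/Tofger-L", "natal!.pif": "W32/Opaserv-S",
    "natlog": "W32/Opaserv-S", "natlog2": "W32/Opaserv-S",
    "natsout.gay": "W32/Opaserv-S", "natsin.gay": "W32/Opaserv-S",
    "dllsystemhelp.bat": "W32/Bodiru-A", "wmplayer.exe": "W32/Agobot-BM",
    "sysinfo.exe": "W32/Agobot-BT", "uprootkit.exe": "Troj/Uproot-A",
    "netmon.exe": "W32/Mimail-M", "xjwu2.tmp": "W32/Mimail-M",
    "nji2.tmp": "W32/Mimail-M", "msi2.tmp": "W32/Mimail-M",
}
# Only the autorun keys the advisories name, under either hive spelling.
RUN_KEY = re.compile(
    r"^(HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\Software\\Microsoft"
    r"\\Windows\\CurrentVersion\\Run(Services)?$", re.IGNORECASE)


def target_basename(data):
    """Lower-case basename of the program an autorun value launches. Handles
    a quoted path with arguments; an unquoted path containing spaces is cut
    at the first space (known limitation)."""
    data = data.strip()
    if data.startswith('"'):
        data = data[1:].split('"', 1)[0]
    else:
        data = data.split(" ", 1)[0]
    return ntpath.basename(data).lower()


def check_autoruns(entries):
    """entries: iterable of (key_path, value_name, value_data). Returns
    (family, key_path, value_name, confidence): 'high' when value name and
    launched file both match (or the advisory gives no file), 'medium' when
    only one of them does."""
    hits = []
    for key, name, data in entries:
        if not RUN_KEY.match(key):
            continue
        target = target_basename(data)
        for family, ioc_name, ioc_file in AUTORUN_IOCS:
            name_ok = name.lower() == ioc_name.lower()
            file_ok = ioc_file is not None and target == ioc_file
            if name_ok and (file_ok or ioc_file is None):
                hits.append((family, key, name, "high"))
            elif name_ok or file_ok:
                hits.append((family, key, name, "medium"))
    return hits


def check_dropped_files(paths):
    """Returns {family: [path, ...]} for basenames the advisories list."""
    found = {}
    for path in paths:
        family = DROPPED_FILES.get(ntpath.basename(path).lower())
        if family:
            found.setdefault(family, []).append(path)
    return found


def check_win_ini(text):
    """W32/Opaserv-S replaces win.ini on remote machines with one that starts
    the worm; return the [windows] run=/load= values pointing at natal!.pif."""
    section, hits = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() in ("run", "load") and target_basename(value) == "natal!.pif":
                hits.append((key.lower(), value))
    return hits


# Constructed sample input, shaped like a triage export.
SAMPLE_AUTORUNS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Online Service",
     r"C:\WINDOWS\SURTE.EXE"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
     "Windows Media Player", "wmplayer.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "NetMon",
     r'"C:\WINDOWS\netmon.exe" /hide'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Configuration Loader",
     r"C:\WINDOWS\system32\updater.exe"),                       # name only -> medium
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe",
     r"C:\WINDOWS\system32\ctfmon.exe"),                        # benign
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\App",
     "Online Service", "x"),                                    # not an autorun key
]
SAMPLE_FILES = [r"C:\WINDOWS\SURTE.EXE", r"C:\WINDOWS\MSTO32.DLL",
                r"C:\WINDOWS\notepad.exe", r"C:\WINDOWS\natsout.gay"]
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\Windows\\natal!.pif\nNullPort=None\n[fonts]\n"
```

Feed `check_autoruns(SAMPLE_AUTORUNS)`, `check_dropped_files(SAMPLE_FILES)` and `check_win_ini(SAMPLE_WIN_INI)` the real exports from a host to use it for triage. The medium-confidence tier matters for Agobot-BT and Sober-B style families that keep a fixed value name but vary the file, and the reverse for samples that keep the file and rename the value.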
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267
SOURCE: echomail via fidonet.ozzmosis.com