[Techtalk] possible virus for a Linuxchick

Carla Schroder carla at bratgrrl.com
Fri Aug 1 19:11:09 EST 2003


Hi gang,

There was a thread back on Nov 21, 2002 with the subject line 'new spam 
thingy'. Well, today look what landed in my mailbox; I suspect someone who 
posted in that thread has picked up a virus:

"ALERT - GroupShield ticket number OB185_1059781045_NT-EXCHANGE_1 was 
generated
From: "GroupShield for Exchange (NT-EXCHANGE)" 
<NAIGNVNT-EXCHANGE at mail.ifas.ufl.edu>
To: 'Carla Schroder' <carla at bratgrrl.com>, "'techtalk at linuxchix.org'" 
<techtalk at linuxchix.org>

Action Taken:
The message was quarantined and replaced with a text informing the recipient
of the action taken.

To:
techtalk at linuxchix.org <techtalk at linuxchix.org>

From:
Carla Schroder <carla at bratgrrl.com>

Sent:
-595367808,29579397

Subject:
Re: [Techtalk] new spam thingy

Attachment Details:-

Attachment Name: N/A
File: Infected.msg
Infected? Yes
Repaired? No
Blocked? No
Deleted? No
Virus Name: Exploit-MIME.gen.b"

This message is also an interesting exercise in lameness and idiocy: the 
bounce response is put in an attachment, and what's really lame is it's in 
the proprietary TNEF format, which only Lookout can read.  Way to go, 
exchange admins. Just because it's the default doesn't make it right.  

This particular virus is sort of a 'doorknob rattler': it looks for 
exploitable Outlook and Outlook Exchange setups, and sets up housekeeping for 
more serious exploits. I don't have complete archives from that far back; 
anyone using Outlook and Outlook Exchange should examine their system.

Full headers below my sig.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~
Carla Schroder
www.tuxcomputing.com
this message brought to you
by Libranet 2.7 and Kmail
~~~~~~~~~~~~~~~~~~~~~~~~~


Return-path: <alrac444 at serve.wwwroot11.net>
Envelope-to: carla at bratgrrl.com
Delivery-date: Fri, 01 Aug 2003 18:39:18 -0500
Received: from alrac444 by serve.wwwroot11.net with local-bsmtp (Exim 4.20)
	id 19ijUU-0000xi-0n
	for carla at bratgrrl.com; Fri, 01 Aug 2003 18:39:18 -0500
Received: from [128.227.242.250] (helo=nt-exchange.ifas.ufl.edu)
	by serve.wwwroot11.net with esmtp (Exim 4.20)
	id 19ijUT-0000xf-Qh
	for carla at bratgrrl.com; Fri, 01 Aug 2003 18:39:17 -0500
Received: by nt-exchange.ifas.ufl.edu with Internet Mail Service (5.5.2655.55)
	id <QCYXHLLR>; Fri, 1 Aug 2003 19:37:28 -0400
Message-ID: 
<6D9F17809993D31198B100508B62016115D47DCA at nt-exchange.ifas.ufl.edu>
From: "GroupShield for Exchange (NT-EXCHANGE)"
	 <NAIGNVNT-EXCHANGE at mail.ifas.ufl.edu>
To: 'Carla Schroder' <carla at bratgrrl.com>,
 "'techtalk at linuxchix.org'"
	 <techtalk at linuxchix.org>
Subject: ALERT -  GroupShield ticket number OB185_1059781045_NT-EXCHANGE_1
	 was generated
Date: Fri, 1 Aug 2003 19:37:27 -0400 
X-MS-TNEF-Correlator: 
<6D9F17809993D31198B100508B62016115D47DCA at nt-exchange.ifas.ufl.edu>
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2655.55)
Content-Type: multipart/mixed;
  boundary="----_=_NextPart_000_01C35885.DE00E0C0"
X-Spam-Status: No, hits=0.0 required=5.0
	tests=none
	version=2.55
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
Status: R 
X-Status: N
X-KMail-EncryptionState:  
X-KMail-SignatureState:  

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_000_01C35885.DE00E0C0
Content-Type: text/plain

Action Taken:
The message was quarantined and replaced with a text informing the recipient
of the action taken.

To:
techtalk at linuxchix.org <techtalk at linuxchix.org>

From:
Carla Schroder <carla at bratgrrl.com>

Sent:
-595367808,29579397

Subject:
Re: [Techtalk] new spam thingy

Attachment Details:-

Attachment Name: N/A
File: Infected.msg
Infected? Yes
Repaired? No
Blocked? No
Deleted? No
Virus Name: Exploit-MIME.gen.b


------_=_NextPart_000_01C35885.DE00E0C0
Content-Type: application/ms-tnef
Content-Transfer-Encoding: base64

<1.8k of binary code snipped, sheesh!>
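The notice above is a good specimen for a small triage script: it shows the relay chain in the Received: headers (which tell you which site's Exchange server generated the alert, regardless of what the From: claims), a multipart/mixed body whose second part is application/ms-tnef, and a SpamAssassin verdict. The following is an added example written for this post, not code from the poster, from the list, or from the GroupShield product. It uses only Python's standard library. The header values in the constructed sample are copied from the headers quoted above, with the archive's " at " obfuscation turned back into "@" and the To: line simplified to a bare address; the base64 TNEF body is a constructed placeholder carrying only the TNEF stream signature (0x223E9F78, little-endian), since the real 1.8k blob was snipped.

```python
"""Triage a GroupShield-style quarantine notice with the stdlib email parser.
Added example, not the poster's code. Header values come from the post; the
TNEF body is a constructed placeholder, not the real snipped attachment."""
import base64
import email
import re
from email import policy

# Real TNEF streams open with the 32-bit signature 0x223E9F78 (little-endian).
TNEF_SIGNATURE = b"\x78\x9f\x3e\x22"

# Constructed placeholder body: signature + 2-byte attachment key + 6 zero bytes.
_FAKE_TNEF = base64.b64encode(TNEF_SIGNATURE + b"\x01\x00" + b"\x00" * 6).decode()

# Constructed sample message; headers copied from the quoted notice.
SAMPLE = f"""\
Return-path: <alrac444@serve.wwwroot11.net>
Received: from alrac444 by serve.wwwroot11.net with local-bsmtp (Exim 4.20)
\tid 19ijUU-0000xi-0n
\tfor carla@bratgrrl.com; Fri, 01 Aug 2003 18:39:18 -0500
Received: from [128.227.242.250] (helo=nt-exchange.ifas.ufl.edu)
\tby serve.wwwroot11.net with esmtp (Exim 4.20)
\tid 19ijUT-0000xf-Qh
\tfor carla@bratgrrl.com; Fri, 01 Aug 2003 18:39:17 -0500
Received: by nt-exchange.ifas.ufl.edu with Internet Mail Service (5.5.2655.55)
\tid <QCYXHLLR>; Fri, 1 Aug 2003 19:37:28 -0400
From: "GroupShield for Exchange (NT-EXCHANGE)" <NAIGNVNT-EXCHANGE@mail.ifas.ufl.edu>
To: carla@bratgrrl.com
Subject: ALERT -  GroupShield ticket number OB185_1059781045_NT-EXCHANGE_1 was generated
Date: Fri, 1 Aug 2003 19:37:27 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----_=_NextPart_000_01C35885.DE00E0C0"
X-Spam-Status: No, hits=0.0 required=5.0
\ttests=none
\tversion=2.55

This message is in MIME format.

------_=_NextPart_000_01C35885.DE00E0C0
Content-Type: text/plain

Action Taken:
The message was quarantined and replaced with a text informing the recipient
of the action taken.

Virus Name: Exploit-MIME.gen.b

------_=_NextPart_000_01C35885.DE00E0C0
Content-Type: application/ms-tnef
Content-Transfer-Encoding: base64

{_FAKE_TNEF}
------_=_NextPart_000_01C35885.DE00E0C0--
"""

# "from X ... by Y" or just "by Y" for the originating hop.
RECEIVED_RE = re.compile(r"(?:from\s+(?P<frm>\S+)\s.*?)?\bby\s+(?P<by>\S+)")
SPAM_RE = re.compile(r"hits=(?P<hits>-?[\d.]+)\s+required=(?P<req>[\d.]+)")


def relay_chain(msg):
    """Hops oldest-first as (from, by); Received: headers are stored newest-first."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        line = " ".join(str(hdr).split())  # unfold and collapse whitespace
        m = RECEIVED_RE.search(line)
        if m:
            hops.append((m.group("frm") or "(originating host)", m.group("by")))
    return hops


def mime_parts(msg):
    """(content_type, decoded_size) for every leaf part, in document order."""
    return [(p.get_content_type(), len(p.get_payload(decode=True) or b""))
            for p in msg.walk() if not p.is_multipart()]


def tnef_parts(msg):
    """TNEF parts, which non-Outlook readers cannot render: (signature_ok, size)."""
    found = []
    for part in msg.walk():
        if part.get_content_type() == "application/ms-tnef":
            blob = part.get_payload(decode=True) or b""
            found.append((blob[:4] == TNEF_SIGNATURE, len(blob)))
    return found


def spam_score(msg):
    """(hits, required) from X-Spam-Status, or None if the header is absent."""
    m = SPAM_RE.search(" ".join(str(msg.get("X-Spam-Status", "")).split()))
    return (float(m["hits"]), float(m["req"])) if m else None


def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    return {
        "notice_from": str(msg["From"]),
        "relay_chain": relay_chain(msg),
        "parts": mime_parts(msg),
        "tnef": tnef_parts(msg),
        "spam": spam_score(msg),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run as-is it prints the three hops oldest-first, starting at nt-exchange.ifas.ufl.edu, so the site whose scanner generated the notice is read off the Received: chain rather than trusted from the From: line; it also confirms that the only non-text part is TNEF, which is why the "bounce" body is invisible in anything but Outlook.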

