e-mail warning

Chris Gibbs chris at HAWKLORD.UKLINUX.NET
Fri Apr 26 18:37:02 EDT 2002


Hi,

(to stop this sort of virus affecting you when it comes in: Try to have
your browser configured so it WILL NOT play multi-media! or get your
mail with something that CANNOT play multi media or execute other
programs.  This is still very amateur stuff!)

I think I'm getting these from the place they start out, of course I'm
not certain about that.   This shows how out of date I am!   Whatever
the IE 6.0 patch is, it's attempting to be (hint: check if files with
these names exist someplace, not saying they will exist, but my guess is
they do on an infected system):

--A66NRz12Xf77R4p8H159
Content-Type: audio/x-wav;
        name=Paths.scr
Content-Transfer-Encoding: base64
Content-ID: <BL3o920g3V94b0y7Zh>

You don't see it because the message is in HTML.  It definitely is not a
wav file, it is actually trying to be a screen saver!

There is also

--A66NRz12Xf77R4p8H159
--A66NRz12Xf77R4p8H159
Content-Type: application/octet-stream;
        name=Theses[1].htm
Content-Transfer-Encoding: base64
Content-ID: <BL3o920g3V94b0y7Zh>

But it certainly ain't a html file!


Here is the header from another nasty (Ghoa ???) I got in the last few days;
it is very similar in construction:

>From - Wed Apr 24 22:32:09 2002
Received: by s1.uklinux.net (mbox hawklord)
 (with Cubic Circle's cucipop (v1.31 1998/05/13) Wed Apr 24 22:41:59 2002)
X-From_: zahar at upsi.edu.my  Wed Apr 24 08:50:34 2002
Return-Path: <zahar at upsi.edu.my>
Received: from munshi.upsi.edu.my ([202.184.240.6])
        by s1.uklinux.net (8.11.6/8.11.6) with ESMTP id g3O7nrL23921
        for <chris at hawklord.uklinux.net>; Wed, 24 Apr 2002 08:49:57 +0100
Envelope-To: <chris at hawklord.uklinux.net>
Received: from Kxietcq (generic20.upsi.edu.my [10.20.0.178] (may be forged))
        by munshi.upsi.edu.my (8.11.2/8.11.2) with SMTP id g3O7cVx20725
        for <chris at hawklord.uklinux.net>; Wed, 24 Apr 2002 15:38:31 +0800
Date: Wed, 24 Apr 2002 15:38:31 +0800
Message-Id: <200204240738.g3O7cVx20725 at munshi.upsi.edu.my>
From: RARS <RARS at MRCB.COM.MY>
To: chris at hawklord.uklinux.net
Subject: News Application
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary=M8m5098N2l47q99G48S817HE
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: 12cc7350edd90100

This one has:

--M8m5098N2l47q99G48S817HE
Content-Type: audio/x-wav;
        name=all.exe
Content-Transfer-Encoding: base64
Content-ID: <R4RE0Ns1fY8>

and

Content-Type: application/octet-stream;
        name=news.html
Content-Transfer-Encoding: base64
Content-ID: <R4RE0Ns1fY8>

--

Greasy Truckers Party on the Road  2002
XHawkwind     Tractor / The Way We Live
Wrexham Psychedelic Party - 18th May
Yales Central Station
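
Added example (not part of the original post): a mail-filter check for the label mismatch shown in the quoted part headers, where an executable file name sits under an audio/x-wav type or an executable payload hides behind a document name. The reason codes, the extension list, the "MZ" payload test and the sample message are assumptions constructed for illustration.

```python
import base64
import email
import os

# Extensions Windows runs directly; the headers quoted above use .scr and .exe.
EXECUTABLE_EXT = {".scr", ".exe", ".pif", ".bat", ".com"}
MEDIA_TYPES = {"audio", "video", "image", "text"}

def suspicious_parts(raw: bytes):
    """Return (filename, declared_type, reason) for parts whose label is not credible."""
    findings = []
    for part in email.message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""  # falls back to Content-Type name=
        ext = os.path.splitext(name)[1].lower()
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        if ext in EXECUTABLE_EXT and part.get_content_maintype() in MEDIA_TYPES:
            findings.append((name, declared, "exec-ext-under-media-type"))
        elif ext not in EXECUTABLE_EXT and payload[:2] == b"MZ":
            # Assumption: the disguised part is a DOS/PE executable ("MZ" magic).
            findings.append((name, declared, "mz-payload-under-other-name"))
    return findings

def build_sample() -> bytes:
    """Constructed message reusing the part labels quoted above; payloads are inert filler."""
    fake_exe = base64.b64encode(b"MZ" + b"\x00" * 16).decode()
    html = base64.b64encode(b"<html>hello</html>").decode()
    parts = [("text/html", None, html),
             ("audio/x-wav", "Paths.scr", fake_exe),
             ("application/octet-stream", "Theses[1].htm", fake_exe),
             ("application/octet-stream", "notes.htm", html)]
    boundary = "constructed-boundary"
    lines = ["MIME-Version: 1.0",
             f"Content-Type: multipart/alternative; boundary={boundary}", ""]
    for ctype, name, body in parts:
        label = f"{ctype}; name={name}" if name else ctype
        lines += [f"--{boundary}", f"Content-Type: {label}",
                  "Content-Transfer-Encoding: base64", "", body]
    lines.append(f"--{boundary}--")
    return "\r\n".join(lines).encode("ascii")

if __name__ == "__main__":
    for finding in suspicious_parts(build_sample()):
        print(finding)
```
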


