Here is one from an actual email:
Received: from dslgw.aebc.com [209.53.208.34] by smtp.aebc.com with ESMTP
  (SMTPD32-7.15) id AC7177D0202; Fri, 22 Jul 2005 12:43:45 -0700
Received: from Backoffice.net ([10.100.5.86])
        by dslgw.aebc.com (8.13.3/8.13.3) with SMTP id j6MJjcUt037787
        for <[EMAIL PROTECTED]>; Fri, 22 Jul 2005 12:45:39 -0700 (PDT)
        (envelope-from [EMAIL PROTECTED])
Date: Fri, 22 Jul 2005 12:42:53 -0800
To: "Alogih" <[EMAIL PROTECTED]>
From: "Alogigan" <[EMAIL PROTECTED]>
Subject: 1
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--------bnvpivwootlffrgmzscp"

----------bnvpivwootlffrgmzscp
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>
1<br><br>

<br>
</body></html>

----------bnvpivwootlffrgmzscp
Content-Type: application/octet-stream; name="1.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="1.txt"

ICA=x

----------bnvpivwootlffrgmzscp--



Pete McNeil wrote:
On Friday, July 22, 2005, 6:53:57 PM, Andrew wrote:

CA> My email server has received about 200 of a certain message since 8:30
CA> AM PDT.

CA> The Subject line is merely "1", the forged mailfrom is approximately the
CA> first 8 characters of the target address plus a forged domain.  There is
CA> an attachment called "1.txt" and a message text body that begins on a
CA> new line "ICA=" plus three characters, the first one of which may be
CA> low-bit ASCII and the second two are high-bit.

CA> The sources include zombie networks, normal mail servers, and bounced
CA> messages from normal servers.

CA> I've sent a bunch of samples to the usual spam@ address and thought I'd
CA> make a more general posting here.  My guess is that it's a new worm, and
CA> that it's broken.

CA> Incidentally, I don't think this is related to a current spam campaign
CA> in which the Subject: line includes a number inside of square brackets.
CA> I just thought I'd head off that distraction.

I'm on updates this evening. I'll watch for this. It sounds like
something that requires an abstract rule --- probably not enough
content for the other coders to try it safely... I am surprised I
didn't hear about it though...

Please send me another note with a few of these as attachments (even
better if they are raw files from your mail queue - that way there
will be no re-coding by any mail clients) -- send to our support@
address. If they get through then that means we're not filtering them
yet -- I'll use them as examples and will try to code a complex rule
that's safe.

Thanks!

_M
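The pattern Andrew describes (Subject exactly "1", an attachment named "1.txt", a base64 body starting with "ICA=", and a sender local part that copies the first eight characters of the recipient address) is concrete enough to turn into a simple multi-indicator check. The script below is an added example, not code from the Message Sniffer project or from anyone on this list. It parses a sample built from the headers quoted above, with example.com addresses standing in for the redacted ones (an assumption), and reports which indicators fire; it only flags a message when the three content indicators all match, which is the kind of conjunction a "safe" rule needs to avoid catching every legitimate mail with a one-character subject.

```python
"""Multi-indicator check for the '1' / '1.txt' message pattern from the thread.

Added example, not part of the mailing-list post or the Message Sniffer
rule set. Addresses in the samples are constructed placeholders.
"""
import base64
import email
from email import policy
from email.utils import parseaddr

# "ICA=" is base64 for two ASCII spaces (0x20 0x20); the trailing bytes the
# thread mentions are whatever follows that in the broken payload.
ICA_DECODED = base64.b64decode(b"ICA=")

# Constructed sample: the raw message quoted above with placeholder addresses
# (assumption: recipient local part starts with the forged sender's local part).
SAMPLE_SUSPECT = b"""Received: from dslgw.aebc.com [209.53.208.34] by smtp.aebc.com with ESMTP
  (SMTPD32-7.15) id AC7177D0202; Fri, 22 Jul 2005 12:43:45 -0700
Received: from Backoffice.net ([10.100.5.86])
        by dslgw.aebc.com (8.13.3/8.13.3) with SMTP id j6MJjcUt037787
        for <alogigansmith@example.com>; Fri, 22 Jul 2005 12:45:39 -0700 (PDT)
        (envelope-from alogigan@forged.example)
Date: Fri, 22 Jul 2005 12:42:53 -0800
To: "Alogih" <alogigansmith@example.com>
From: "Alogigan" <alogigan@forged.example>
Subject: 1
Message-ID: <placeholder-id@forged.example>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--------bnvpivwootlffrgmzscp"

----------bnvpivwootlffrgmzscp
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>
1<br><br>

<br>
</body></html>

----------bnvpivwootlffrgmzscp
Content-Type: application/octet-stream; name="1.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="1.txt"

ICA=x

----------bnvpivwootlffrgmzscp--
"""

# Constructed benign sample: same one-character subject, no attachment.
SAMPLE_BENIGN = b"""From: "Alice" <alice@example.com>
To: "Bob" <bob@example.org>
Subject: 1
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Just checking in, see item 1 of the agenda.
"""

# These three must all be present before the message is flagged.
REQUIRED = {"subject_is_1", "attachment_1_txt", "payload_starts_ICA="}


def _localpart(header_value):
    """Return the lowercased local part of the first address in a header."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.split("@", 1)[0].lower() if "@" in addr else ""


def analyze(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and evaluate the indicators from the thread."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    indicators = []

    if str(msg.get("Subject", "")).strip() == "1":
        indicators.append("subject_is_1")

    # Forged mailfrom: sender local part equals first 8 chars of the target.
    sender, rcpt = _localpart(msg.get("From")), _localpart(msg.get("To"))
    if sender and len(rcpt) >= 8 and sender == rcpt[:8]:
        indicators.append("from_mimics_rcpt_prefix")

    if msg.is_multipart():
        for part in msg.iter_attachments():
            if (part.get_filename() or "").lower() == "1.txt":
                indicators.append("attachment_1_txt")
                break

    # Look at the still-encoded payload of every leaf part: the broken base64
    # starts with "ICA=" before any decoding is attempted.
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=False)
        if isinstance(payload, str) and payload.lstrip().startswith("ICA="):
            indicators.append("payload_starts_ICA=")
            break

    return {"indicators": indicators, "match": REQUIRED <= set(indicators)}


if __name__ == "__main__":
    for name, raw in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(name, analyze(raw))
```

The sender-prefix indicator is recorded but not required, because Andrew only says the forged address is "approximately" the first eight characters, so treating it as supporting evidence keeps the rule from missing variants while the three content checks keep it from firing on ordinary mail.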



This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html



