Educause Security Discussion mailing list archives

Re: Bagle.j out


From: Marty Hoag <Marty.Hoag () NDSU NODAK EDU>
Date: Tue, 2 Mar 2004 17:40:21 -0600

   The thing I found so chilling was how convincing the
e-mail message was. It used the domain name in the body
of the text, etc. It almost had me fooled and I was so
proud of the non-IT person who was suspicious. Luckily
she worked in the "xyzcenter.org" and knew this didn't
look right.

   I'll try pasting it in here but change the domain to
protect the innocent. I've also reflowed the lines
since they got wrapped funny when I pasted it in.
I thought it was especially thorough to include a
web address to match the user's domain.

   By the way, McAfee seems to have an extra.dat
now at http://vil.nai.com/vil/content/v_101071.htm .
There are other messages too of course.

   Marty

--- Sample believed to be Bagle.j (folded to fit) ---

From: support () xyzcenter org [mailto:support () xyzcenter org]
Sent: Tuesday, March 02, 2004 4:11 PM
To: info () xyzcenter org
Subject: Warning about your e-mail account.

Dear user, the management of Xyzcenter.org  mailing system
wants to let you know that,

Some of our  clients  complained about the spam (negative
e-mail content) outgoing from your e-mail account.  Probably,
you have been infected by a proxy-relay trojan server. In
order  to  keep your computer safe, follow the instructions.

For further details see the attach.

In  order to  read the attach you have to  use the  following password:
00740.

The Management,
   The Xyzcenter.org team          http://www.xyzcenter.org
---

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
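
Added example (not part of the post above or of the list archive): a Python mail-filter heuristic that reports the three traits visible in the quoted sample, namely a sender address claiming the recipient's own domain, that domain repeated in the body, and an attachment password given in the message text. The function name, signal labels and regular expressions are assumptions made for illustration, and the sample message is constructed from the quoted text with the archive's address obfuscation undone.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the message quoted in the post.
SAMPLE = """\
From: support@xyzcenter.org
To: info@xyzcenter.org
Subject: Warning about your e-mail account.

Dear user, the management of Xyzcenter.org mailing system
wants to let you know that,

For further details see the attach.

In order to read the attach you have to use the following password:
00740.

The Management,
   The Xyzcenter.org team          http://www.xyzcenter.org
"""

# Assumed patterns: a password stated in the text, and a mention of an attachment.
PASSWORD_HINT = re.compile(r"password\s*(?:is)?\s*[:=]\s*\S{3,}", re.I)
ATTACH_HINT = re.compile(r"\battach(?:ment|ed)?\b", re.I)

def domain_of(header_value):
    """Lower-cased domain part of an address header ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def lure_signals(raw):
    """Return the names of the lure traits found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    # Only unencoded text/plain parts are inspected (assumption for brevity).
    body = "".join(str(p.get_payload()) for p in msg.walk()
                   if p.get_content_type() == "text/plain")
    sender, rcpt = domain_of(msg.get("From")), domain_of(msg.get("To"))
    signals = []
    if sender and sender == rcpt:  # From is unauthenticated: a claim, not proof
        signals.append("sender-claims-recipient-domain")
    if rcpt and body.lower().count(rcpt) >= 2:
        signals.append("recipient-domain-repeated-in-body")
    if ATTACH_HINT.search(body) and PASSWORD_HINT.search(body):
        signals.append("password-for-attachment-in-body")
    return signals

if __name__ == "__main__":
    print(lure_signals(SAMPLE))
```

Any one signal is common in legitimate mail; the combination of all three is what matches the sample.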
