Full Disclosure mailing list archives

Re: Fwd: YOUR PAYPAL.COM ACCOUNT EXPIRES


From: Larry Hand <lhand () co la ca us>
Date: Fri, 14 Nov 2003 11:38:20 -0800

On Thursday 13 November 2003 04:43 pm, Larry Hand wrote:
Anyone else seeing this? It comes with an attachment Paypal.asp.scr. 
Anyone know what it is? It sure looks suspicious.

And a bunch of people answered! Thanks to you all.

Thanks for the links. I expect it's that MiMail trojan. It's rare that a 
virus gets through the filters here. Apparently it's a new variant which 
slipped in before the newest AV signature updates were installed. Since NAI 
didn't find out about it until today, I guess that's reasonable :-)

As for the Yahoo involvement, my headers (I should have included the full 
headers the first time; oops, my bad) were:

From donotreply () paypal com Fri Nov 14 00:29:00 2003
Received: from 62.42.15.89 [62.42.15.89] by co.la.ca.us
  (SMTPD32-6.06) id A23C519B00DE; Thu, 13 Nov 2003 16:30:52 -0800
Date: Fri, 14 Nov 2003 03:29:00 -0500
From: PayPal.com <donotreply () paypal com>
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
Reply-To: donotreply () paypal com
Organization: None
X-Priority: 1 (High)
To: lhand () co la ca us
Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----------716A2B1C01688342"
Message-Id: <200311131630671.SM00134@62.42.15.89>
X-RCPT-TO: <lhand () co la ca us>
X-UIDL: 294245102
Status: R 
X-Status: N

The author did a pretty good job of hiding his tracks. Only the IP address 
(VA1-1D-u-0856.mc.onolab.com, apparently from Spain) and the fact that it was 
sent by Outlook Express give a hint that it didn't really come from PayPal.

A few people asked for the file. I've attached it as suggested: zipped and 
encrypted with "infected" as the password.

Thanks again for all the help.

Attachment: paypal.zip
Description: paypal attachment
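Added example (not part of the post or the list archive): a small Python triage function that checks the hints Larry points to in the headers above, the first hop that is a bare IP with no hostname, the Outlook Express X-Mailer on a supposed bulk mailing, and the double-extension Paypal.asp.scr attachment, against a constructed message modelled on the quoted headers (archive address obfuscation removed, attachment bytes invented). The first-hop-versus-From-domain check is a heuristic, not a rule.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post; the body
# and attachment content are invented, not the original file.
RAW_MESSAGE = """\
Received: from 62.42.15.89 [62.42.15.89] by co.la.ca.us
  (SMTPD32-6.06) id A23C519B00DE; Thu, 13 Nov 2003 16:30:52 -0800
From: PayPal.com <donotreply@paypal.com>
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
To: lhand@co.la.ca.us
Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Paypal.asp.scr"
Content-Disposition: attachment; filename="Paypal.asp.scr"

MZ-not-really
--b1--
"""

EXECUTABLE_EXT = {"scr", "exe", "pif", "com", "bat", "vbs"}

def triage(raw):
    """Return indicator labels for the spoofing hints the post points out."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    # The topmost Received header is the hop that handed the mail to our own server.
    received = msg.get_all("Received") or []
    hop = re.search(r"from\s+(\S+)\s+\[(\d+(?:\.\d+){3})\]", received[0]) if received else None
    if hop and hop.group(1) == hop.group(2):          # submitter named only by its IP
        findings.append("bare-ip-submitter:" + hop.group(2))
    if hop and from_domain and not hop.group(1).endswith(from_domain):
        findings.append("first-hop-outside-from-domain:" + from_domain)   # heuristic
    if "outlook express" in (msg.get("X-Mailer") or "").lower():
        findings.append("desktop-mua-for-bulk-sender")
    for part in msg.iter_attachments():              # e.g. Paypal.asp.scr in the post
        suffixes = (part.get_filename() or "").lower().split(".")
        if len(suffixes) > 2 and suffixes[-1] in EXECUTABLE_EXT:
            findings.append("double-extension-executable:" + ".".join(suffixes))
    return findings
```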
