Full Disclosure mailing list archives

Re: new worm traveling the net? (GNU/Linux)

From: Przemyslaw Frasunek <venglin () freebsd lublin pl>
Date: Tue, 20 Feb 2007 10:06:59 +0100

Timo Schoeler napisał(a):

a friend of mine contacted me because he saw lots of emails (60) to
catchthismail () domain tld starting at about 5:00 am (US east coast
time).


Indeed, I've started receiving it yesterday at 10:00 am (CET) and it stopped at
08:00 pm. To: header contained catchthismail () domain tld and
helloitmenice () domain tld with almost all domains hosted at my site.

There were about 130 such mails, all of them with following body:

========================
Hi
How are you ? Call me.
and marketing pitches
Poor you, i don't even think how much spam you are recive.
at the group's
6D7174796A6E6A6B667A6A33746A716E72736845777873706872
========================

The third and fifth line contains random words. The last one is hexadecimally
encoded ASCII string, also random.

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com ** NICHDL: PMF9-RIPE *
* Jabber ID: venglin () czuby pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ8JIV *

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

new worm traveling the net? (GNU/Linux) Timo Schoeler (Feb 19)
- Re: new worm traveling the net? (GNU/Linux) Michal Zalewski (Feb 19)
  - Re: new worm traveling the net? (GNU/Linux) Timo Schoeler (Feb 19)
  - Re: new worm traveling the net? (GNU/Linux) Timo Schoeler (Feb 19)
- Re: new worm traveling the net? (GNU/Linux) Przemyslaw Frasunek (Feb 20)