Security Incidents mailing list archives

Looks like a duck...quacks like a duck...


From: "Jay D. Dyson" <jdyson () TREACHERY NET>
Date: Mon, 27 Nov 2000 20:45:35 -0800

-----BEGIN PGP SIGNED MESSAGE-----

Hi folks,

        I figured I'd pass this along for consideration and review.  The
following was received at a staff distribution address at another site.
While I haven't confirmed this is a genuine Outlook trojan/worm, it has
all the markings of such.  Namely:

        1.      The message was unsolicited

        2.      Tell-tale generic subject and body

        3.      Microsoft executable payload; the payload (wishyou.zip)
                contains Music.exe.  Interested parties can snag a copy of
                the binary at http://www.treachery.net/~jdyson/wishyou.zip

        4.      Sender was using Microsoft Outlook Express (which is
                notoriously vulnerable to this sort of thing)

        A cursory review of the binary indicated that the executable calls
wininet.dll.  Doubtful that a music player needs to initiate a connection
to the internet (all wisecracks about RealPlayer mercifully set aside).

        Here are the sanitized headers:

-----BEGIN FORWARDED MESSAGE-----

Return-Path: <staff () recipient site>
Received: from localhost (bob () sender site [XXX.XXX.XXX.XXX])
        by recipient.site (8.9.3/3.8.9) with SMTP id VAA21707
        for <staff () recipient site>; Mon, 27 Nov 2000 21:10:42 -0700
Message-Id: <200011280410.VAA21707 () recipient site>
From: "Mailing Server" <>
To: "Mailing list" <>
Subject: Test mail
Date: Mon, 27 Nov 2000 19:24:23 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--------"
X-Mailer: Microsoft Outlook Express 4.0

Hi, just verifying email, enjoy the attached file.

----- END FORWARDED MESSAGE -----

-Jay

   (                                                             ______
   ))   .-- "There's always time for a good cup of coffee." --.   >===<--.
 C|~~| (>------- Jay D. Dyson --- jdyson () treachery net -------<) |   = |-'
  `--'  `- I'm not surrounded, I just have more targets now. -'  `-----'

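As an added defender-side illustration (not part of Jay's post), here is a small Python triage routine that checks a message for the indicators he lists: a generic subject and body, a display name with an empty address, the Outlook Express X-Mailer, and an executable hidden inside a zip attachment. The sample message and the dummy Music.exe are constructed from the sanitized headers above; the thresholds, labels and function names are my own.

```python
import base64, email, io, re, zipfile

GENERIC_SUBJECTS = {"test mail", "test", "hi", "hello", "check this out"}
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")
BOUNDARY = "--------"  # the all-dash boundary seen in the forwarded headers

def build_sample_zip() -> bytes:
    # Constructed stand-in for wishyou.zip: a dummy Music.exe, not the real binary
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Music.exe", b"MZ" + b"\x00" * 62)  # bare DOS header only
    return buf.getvalue()

def build_sample_mail() -> bytes:
    # Constructed message mirroring the sanitized headers and one-line body
    zip_b64 = base64.b64encode(build_sample_zip()).decode()
    return (
        'From: "Mailing Server" <>\r\nTo: "Mailing list" <>\r\n'
        "Subject: Test mail\r\nMIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\r\n'
        "X-Mailer: Microsoft Outlook Express 4.0\r\n\r\n"
        f"--{BOUNDARY}\r\nContent-Type: text/plain\r\n\r\n"
        "Hi, just verifying email, enjoy the attached file.\r\n"
        f'--{BOUNDARY}\r\nContent-Type: application/zip; name="wishyou.zip"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="wishyou.zip"\r\n\r\n'
        f"{zip_b64}\r\n--{BOUNDARY}--\r\n"
    ).encode()

def triage(raw: bytes) -> list[str]:
    msg = email.message_from_bytes(raw)
    hits = [label for hit, label in (
        ((msg.get("Subject") or "").strip().lower() in GENERIC_SUBJECTS, "generic subject"),
        (re.search(r"<\s*>", msg.get("From", "")), "empty From address"),  # name, no address
        ("outlook express" in msg.get("X-Mailer", "").lower(), "Outlook Express X-Mailer"),
    ) if hit]
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""  # None for multipart containers
        if part.get_content_type() == "text/plain" and not name:
            text = data.decode(errors="replace").lower()
            if len(text.split()) < 15 and "attach" in text:
                hits.append("short generic body pointing at attachment")
        elif name.endswith(EXEC_EXT):
            hits.append(f"executable attachment {name}")
        elif name.endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
            hits += [f"zip {name} contains executable {m}"
                     for m in zipfile.ZipFile(io.BytesIO(data)).namelist()
                     if m.lower().endswith(EXEC_EXT)]
    return hits
```

An empty list from `triage()` means none of the indicators tripped; the zip branch only inspects member names and never extracts or runs anything.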
