Security Incidents mailing list archives
Looks like a duck...quacks like a duck...
From: "Jay D. Dyson" <jdyson () TREACHERY NET>
Date: Mon, 27 Nov 2000 20:45:35 -0800
-----BEGIN PGP SIGNED MESSAGE-----

Hi folks,

I figured I'd pass this along for consideration and review. The following was received at a staff distribution address at another site. While I haven't confirmed this is a genuine Outlook trojan/worm, it has all the markings of such. Namely:

1. The message was unsolicited.
2. Tell-tale generic subject and body.
3. Microsoft executable payload; the payload (wishyou.zip) contains Music.exe. Interested parties can snag a copy of the binary at http://www.treachery.net/~jdyson/wishyou.zip
4. Sender was using Microsoft Outlook Express (which is notoriously vulnerable to this sort of thing).

A cursory review of the binary indicated that the executable calls wininet.dll. Doubtful that a music player needs to initiate a connection to the internet (all wisecracks about RealPlayer mercifully set aside).

Here are the sanitized headers:

- -----BEGIN FORWARDED MESSAGE-----
Return-Path: <staff () recipient site>
Received: from localhost (bob () sender site [XXX.XXX.XXX.XXX])
        by recipient.site (8.9.3/3.8.9) with SMTP id VAA21707
        for <staff () recipient site>; Mon, 27 Nov 2000 21:10:42 -0700
Message-Id: <200011280410.VAA21707 () recipient site>
From: "Mailing Server" <>
To: "Mailing list" <>
Subject: Test mail
Date: Mon, 27 Nov 2000 19:24:23 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------"
X-Mailer: Microsoft Outlook Express 4.0

Hi, just verifying email, enjoy the attached file.
- ----- END FORWARDED MESSAGE -----

- -Jay

   ( ______ ))   .-- "There's always time for a good cup of coffee." --.
    >===<--.    C|~~|   (>------- Jay D. Dyson --- jdyson () treachery net -------<)
    | = |-'     `--'    `- I'm not surrounded, I just have more targets now. -'
    `-----'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: E-mail me for my PGP Public Key.

iQCVAwUBOiM4c9CClfiU/BIVAQHwWgP/VAhU1V0o44ddiT68Wl9ymVbq3ao1Ewq3
Pp1aS45dE/l+EuGVka1pWQIjDs6XGtNRsVsK0rFtD2z4iApr4Yf50lngJrtAMAne
6K/AUMNDOIucY33je7nE/07ZGyVo9d3hSiZqB2Hyeg0YZTvOG0RMy3RQm2gQ+P2Z
ppGml4D3eec=
=hbc8
-----END PGP SIGNATURE-----
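The import check the post describes (the binary "calls wininet.dll"), as an added example that is not part of the original message and was not run against wishyou.zip: a small parser for the PE import directory that walks the IMAGE_IMPORT_DESCRIPTOR table, lists every imported DLL and symbol, and flags network-capable DLLs. The sample image it parses is constructed in the block itself so it runs offline; its DLL and symbol names are illustrative assumptions, not taken from Music.exe.

```python
import struct

# DLLs whose presence in a "music player" raises the same flag the post raises.
NETWORK_DLLS = {"wininet.dll", "winhttp.dll", "urlmon.dll", "ws2_32.dll", "wsock32.dll"}

def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def pe_imports(data):
    """Return {dll_name: [imported symbols]} from a PE32 or PE32+ file image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: data directories begin 96 bytes into the optional header
        dd_base, thunk_fmt, ord_flag = opt + 96, "<I", 1 << 31
    elif magic == 0x20B:  # PE32+: 112 bytes in, 64-bit thunks
        dd_base, thunk_fmt, ord_flag = opt + 112, "<Q", 1 << 63
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    import_rva = struct.unpack_from("<I", data, dd_base + 8)[0]  # directory entry 1 = imports
    sections = []
    for i in range(n_sections):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    imports = {}
    if import_rva == 0:
        return imports
    desc = _rva_to_offset(import_rva, sections)
    while True:
        ilt_rva, _stamp, _fwd, name_rva, iat_rva = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:  # an all-zero IMAGE_IMPORT_DESCRIPTOR terminates the table
            break
        dll = _cstring(data, _rva_to_offset(name_rva, sections)).lower()
        thunk = _rva_to_offset(ilt_rva or iat_rva, sections)  # some linkers leave the ILT empty
        names = []
        while (entry := struct.unpack_from(thunk_fmt, data, thunk)[0]) != 0:
            if entry & ord_flag:
                names.append(f"ordinal#{entry & 0xFFFF}")
            else:  # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the NUL-terminated symbol name
                names.append(_cstring(data, _rva_to_offset(entry & 0x7FFFFFFF, sections) + 2))
            thunk += struct.calcsize(thunk_fmt)
        imports[dll] = names
        desc += 20
    return imports

def flag_network_imports(data):
    """The post's heuristic: which network-capable DLLs does the binary import?"""
    return sorted(dll for dll in pe_imports(data) if dll in NETWORK_DLLS)

def build_sample_pe(dlls):
    """Constructed PE32 with a single .idata section (test input, not a real executable)."""
    sect_rva, sect_raw = 0x1000, 0x200
    body = bytearray(20 * (len(dlls) + 1))  # descriptor table incl. null terminator
    descriptors = []
    for dll, funcs in dlls:
        hint_rvas = []
        for fn in funcs:
            body += b"\0" * (len(body) % 2)  # hint/name entries are 2-byte aligned
            hint_rvas.append(sect_rva + len(body))
            body += struct.pack("<H", 0) + fn.encode() + b"\0"
        body += b"\0" * (-len(body) % 4)
        ilt_rva = sect_rva + len(body)
        body += b"".join(struct.pack("<I", r) for r in hint_rvas) + b"\0" * 4
        iat_rva = sect_rva + len(body)
        body += b"".join(struct.pack("<I", r) for r in hint_rvas) + b"\0" * 4
        name_rva = sect_rva + len(body)
        body += dll.encode() + b"\0"
        descriptors.append(struct.pack("<IIIII", ilt_rva, 0, 0, name_rva, iat_rva))
    body[:20 * len(dlls)] = b"".join(descriptors)
    dos = bytearray(0x40)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)  # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, sect_rva, 20 * (len(dlls) + 1))  # import directory
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(body), sect_rva, len(body), sect_raw, 0, 0, 0, 0, 0xC0000040)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return header.ljust(sect_raw, b"\0") + bytes(body)

# Constructed sample: a "player" importing from kernel32 and wininet (symbol names are illustrative).
SAMPLE = build_sample_pe([
    ("KERNEL32.dll", ["GetModuleHandleA", "ExitProcess"]),
    ("WININET.dll", ["InternetOpenA", "InternetOpenUrlA", "InternetReadFile"]),
])
```

To run it against a real file, pass `open(path, "rb").read()` to `pe_imports` or `flag_network_imports`; on the constructed SAMPLE the latter returns `["wininet.dll"]`. The caveat a practitioner should keep in mind is that this reads the static import table only: a packed binary, or one that resolves its network API at run time through LoadLibrary/GetProcAddress, shows nothing here, so an empty result is weak evidence of innocence while a hit like the post's wininet.dll is a solid reason for the suspicion it raises.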
Current thread:
- Looks like a duck...quacks like a duck... Jay D. Dyson (Nov 29)
- Re: Looks like a duck...quacks like a duck... Brad Griffin (Nov 30)