Re: ICQ Users a target Again!

[claymore <claymore () ADELPHIA NET>]

Yes, this appears to be a version of Hybris. Of course, without actually
seeing it I cannot be certain, but it fits the pattern.

Random 8 Character attachment name with no subject or message body.

Check your favorite AV vendor for "Hybris"

Claymore
the unprofound

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of Lee Hetherington
Sent: Wednesday, March 28, 2001 3:31 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: ICQ Users a target Again!


Hi Guys,

I got an email today when I arrived at work which seemed to originate from
the MAILER-DAEMON account on one of our machines running Sendmail.  The
message had no body but had one attatchment. The file LEOKIALE.EXE is 23Kb
in Size and Hasnt been opened...

It was to a personal address of my own which is only used in ICQ...

Message Headers:-

Return-Path: <root () ns1 asphost net>
Received: (from root@localhost)
        by XXX.asphost.net (8.11.0/8.8.7) id f2RGNGL32025
        for lee () asphost net; Tue, 27 Mar 2001 17:23:16 +0100
Received: from isis.hol.gr (isis.hol.gr [194.30.192.21])
        by XXX.asphost.net (8.11.0/8.8.7) with SMTP id f2RGLeZ32019
        for <xxxxxx () kerfuffle net>; Tue, 27 Mar 2001 17:21:40 +0100
Date: Tue, 27 Mar 2001 17:21:40 +0100
From: MAILER-DAEMON () ns1 asphost net
Message-Id: <200103271621.f2RGLeZ32019 () ns1 asphost net>
Received: (qmail 6678 invoked from network); 27 Mar 2001 16:08:03 -0000
Received: from vdp201.ath02.cas.hol.gr (HELO r8f9e9) (195.97.117.202)
  by isis.hol.gr with SMTP; 27 Mar 2001 16:08:03 -0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VE27O9EV0H27012FOLUR"
Status:


Anyone else seen this?

Lee


Lee Hetherington
Production Network Engineer
Grey Matter Advanced Marketing Limited

T: +44 1242 237600 DL: +44 1242 246139 F: +44 1242 237633 W:
greymatterltd.com
Suite 4, Fairview Court, Fairview Road. Cheltenham, Gloucestershire GL52 2EX
UK