[Dshield] Password protected Bagle.F

Brian Dessent brian at dessent.net
Mon Mar 1 23:22:57 GMT 2004


"Jon R. Kibler" wrote:

> According to a thread on the ClamAV users lists, Bagle.F is now
> spreading via password protected zip file. The text body of the
> email contains the password.

Saw one of these today... the body looked like:

> ----------knexutdhtqiwajhjbcyf
> Content-Type: text/plain; charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> 
> Argh, i don't like the plaintext :)
> password for archive: 35730
> 
> ----------knexutdhtqiwajhjbcyf
> Content-Type: application/octet-stream; name="Mandy.zip"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="Mandy.zip"
> 
> UEsDBAoAAQAAAKBZYTBxj6nUaVkAAF1ZAAALAAAAcmViZWNjYS5leGVIZCdMfRWVXvX5bolR
> 1K6wNeL3UlbfaFPvb6MeejcZ/J/8mU513Wo/dDOqZwhxbkmjc93yYr8yxY+50HZPR7FvhI1L
> ... [and so on]

another one looked like this:

> ----------xuhsskfamnoflsqmjcme
> Content-Type: text/plain; charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> 
> If you are going to make me cry, at least be there to wipe away the tears *Right now the worst thing for you to tell me that I can find someone better than   you, especially when you are all I want
> password: 12452
> 
> ----------xuhsskfamnoflsqmjcme
> Content-Type: application/octet-stream; name="Jammie.zip"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="Jammie.zip"
> 
> UEsDBAoAAQAAAMCAYTAjq7qxc1gAAGdYAAANAAAATWFyeS1Bbm5lLmV4ZajHt6aTAKvZfLh1
> BSv5udCpPfX4B5zSXNbZcYPKFA+0gOuJLv+Fwa1bc10+HuwKOXxfGUKVj+rTCY3fh4hIInpA




More information about the list mailing list