[Dshield] Password protected Bagle.F

Kenneth Coney superc at visuallink.com
Wed Mar 3 15:24:19 GMT 2004

That's nothing.  I thought this one was real good.  I got it last night. 
It probably got half of all the users at my ISP, if I wasn't the only one 
to get it.  Of course it didn't come from them, but imagine if every ISP's 
user got a variant of this.  One of the passworded zip viruses was attached 
with it.  My query to the group is: was the Return-Path spoofed on these?
From: - Wed Mar 03 02:41:43 2004
X-UIDL: 404559c70000002e
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <Medleymichealmedley at sbcglobal.net>
Received: from psmtp.com (exprod6mx34.postini.com [])    by 
localhost.localdomain (8.12.8/8.12.8) with SMTP id i234L9JC006203    for 
<superc at visuallink.com>; Tue, 2 Mar 2004 23:21:09 -0500
Received: from source ([]) by exprod6mx34.postini.com 
([]) with SMTP;    Tue, 02 Mar 2004 20:33:55 PST
Date: Tue, 02 Mar 2004 22:35:08 -0600
To: superc at visuallink.com
Subject: Notify about your e-mail account utilization.
From: staff at visuallink.com
Message-ID: <mbspvtfshyupedsdkhn at visuallink.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;        boundary="--------sxwcqsvslspviatkxrug"
Status: O

Dear user  of "Visuallink.com" mailing system,

Some  of our clients complained about the spam (negative e-mail content)
outgoing from your e-mail  account. Probably,  you  have been infected by
a proxy-relay trojan server. In order to keep your computer safe,
follow the  instructions.

For details see the attach.

Attached file protected with the password  for security reasons.  Password 
is  01747.

The Management,
      The Visuallink.com team http://www.visuallink.com
Subject: Re: [Dshield] Password protected Bagle.F
From: Al Reust <areust at comcast.net>
Date: Tue, 02 Mar 2004 18:49:24 -0800
To: General DShield Discussion List <list at dshield.org>

They are getting smarter at Social Engineering. This is hardline.
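
An added example, not part of the original posts: a triage check for the traits visible in the quoted message, namely a From: domain that differs from the Return-Path domain, a From: that claims the recipient's own provider, and an archive attachment whose password is given in the body. The sample message is constructed with placeholder domains and the finding labels are hypothetical; a From/Return-Path mismatch only shows that the envelope sender and the header sender disagree, since SMTP lets the sending side set both.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the quoted message; all domains are placeholders.
SAMPLE = """\
Return-Path: <someone@sender.example>
To: user@isp.example
Subject: Notify about your e-mail account utilization.
From: staff@isp.example
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Attached file protected with the password for security reasons. Password
is  01747.
--XX
Content-Type: application/octet-stream; name="details.zip"

(constructed placeholder, no payload)
--XX--
"""

PASSWORD_RE = re.compile(r"password\s+is\s*:?\s*(\w+)", re.I)

def domain(header_value):
    # Lower-cased domain of the address in a header, or '' if the header is absent.
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Return heuristic findings (hypothetical labels) for one raw message."""
    msg = message_from_string(raw)
    from_dom, rp_dom, to_dom = (domain(msg[h]) for h in ("From", "Return-Path", "To"))
    findings = []
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append("from-returnpath-mismatch")      # envelope sender != header From
    if from_dom and from_dom == to_dom:
        findings.append("from-claims-recipient-domain")  # "your ISP" impersonation
    text, archives = [], []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith((".zip", ".rar")):
            archives.append(name)
        elif part.get_content_type() == "text/plain":
            text.append(part.get_payload())
    # A scanner cannot open an encrypted archive; the password in the body is the signal.
    if archives and PASSWORD_RE.search(" ".join(" ".join(text).split())):
        findings.append("archive-with-password-in-body")
    return findings
```
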
