[Dshield] New or Maybe old trojan attempt

Kenneth Williams ken at kwilliams.org
Wed Mar 3 17:49:02 GMT 2004


I just received this interesting email claiming to be from my mail
administrator. Since I am my own administrator and I know I didn't send it,
it prompted me to examine the bogus message. Note the message attachment is
a pif file and the return path is to intrusions-unsubscribe at
incidents.org. I have not yet examined the pif called Attach.pif. The
message minus the pif is as follows.
Ken Williams

Return-Path: <intrusions-unsubscribe at incidents.org>
Received: from rtnmc51 (external-ao.netsolve.com [66.187.216.11])
 by mail.kwilliams.org (8.12.9/8.12.9) with SMTP id i23GJscB021746
 for <ken at kwilliams.org>; Wed, 3 Mar 2004 08:19:59 -0800
Date: Wed, 03 Mar 2004 10:19:44 -0600
To: ken at kwilliams.org
Subject: Important notify about your e-mail account.
From: administration at kwilliams.org
Message-ID: <tvfljmjawuydqpchkxl at kwilliams.org>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--------vecjcifcydnddnmfgcrr"
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on
 mail.kwilliams.org
X-Spam-Level:
X-Spam-Status: No, hits=-4.7 required=5.0 tests=BAYES_00,NO_REAL_NAME
 autolearn=no version=2.60
Status:

----------vecjcifcydnddnmfgcrr
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Dear user  of  e-mail  server "Kwilliams.org",

Some of  our  clients complained about the spam (negative  e-mail content)
outgoing from your e-mail account. Probably, you have been  infected by
a proxy-relay trojan server. In order to keep your computer safe,
follow the  instructions.

For  details see  the attach.

Have  a good day,
    The Kwilliams.org team                    http://www.kwilliams.org
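
Added example, not part of the original post: a Python check that flags the three traits visible in the message above (Return-Path domain differing from the From domain, a "local" sender arriving from an outside relay, and a directly executable attachment name). The function names, finding labels, `local_domain` parameter and the placeholder attachment part are assumptions made for illustration.

```python
import re
from email import message_from_string

# Extensions Windows runs directly; .pif is the one reported in this post.
EXECUTABLE_EXT = (".pif", ".scr", ".exe", ".com", ".bat", ".cmd")
# Constructed sample: headers copied from the post (archive-style " at " kept);
# the attachment part is a placeholder because the post omitted the pif.
SAMPLE = """\
Return-Path: <intrusions-unsubscribe at incidents.org>
Received: from rtnmc51 (external-ao.netsolve.com [66.187.216.11])
 by mail.kwilliams.org (8.12.9/8.12.9) with SMTP id i23GJscB021746
 for <ken at kwilliams.org>; Wed, 3 Mar 2004 08:19:59 -0800
Subject: Important notify about your e-mail account.
From: administration at kwilliams.org
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; charset="us-ascii"

For  details see  the attach.
--XX
Content-Disposition: attachment; filename="Attach.pif"

placeholder, not the real attachment
--XX--
"""

def domain(addr):
    """Domain of 'user@host' or of the archive-obfuscated 'user at host'."""
    m = re.search(r"(?:@|\sat\s)([A-Za-z0-9.-]+)", addr or "")
    return m.group(1).lower() if m else ""

def findings(raw, local_domain):
    """Return labels for suspicious traits; local_domain is the receiving site."""
    msg, out = message_from_string(raw), []
    from_dom, rp_dom = domain(msg["From"]), domain(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        out.append("return-path-mismatch")
    m = re.search(r"\(([\w.-]+) \[", msg.get("Received", ""))
    relay = m.group(1).lower() if m else ""   # host that connected to our server
    outside = relay and relay != local_domain and not relay.endswith("." + local_domain)
    if from_dom == local_domain and outside:
        out.append("local-sender-from-external-relay")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXT):
            out.append("executable-attachment:" + name)
    return out
```

Calling `findings(SAMPLE, "kwilliams.org")` returns all three labels for this message; only the topmost `Received` header is inspected, since that is the hop recorded by the receiving server itself.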



