[Dshield] Password protected Bagle.F
areust at comcast.net
Thu Mar 4 00:59:06 GMT 2004
The other part is that, as I got home today, the wife tells me that she has
been fighting variations all day. In her particular case it seems that they
have directed email directly at the server IP, bypassing the virus catcher.
Comparing the log files with what was stated on the antivirus machine,
they could see the legit email and noticed that the infected email had not
So at least for the first in the "message body" part they are doing
$DomainName, $UserName etc replacements in a targeted mail merge format.
The MTA now rejects all Zip files. Fortunately they are not dependent on
receiving information that might be Zip'd.
At 10:24 AM 3/3/2004 -0500, you wrote:
>That's nothing. I thought this one was real good. I got it last night.
>It probably got half of all the users at my ISP, if I wasn't the only one
>to get it. Of course it didn't come from them, but imagine if every ISP's
>user got a variant of this. One of the passworded zip viruses was
>attached with it. My query to the group is: was the Return-Path spoofed on
>From: - Wed Mar 03 02:41:43 2004
>Return-Path: <Medleymichealmedley at sbcglobal.net>
>Received: from psmtp.com (exprod6mx34.postini.com [126.96.36.199]) by
>localhost.localdomain (8.12.8/8.12.8) with SMTP id i234L9JC006203 for
><superc at visuallink.com>; Tue, 2 Mar 2004 23:21:09 -0500
>Received: from source ([188.8.131.52]) by exprod6mx34.postini.com
>([184.108.40.206]) with SMTP; Tue, 02 Mar 2004 20:33:55 PST
>Date: Tue, 02 Mar 2004 22:35:08 -0600
>To: superc at visuallink.com
>Subject: Notify about your e-mail account utilization.
>From: staff at visuallink.com
>Message-ID: <mbspvtfshyupedsdkhn at visuallink.com>
>Content-Type: multipart/mixed; boundary="--------sxwcqsvslspviatkxrug"
>Dear user of "Visuallink.com" mailing system,
>Some of our clients complained about the spam (negative e-mail content)
>outgoing from your e-mail account. Probably, you have been infected by
>a proxy-relay trojan server. In order to keep your computer safe,
>follow the instructions.
>For details see the attach.
>Attached file protected with the password for security reasons. Password
> The Visuallink.com team http://www.visuallink.com
>Subject: Re: [Dshield] Password protected Bagle.F
>From: Al Reust <areust at comcast.net>
>Date: Tue, 02 Mar 2004 18:49:24 -0800
>To: General DShield Discussion List <list at dshield.org>
>They are getting smarter at Social Engineering. This is hardline.
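Three of the points raised in this thread can be checked mechanically at the MTA before a human reads the message: whether the Return-Path agrees with the From: header, whether the message came in through the filtering gateway or was delivered straight to the server (the bypass described above), and whether a zip attachment is password protected, which a gateway can read from the zip header's encryption flag without opening the archive (a narrower rule than rejecting every zip). The Python below is an added example, not code from the original post or from DShield. The sample message is constructed from the headers quoted above with the archive's " at " obfuscation reversed, the zip is a constructed archive whose encryption flag bit is set without any real encryption so it can be built offline, and the host names `localhost.localdomain` and `postini.com` are taken from the quoted Received lines.

```python
"""Gateway-side triage of a message like the one quoted in this thread.
Added example, not code from the original post.  The sample message is
constructed from the quoted headers; the zip is a constructed archive with
only the 'encrypted' flag bit set (no real encryption), so it builds offline.
"""
import email
import io
import re
import struct
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_CENTRAL_HEADER = b"PK\x01\x02"
FLAG_ENCRYPTED = 0x0001        # general-purpose flag bit 0 (APPNOTE.TXT)
FLAG_DATA_DESCRIPTOR = 0x0008  # bit 3: sizes follow the data, not in the header


def make_encrypted_zip_sample() -> bytes:
    """Build a one-entry zip and set its encrypted flag in both headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("details.txt", b"constructed placeholder, not malware")
    data = bytearray(buf.getvalue())
    data[data.find(ZIP_LOCAL_HEADER) + 6] |= FLAG_ENCRYPTED    # local header: flags at +6
    data[data.find(ZIP_CENTRAL_HEADER) + 8] |= FLAG_ENCRYPTED  # central dir: flags at +8
    return bytes(data)


def zip_has_encrypted_entries(data: bytes) -> bool:
    """Walk the local file headers; True if any entry is flagged encrypted.
    Uses local headers only, so a damaged central directory hides nothing."""
    pos = data.find(ZIP_LOCAL_HEADER)
    while pos >= 0 and pos + 30 <= len(data):
        (flags,) = struct.unpack_from("<H", data, pos + 6)
        if flags & FLAG_ENCRYPTED:
            return True
        (comp_size,) = struct.unpack_from("<I", data, pos + 18)
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        # With a data descriptor the header's size field is 0; just search on.
        skip = 30 + name_len + extra_len + (0 if flags & FLAG_DATA_DESCRIPTOR else comp_size)
        pos = data.find(ZIP_LOCAL_HEADER, pos + skip)
    return False


def make_sample_message(via_gateway: bool = True) -> bytes:
    """Constructed message using the headers quoted in the thread.
    via_gateway=False drops the gateway hop so the message appears to have
    been delivered straight to the local MTA, the bypass the post describes."""
    msg = EmailMessage(policy=policy.default)
    msg["Return-Path"] = "<Medleymichealmedley@sbcglobal.net>"
    if via_gateway:
        msg["Received"] = ("from psmtp.com (exprod6mx34.postini.com [126.96.36.199]) "
                           "by localhost.localdomain (8.12.8/8.12.8) with SMTP id i234L9JC006203 "
                           "for <superc@visuallink.com>; Tue, 2 Mar 2004 23:21:09 -0500")
        msg["Received"] = ("from source ([188.8.131.52]) by exprod6mx34.postini.com "
                           "([184.108.40.206]) with SMTP; Tue, 02 Mar 2004 20:33:55 PST")
    else:
        msg["Received"] = ("from source ([188.8.131.52]) by localhost.localdomain (8.12.8/8.12.8) "
                           "with SMTP id i234L9JC006203 for <superc@visuallink.com>; "
                           "Tue, 2 Mar 2004 23:21:09 -0500")
    msg["Date"] = "Tue, 02 Mar 2004 22:35:08 -0600"
    msg["To"] = "superc@visuallink.com"
    msg["Subject"] = "Notify about your e-mail account utilization."
    msg["From"] = "staff@visuallink.com"
    msg["Message-ID"] = "<mbspvtfshyupedsdkhn@visuallink.com>"
    msg.set_content('Dear user of "Visuallink.com" mailing system,\n'
                    "For details see the attach.\n"
                    "Attached file protected with the password for security reasons.\n")
    msg.add_attachment(make_encrypted_zip_sample(), maintype="application",
                       subtype="zip", filename="details.zip")
    return msg.as_bytes()


def analyze_message(raw: bytes, our_host: str, gateway_domain: str) -> dict:
    """Return the observations a gateway policy would act on."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()

    # The Received line stamped by our own MTA names our_host in its "by" clause;
    # its "from" clause must name the filtering gateway, else the filter was skipped.
    arrived_via_gateway = False
    for received in msg.get_all("Received", []):
        text = " ".join(str(received).split())  # collapse header folding
        if re.search(r"\bby\s+" + re.escape(our_host) + r"\b", text):
            from_clause = re.split(r"\s+by\s+", text, maxsplit=1)[0]
            arrived_via_gateway = gateway_domain.lower() in from_clause.lower()
            break

    encrypted = []
    for part in msg.iter_attachments():
        payload = part.get_content()
        if (isinstance(payload, bytes) and payload.startswith(ZIP_LOCAL_HEADER)
                and zip_has_encrypted_entries(payload)):
            encrypted.append(part.get_filename() or "<unnamed>")

    return {
        "sender_mismatch": bool(return_path) and return_path != from_addr,
        "arrived_via_gateway": arrived_via_gateway,
        "encrypted_zip_attachments": encrypted,
        "reject": bool(encrypted) or not arrived_via_gateway,
    }


if __name__ == "__main__":
    for via in (True, False):
        print(via, analyze_message(make_sample_message(via), "localhost.localdomain", "postini.com"))
```

The Return-Path check answers the question asked in the quoted post for this sample (the envelope sender and the From: header name different domains), the Received check is what would have caught the mail that was aimed at the server IP instead of the gateway, and the zip flag check lets an MTA keep accepting ordinary archives while still refusing the password-protected ones this family relies on.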