[Dshield] Password protected Bagle.F

Al Reust areust at comcast.net
Thu Mar 4 00:59:06 GMT 2004

The other part is that as I got home today, the wife tells me that she has 
been fighting variations all day. In her particular case it seems that they 
have directed email directly at the server IP, bypassing the virus catcher. 
Comparing the log files with what was stated on the antivirus machine, 
they could see the legit email and noticed that the infected email had not 
been checked!

So, at least for the first one, in the "message body" part they are doing 
$DomainName, $UserName, etc. replacements in a targeted mail-merge format.

The MTA now rejects all zip files. Fortunately they are not dependent on 
receiving information that might be zipped.


At 10:24 AM 3/3/2004 -0500, you wrote:
>That's nothing.  I thought this one was real good.  I got it last night. 
>It probably got half of all the users at my ISP, if I wasn't the only one 
>to get it.  Of course it didn't come from them, but imagine if every ISP's 
>user got a variant of this.  One of the passworded zip viruses was 
>attached with it.  My query to the group is was the Return-Path spoofed on 
>From: - Wed Mar 03 02:41:43 2004
>X-UIDL: 404559c70000002e
>X-Mozilla-Status: 0001
>X-Mozilla-Status2: 00000000
>Return-Path: <Medleymichealmedley at sbcglobal.net>
>Received: from psmtp.com (exprod6mx34.postini.com [])    by 
>localhost.localdomain (8.12.8/8.12.8) with SMTP id i234L9JC006203    for 
><superc at visuallink.com>; Tue, 2 Mar 2004 23:21:09 -0500
>Received: from source ([]) by exprod6mx34.postini.com 
>([]) with SMTP;    Tue, 02 Mar 2004 20:33:55 PST
>Date: Tue, 02 Mar 2004 22:35:08 -0600
>To: superc at visuallink.com
>Subject: Notify about your e-mail account utilization.
>From: staff at visuallink.com
>Message-ID: <mbspvtfshyupedsdkhn at visuallink.com>
>MIME-Version: 1.0
>Content-Type: multipart/mixed;        boundary="--------sxwcqsvslspviatkxrug"
>Status: O
>Dear user  of "Visuallink.com" mailing system,
>Some  of our clients complained about the spam (negative e-mail content)
>outgoing from your e-mail  account. Probably,  you  have been infected by
>a proxy-relay trojan server. In order to keep your computer safe,
>follow the  instructions.
>For details see the attach.
>Attached file protected with the password  for security reasons.  Password 
>is  01747.
>The Management,
>      The Visuallink.com team http://www.visuallink.com
>Subject: Re: [Dshield] Password protected Bagle.F
>From: Al Reust <areust at comcast.net>
>Date: Tue, 02 Mar 2004 18:49:24 -0800
>To: General DShield Discussion List <list at dshield.org>
>They are getting smarter at Social Engineering. This is hardline.
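Two checks a mail admin could run against what the post above describes, as an added example that is not code from the original thread or from DShield. The first reproduces the log comparison: a message is only trusted to have been scanned if the hop that handed it to our MTA (the first Received header, the one our own server wrote) came from the scanning gateway's address; a sender that connected straight to the server IP shows up as a different connecting address. The second looks at the zip attachment itself and reads the encryption bit in each local file header, so a filter can reject password-protected archives specifically instead of every zip. The host names, the RFC 5737 addresses 192.0.2.10 and 198.51.100.7, the attachment name details.zip and the sample messages are all constructed for the example.

```python
import email
import io
import re
import struct
import zipfile
from email.message import EmailMessage

# Addresses allowed to hand mail to our MTA: in the setup described above only
# the virus-scanning gateway should ever connect. Assumed value, not from the post.
GATEWAY_IPS = {"192.0.2.10"}

# "from <helo> (<rdns> [<ip>])" as sendmail writes it. HELO and rDNS are under the
# sender's influence; only the bracketed IP our own MTA saw on the connection counts.
RECEIVED_FROM = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<paren>[^)]*)\)", re.I)
BRACKET_IP = re.compile(r"\[([0-9A-Fa-f.:]+)\]")


def bypassed_gateway(raw_message, gateway_ips=GATEWAY_IPS):
    """Return the connecting IP if the message entered our MTA from a host other
    than the scanning gateway (so it was never scanned), else None."""
    msg = email.message_from_bytes(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return "<no Received header>"
    m = RECEIVED_FROM.search(received[0])  # first header = hop into our MTA
    ip = BRACKET_IP.search(m.group("paren")) if m else None
    if ip is None:
        return "<unparsed: %s>" % " ".join(received[0].split())
    return None if ip.group(1) in gateway_ips else ip.group(1)


def encrypted_zip_entries(data):
    """Walk a zip's local file headers and return the names of entries whose
    general-purpose flag marks them encrypted (bit 0: traditional PKWARE
    encryption, bit 6: strong encryption)."""
    names, pos = [], 0
    while data[pos:pos + 4] == b"PK\x03\x04":
        (flags, _method, _time, _date, _crc, comp_size, _size, name_len,
         extra_len) = struct.unpack("<HHHHIIIHH", data[pos + 6:pos + 30])
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        if flags & 0x0041:
            names.append(name)
        if flags & 0x0008:  # sizes only in a trailing data descriptor:
            break           # stop rather than guess where the next header is
        pos += 30 + name_len + extra_len + comp_size
    return names


def encrypted_zip_attachments(raw_message):
    """Map each zip attachment's filename to its encrypted entry names."""
    msg = email.message_from_bytes(raw_message)
    found = {}
    for part in msg.walk():
        name = part.get_filename() or ""
        if part.get_content_type() == "application/zip" or name.lower().endswith(".zip"):
            entries = encrypted_zip_entries(part.get_payload(decode=True) or b"")
            if entries:
                found[name] = entries
    return found


# --- constructed samples (not from the original post) ---

def make_zip(entries, encrypted=False):
    """Stored zip of (name, bytes) pairs. With encrypted=True, bit 0 of each local
    header is set so it looks password-protected to the check above; no real
    encryption is applied."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries:
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        for info in zipfile.ZipFile(io.BytesIO(bytes(data))).infolist():
            data[info.header_offset + 6] |= 0x01
    return bytes(data)


def build_message(received, zip_bytes):
    """A lure shaped like the quoted one, with the given Received trail."""
    msg = EmailMessage()
    for value in received:
        msg["Received"] = value
    msg["From"] = "staff@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Notify about your e-mail account utilization."
    msg.set_content('Dear user of "example.com" mailing system,\n'
                    "Attached file protected with the password for security reasons.\n")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="details.zip")
    return msg.as_bytes()


VIA_GATEWAY = [  # gateway relayed it to us: the first header names the gateway
    "from scanner.example.net (scanner.example.net [192.0.2.10]) by "
    "mail.example.com (8.12.8/8.12.8) with SMTP id abc123; Tue, 2 Mar 2004 23:21:09 -0500",
    "from source ([198.51.100.7]) by scanner.example.net with SMTP; "
    "Tue, 02 Mar 2004 20:33:55 PST",
]
DIRECT = [  # sender connected straight to the server IP, no gateway hop
    "from source ([198.51.100.7]) by mail.example.com (8.12.8/8.12.8) with "
    "SMTP id abc124; Tue, 2 Mar 2004 23:22:41 -0500",
]
```

Run `bypassed_gateway(build_message(DIRECT, make_zip([("details.txt", b"x")], encrypted=True)))` and it returns "198.51.100.7", while the VIA_GATEWAY trail returns None. The Received check is a triage tool for mail that has already been accepted; the durable fix for the bypass is to let nothing but the gateway's addresses reach port 25 on the server, so the first hop cannot be anyone else. The zip check relies on the local headers carrying correct sizes; an archive that uses data descriptors stops the walk early, so a production filter should also consult the central directory rather than pass such files silently.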