japanese lass' sexy pictures (virus)



John Lindsey
13th May 2002, 00:21
I have received a complaint from a member that another member had purposely sent him Japanese porno and a virus. He claims it came from the "Southern Alliance" which I think is linked to Manny Salazar, Mike Mitchell, and Antonio Bustillo.

I too have received this same message and virus. It does not appear that these people did this on purpose. Please read the following:

This W32/Klez variant has the ability to spoof the email FROM: field. The sender's address used by the virus may be one that was found on the infected user's system. Thus, it may appear that you have received this virus from one person, when it was actually sent from a different user's system. Viewing the entire email header will display the actual sender's address.

This worm makes use of the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in Microsoft Internet Explorer (version 5.01 or 5.5 without SP2).

This worm arrives in an e-mail message with a subject and body randomly composed from a rather long pool of strings that the virus carries inside itself (the virus can also add other strings):

"Hi, Hello, Re: Fw: Undeliverable mail-- Returned mail-- game a tool a website new funny nice humour excite good powful WinXP IE 6.0 W32.Elkern W32.Klez how are you let's be friends darling don't drink too much your password honey some questions please try again welcome to my hometown the Garden of Eden introduction on ADSL meeting notice question naire congratulations sos! japanese girl VS playboy look, my beautiful girlfriend eager to see you spice girls' vocal concert japanese lass' sexy pictures Symantec Mcafee F-Secure Sophos The following mail can't be sent to The attachment The file is the original mail give you the is a dangerous virus that can infect on Win98/Me/2000/XP. spread through email. very special For more information,please visit This is I you would it. enjoy like wish hope expect Christmas New year Saint Valentine's Day Allhallowmas April Fools' Day Lady Day Assumption Candlemas All Souls'Day Epiphany Happy Have a"

In our experiments we have, for example, observed the following Subject lines (the more common ones at the top):

Subject: Document End
Subject: Happy Lady Day
Subject: From
Subject: Eager to see you
Subject: Returned mail--"Document End "
Subject: HEIGHT
Subject: A WinXP patch
Subject: Hi,spice girls' vocal concert
Subject: Happy nice Lady Day
Subject: Have a humour Lady Day
Subject: Happy good Lady Day
Subject: ALIGN
Subject: Have a good Lady Day
Subject: Undeliverable mail--"IIS services with this Web administration tool."
(the virus can also send mails with empty Subject and/or body)
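The post above says the real origin is visible in the full header, so here is an added example (mine, not from the thread or any AV vendor) of what to actually look at: the Received: lines, read bottom-up, give the delivery path, and the first hop is where the mail entered the mail system regardless of what From: says. The sample message is constructed to mirror the headers posted later in this thread; the host names, IPs and ids are placeholders.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the Klez-style headers posted in this thread.
# Host names, addresses and ids are placeholders, not real infrastructure.
RAW_MESSAGE = """\
Received: from relay.example.net ([203.0.113.39]) by mail.victim.example with SMTP
    id ABC123; Sat, 4 May 2002 21:56:12 -0500
Received: from Uwioba ([198.51.100.160]) by relay.example.net
    (InterMail vM.4.01.03.27) with SMTP
    id <20020505025606.ABC.relay.example.net@Uwioba>
    for <victim@victim.example>; Sun, 5 May 2002 02:56:06 +0000
From: robertrousselot <robertrousselot@hotmail.com>
To: victim@victim.example
Subject: A special good tool
MIME-Version: 1.0
Content-Type: text/plain

body
"""

# "from <helo-name> ([ip]) by <receiving host>" as most MTAs write it
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def received_chain(raw):
    """Return the Received hops in delivery order (hop 0 = where the mail entered)."""
    msg = email.message_from_string(raw)
    hops = []
    # Each MTA prepends its own Received line, so the header order is newest-first.
    for header in reversed(msg.get_all("Received", [])):
        match = HOP_RE.search(header)
        if match:
            hops.append({"helo": match["helo"], "ip": match["ip"], "by": match["by"]})
    return hops


def from_domain(raw):
    """Domain of the (spoofable) From: header, lower-cased."""
    msg = email.message_from_string(raw)
    _, address = parseaddr(msg.get("From", ""))
    return address.rpartition("@")[2].lower()


def spoof_indicators(raw):
    """Heuristics saying 'the From: line and the delivery path disagree'."""
    hops = received_chain(raw)
    domain = from_domain(raw)
    if not hops:
        return ["no parseable Received headers; cannot trace the delivery path"]
    findings = []
    entry = hops[0]
    names = [h["helo"].lower() for h in hops] + [h["by"].lower() for h in hops]
    if domain and not any(domain in n for n in names):
        findings.append(
            f"From: domain {domain} never appears in the delivery path; "
            f"message entered at {entry['helo']} ({entry['ip']}) via {entry['by']}"
        )
    if "." not in entry["helo"]:
        findings.append(
            f"first hop announced a bare machine name {entry['helo']!r}, typical of "
            "an infected desktop sending through its ISP relay"
        )
    return findings


if __name__ == "__main__":
    for hop in received_chain(RAW_MESSAGE):
        print(f"{hop['helo']:<20} {hop['ip']:<16} -> {hop['by']}")
    for finding in spoof_indicators(RAW_MESSAGE):
        print("!", finding)
```

Run against the sample it reports that hotmail.com appears nowhere in the path and that the mail entered from a bare Windows machine name via an ISP relay, which is exactly the pattern in the two headers posted below. The only line an attacker cannot rewrite is the Received: line added by your own server, so trust the chain from the top down only as far as servers you know.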

John Lindsey
13th May 2002, 21:16
Here is an example. It was an e-mail that looks as if it came from Robert Rousselot, but of course he did not send it; the virus did:

Received: from rwcrmhc53.attbi.com ([204.127.198.39]) by MERCURY.dslworld.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55)
id K19C3GKK; Sat, 4 May 2002 21:56:12 -0500
Received: from Uwioba ([66.176.248.160]) by rwcrmhc53.attbi.com
(InterMail vM.4.01.03.27 201-229-121-127-20010626) with SMTP
id <20020505025606.MTHA5896.rwcrmhc53.attbi.com@Uwioba>
for <JLindsey@xxxx.com>; Sun, 5 May 2002 02:56:06 +0000
From: robertrousselot <robertrousselot@hotmail.com>
To: JLindsey@xxxx.com
Subject: A special good tool
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=VjJ5SE6RV04R42F894569WVZr5w
Message-Id: <20020505025606.MTHA5896.rwcrmhc53.attbi.com@Uwioba>
Date: Sun, 5 May 2002 02:56:13 +0000

--VjJ5SE6RV04R42F894569WVZr5w
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

--VjJ5SE6RV04R42F894569WVZr5w
Content-Type: application/octet-stream;
name=face.exe
Content-Transfer-Encoding: base64
Content-ID: <W36p04O75>

--VjJ5SE6RV04R42F894569WVZr5w
--VjJ5SE6RV04R42F894569WVZr5w
Content-Type: application/octet-stream;
name=goju-kai1[1].htm
Content-Transfer-Encoding: base64
Content-ID: <W36p04O75>

--VjJ5SE6RV04R42F894569WVZr5w--

John Lindsey
13th May 2002, 21:19
Here is another one I got in early May that shows the "Japanese lass' sexy pictures" title.


Received: from rwcrmhc53.attbi.com ([204.127.198.39]) by MERCURY.dslworld.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55)
id K19C3KLH; Thu, 9 May 2002 21:35:38 -0500
Received: from Dape ([66.176.248.160]) by rwcrmhc53.attbi.com
(InterMail vM.4.01.03.27 201-229-121-127-20010626) with SMTP
id <20020510023535.LFXS22408.rwcrmhc53.attbi.com@Dape>
for <JLindsey@xxxxx.com>; Fri, 10 May 2002 02:35:35 +0000
From: yachtmd <yachtmd@yahoo.com>
To: JLindsey@xxxx.com
Subject: Japanese lass' sexy pictures
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=Q51Gkh9r0zC3396F5w1980XY59gcq41zfK8c
Message-Id: <20020510023535.LFXS22408.rwcrmhc53.attbi.com@Dape>
Date: Fri, 10 May 2002 02:35:40 +0000

--Q51Gkh9r0zC3396F5w1980XY59gcq41zfK8c
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

--Q51Gkh9r0zC3396F5w1980XY59gcq41zfK8c
Content-Type: audio/x-wav;
name=goju-kai1[1].bat
Content-Transfer-Encoding: base64
Content-ID: <H311Ao62089f367ci>

--Q51Gkh9r0zC3396F5w1980XY59gcq41zfK8c
--Q51Gkh9r0zC3396F5w1980XY59gcq41zfK8c
Content-Type: application/octet-stream;
name=goju-kai1[1].htm
Content-Transfer-Encoding: base64
Content-ID: <H311Ao62089f367ci>

--Q51Gkh9r0zC3396F5w1980XY59gcq41zfK8c--
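The second header above is the interesting one: a part labelled audio/x-wav whose name ends in .bat, all wrapped in multipart/alternative, which is the mismatch the IE MIME bug mentioned in the first post turns into automatic execution. Added example (mine, not from the thread) that walks a MIME message and flags exactly those inconsistencies; the sample is constructed to mirror the structure posted above, with made-up boundary, Content-IDs and part bodies.

```python
import email
import os

# Constructed sample modelled on the multipart structure posted in this thread:
# a multipart/alternative wrapper, an empty HTML part, a .bat file labelled as
# audio, and a second octet-stream part. Boundary, Content-IDs and bodies are made up.
RAW_MESSAGE = """\
From: yachtmd <yachtmd@yahoo.com>
To: victim@victim.example
Subject: Japanese lass' sexy pictures
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="constructed-boundary-01"

--constructed-boundary-01
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

--constructed-boundary-01
Content-Type: audio/x-wav;
    name="goju-kai1[1].bat"
Content-Transfer-Encoding: base64
Content-ID: <constructed-part-2>

Q29uc3RydWN0ZWQ=
--constructed-boundary-01
Content-Type: application/octet-stream;
    name="goju-kai1[1].htm"
Content-Transfer-Encoding: base64
Content-ID: <constructed-part-3>

Q29uc3RydWN0ZWQ=
--constructed-boundary-01--
"""

# Extensions Windows runs directly; .exe and .bat are the two seen in this thread.
EXECUTABLE_EXTENSIONS = {".exe", ".bat", ".com", ".pif", ".scr"}
# Declared types a mail client may auto-open as "harmless" content without asking.
MEDIA_PREFIXES = ("audio/", "image/", "video/", "text/")


def attachments(raw):
    """(filename, declared content type) for every named non-container part."""
    msg = email.message_from_string(raw)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()  # falls back to the Content-Type name= parameter
        if name:
            found.append((name, part.get_content_type()))
    return found


def attachment_findings(raw):
    """Inconsistencies between what the MIME headers claim and what the part is."""
    msg = email.message_from_string(raw)
    wrapper = msg.get_content_type()
    findings = []
    for name, ctype in attachments(raw):
        ext = os.path.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment {name!r} declared as {ctype}")
            if ctype.startswith(MEDIA_PREFIXES):
                findings.append(f"declared type {ctype} disagrees with extension {ext}")
        # multipart/alternative is for renderings of the same text, not for files
        if wrapper == "multipart/alternative":
            findings.append(f"attachment {name!r} carried inside multipart/alternative")
    return findings


if __name__ == "__main__":
    for name, ctype in attachments(RAW_MESSAGE):
        print(f"{name:<24} {ctype}")
    for finding in attachment_findings(RAW_MESSAGE):
        print("!", finding)
```

A gateway rule that rejects any part whose filename has an executable extension, whatever Content-Type says, is the simple mitigation; the patched IE referenced in the first post closes the auto-execute side of it.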