Erwin Hoffmann (*nix forums addict)
Joined: 24 Jan 2005
Posts: 71
Posted: Thu Jan 27, 2005 8:50 pm
Post subject: [FYI] Virus from qmail@list.cr.yp.to (faked)
Hi,
it seems that some guys use a faked SMTP Return-Path address
"qmail@list.cr.yp.to" to spread viruses.
Here's the first piece of the message:
Received: (qmail 24802 invoked from network); 27 Jan 2005 11:41:16 -0000
Received: from rasbtnlchn074.184.145.203.touchtelindia.net (HELO
gateway.com) (203.145.184.74)
by hamburg134 with SMTP; 27 Jan 2005 11:41:16 -0000
Date: Thu, 27 Jan 2005 17:15:10 -0800
To: "Feh" <feh@fehcom.de>
From: "Qmail" <qmail@list.cr.yp.to>
Subject: Delivery by mail
Message-ID: <ukkbecsopsvkenswhxc@fehcom.de>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------shhqdgmwmkxslifehsla"
----------shhqdgmwmkxslifehsla
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit
<html><body>
Before use read the help
<br>
</body></html>
----------shhqdgmwmkxslifehsla
Content-Type: application/octet-stream; name="upd02.com"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="upd02.com"
TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAAAAC0TM0hAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAQAAAAFBFAABMAQUAAAAAAAAAAAAAAAAA4AAPAQsBAAAAOgAAAEoAAAAAAAAAoAAA
ABAAAABQAAAAAEAAABAAAAACAAAEAAAAAAAAAAQAAAAAAAAAnPMAAAACAAAAAAAAAgAAAAAA
Clamscan (0.72) doesn't detect it!
SPAMCONTROL users should add:
badmimetypes: TVoAAAEAA
badloadertypes: MyLkR
The badmimetypes should also work for Russel's patch.
Users of qmvc are safe (by design) if they use the badmimetype and/or
badloadertype mechanism.
regards.
--eh.
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/
Wiener Weg 8, 50858 Cologne | T: +49 221 484 4923 | F: ...24 |
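
Why a nine-character entry such as the one in the post works as a signature, shown as an added example (not part of the original post and not SPAMCONTROL's own code): the check matches the start of each base64 MIME part against the listed prefix, then decodes the prefix to show the executable header bytes it pins. The names `scan` and `decoded_magic` are illustrative, and treating the entry as a prefix of the encoded attachment body is an assumption based on the quoted message.

```python
import base64
from email import message_from_string

# Prefix quoted in the post; a real deployment reads it from its control file.
BAD_PREFIXES = ("TVoAAAEAA",)

# Constructed sample: MIME structure and first attachment line from the quoted
# message, plus a closing boundary so it parses as a complete message.
SAMPLE = (
    'Subject: Delivery by mail\n'
    'MIME-Version: 1.0\n'
    'Content-Type: multipart/mixed;\n'
    ' boundary="--------shhqdgmwmkxslifehsla"\n'
    '\n'
    '----------shhqdgmwmkxslifehsla\n'
    'Content-Type: text/html; charset="us-ascii"\n'
    'Content-Transfer-Encoding: 7bit\n'
    '\n'
    '<html><body>Before use read the help<br></body></html>\n'
    '----------shhqdgmwmkxslifehsla\n'
    'Content-Type: application/octet-stream; name="upd02.com"\n'
    'Content-Transfer-Encoding: base64\n'
    'Content-Disposition: attachment; filename="upd02.com"\n'
    '\n'
    'TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAAAAC0TM0hAAAAAAAAAAAAAAAAAAAAAAAA\n'
    '----------shhqdgmwmkxslifehsla--\n'
)

def scan(raw, prefixes=BAD_PREFIXES):
    """Return (filename, prefix) for each base64 part starting with a listed prefix."""
    hits = []
    for part in message_from_string(raw).walk():
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if part.is_multipart() or cte != "base64":
            continue
        # Compare the encoded text itself, ignoring line breaks and stray spaces.
        encoded = "".join(part.get_payload().split())
        hits += [(part.get_filename(), p) for p in prefixes if encoded.startswith(p)]
    return hits

def decoded_magic(prefix):
    """Decode the whole 4-character groups of a prefix to show the bytes it pins."""
    return base64.b64decode(prefix[: len(prefix) // 4 * 4])

if __name__ == "__main__":
    print(scan(SAMPLE))                # flagged attachment and the matching prefix
    print(decoded_magic("TVoAAAEAA"))  # leading bytes start with the DOS "MZ" magic
```

Because the match is on the encoded text, it needs no decoding of the attachment and is independent of the file name or declared content type.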
Jason Frisvold (*nix forums beginner)
Joined: 27 Jan 2005
Posts: 44
Posted: Thu Jan 27, 2005 8:50 pm
Post subject: Re: [FYI] Virus from qmail@list.cr.yp.to (faked)
On Thu, 27 Jan 2005 21:50:04 +0000, Erwin Hoffmann <feh@fehcom.de> wrote:
> Clamscan (0.72) doesn't detect it !
0.72 is very old.. Have you tried 0.80?
> regards.
> --eh.
> Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/
> Wiener Weg 8, 50858 Cologne | T: +49 221 484 4923 | F: ...24
--
Jason 'XenoPhage' Frisvold
XenoPhage0@gmail.com
Niek (*nix forums addict)
Joined: 23 Jan 2005
Posts: 92
Posted: Thu Jan 27, 2005 8:50 pm
Post subject: Re: [FYI] Virus from qmail@list.cr.yp.to (faked)
On 1/27/2005 9:57 PM +0100, Jason Frisvold wrote:
> On Thu, 27 Jan 2005 21:50:04 +0000, Erwin Hoffmann <feh@fehcom.de> wrote:
>> Clamscan (0.72) doesn't detect it !
> 0.72 is very old.. Have you tried 0.80?
0.80 is very old, have you tried 0.81 (released 24h ago)
@Erwin: Worms gather email addresses (which are used for the From: and
To: field) from the infected machine.
Niek
--
Use plain text: http://www.geoapps.com/nomime.shtml
Learn to quote: http://www.netmeister.org/news/learn2quote2.html
Avoid disclaimers: http://www.goldmark.org/jeff/stupid-disclaimers