Virus.Org IT Security News and Information Portal. We offer the latest IT security news, updates, product reviews, books, and articles for all you IT security professionals out there. Enter and get the best IT security information on the Internet.

 
. Welcome to the Virus.Org Mailing List Archive  
.
.


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


Re: properties in e-mail from sexyfun
.

  • To: [EMAIL PROTECTED]
  • Subject: Re: properties in e-mail from sexyfun
  • From: Digital Overdrive <[EMAIL PROTECTED]>
  • Date: Sat, 13 Jan 2001 20:34:33 +0100
  • In-reply-to: <[EMAIL PROTECTED]>
.
 
Hello Kelly Reid and group,

Kelly Reid wrote:
>
> Following is the properties from the email from sexyfun.  I'm interested
> in knowing who this came from so that they can get their machine scanned.
>
> Any help would be appreciated
> [snap]

A few days ago I send an abuse message to [EMAIL PROTECTED]
Apperently they have made a page because of the virus.

"We have setup a web site ( http://www.sexyfun.net/ ) that
contains information about this SPAM / Virus with helpful
links to other sites."

=----------=
	Mail I got back, including headers
=----------=

Message-ID: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
        id 14Fzpd-00031G-00
        for [EMAIL PROTECTED]; Tue, 09 Jan 2001 14:33:01 +0000
Received: from localhost ([EMAIL PROTECTED])
        by nullspace.neonova.net (8.9.3/8.9.3) with ESMTP id JAA28169
        for <[EMAIL PROTECTED]>; Tue, 9 Jan 2001 09:46:19 -0500
Date: Tue, 9 Jan 2001 09:46:19 -0500 (EST)
From: Gary Moe <[EMAIL PROTECTED]>
To: Digital Overdrive <[EMAIL PROTECTED]>
Subject: Re: Spam Report (Virus)
In-Reply-To: <[EMAIL PROTECTED]>
Message-ID:
<[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Mozilla-Status: 8011
X-Mozilla-Status2: 00000000
X-UIDL: 7b2b37c6a22aca0de657edafc855b67e

Overdrive,

Here is a copy of a form letter we have been using to inform people
about
this email / SPAM / Virus that everyone is getting. If you have any
other
questions about this after you read and visit the URLs in the form
letter please feel free to write me back.. Thanks..

======= Start of form letter =======

==== THIS IS NOT A MAILING LIST OR A REAL USER THAT SENT ====
==== THE SPAM THAT CLAIMS TO BE FROM: [EMAIL PROTECTED] ====
/ faked From: fields.

http://www.f-secure.com/v-descs/hybris.shtml

   The person who is responsible for this SPAM / Virus
spoofed the email address at the sexyfun.net domain. The
owner of the sexyfun.net domain is NOT affiliated with
this person, this also go for slowmoe.com which is hosting
web site that contains information about the SPAM / Virus
as well as neonova.net whos DNS server host the domain
sexyfun.net.

   Once again sexyfun.net, slowmoe.com and neonova.net are
NOT affiliated to the SPAM / Virus that contains the email
address of [EMAIL PROTECTED] (This is a spoofed email header).
sexyfun.net, slowmoe.com and neonova.net ARE providing
information about this SPAM / Virus in the from of a web site
found at http://www.sexyfun.net/ to help people that are
running into it.

========= End of form letter =========

-Gary
=====
NeoNova Network Services
Network / System Operations
[EMAIL PROTECTED]


On Tue, 9 Jan 2001, Digital Overdrive wrote:

> Dear abusedesks,
>
> Please contact this person whois abusing your
> Internet services by spamming and sending virii (dwarf4you.exe)
>
> Special note for [EMAIL PROTECTED] :

[snapt a telnetsession]

> (where is [EMAIL PROTECTED] ?)
>
> I have included the /complete/ messagesource which means the attachment
> too.
> ** Be carefull !! This is a virus !! **

[I didn't send the whole source]
[just a small part of it]

> =----------=
> Message source
> =----------=
>
> X-POP3-Rcpt: [EMAIL PROTECTED]
> Return-path: <>
> Envelope-to: [EMAIL PROTECTED]
> Delivery-date: Tue, 09 Jan 2001 09:52:59 +0000
> Received: from [203.25.70.148] (helo=charlton)
>         by bravo.whitburn.xcalibre.co.uk with smtp (Exim 3.15 #1)
>         id 14FvSS-0000Yh-00
>         for [EMAIL PROTECTED]; Tue, 09 Jan 2001 09:52:49 +0000
> From: Hahaha <[EMAIL PROTECTED]>
> Subject: Snowhite and the Seven Dwarfs - The REAL story!
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="--VEW5E3KDIRK5I7CPEVO5A745QRWH2RCPMBCL"
> Message-Id: <[EMAIL PROTECTED]>
> Bcc:
> Date: Tue, 09 Jan 2001 09:52:49 +0000
> X-Mozilla-Status: 8001
> X-Mozilla-Status2: 00000000
> X-UIDL: cb4dcd83d7b79bbd07a39fe4f0e3cd5a
>
> ----VEW5E3KDIRK5I7CPEVO5A745QRWH2RCPMBCL
> Content-Type: text/plain; charset="us-ascii"
>
> Today, Snowhite was turning 18. The 7 Dwarfs always where very educated
> and
> polite with Snowhite. When they go out work at mornign, they promissed a
> *huge* surprise. Snowhite was anxious. Suddlently, the door open, and
> the Seven
> Dwarfs enter...
>
>
> ----VEW5E3KDIRK5I7CPEVO5A745QRWH2RCPMBCL
> Content-Type: application/octet-stream; name="dwarf4you.exe"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="dwarf4you.exe"

[snapt some attachment-source]

> I hope proper actions agains this person will be taken and please
> keep me posted about it.
>
> More information about this virus :
> http://vil.mcafee.com/dispVirus.asp?virus_k=98873&;
>
> Kind regards,
>
> J. Reilink
> [EMAIL PROTECTED] / [EMAIL PROTECTED]

=----------=
	End of message
=----------=

McAfee link for information :
http://vil.mcafee.com/dispVirus.asp?virus_k=98873&;

Hope this informs you enough.

Regards,

Jan (Digital Overdrive)

--
 .~.   Dutch Security Information Network : http://www.dsinet.org
 /V\   news:alt.hack.nl FAQ : http://www.dsinet.org/hackfaq
/( )\  [EMAIL PROTECTED] / [EMAIL PROTECTED]
^^-^^                      "Microsoft: We make virii work!"
 
.
.
 
Copyright (c) Virus.Org 1997-2006.
All Trademarks Acknowledged.
Please view our Terms and Conditions and our Privacy Policy.