Discussion:
E-mail Spoofing on yahoogroups
Archis Gore
2006-01-25 11:38:30 UTC
Dear BLUGies,

I just had 4 mails bounce off of bcslug that I
never sent saying that it does not allow attachments.
A bunch of jpegs seem to be attached to them. Does
anyone know how we might counter this issue? If anyone
notices such behaviour, can they just announce on the
list? Just so we know how far it's spread. We all know
Sriram's had been spoofed. Anyone else out there?
Moreover, the subjects of the threads of my previous
post were maintained to make it look legitimate.

Yours sincerely,
Archis





Yahoo! Groups Links

<*> To visit your group on the web, go to:
http://groups.yahoo.com/group/bcslug/

<*> To unsubscribe from this group, send an email to:
bcslug-***@yahoogroups.com

<*> Your use of Yahoo! Groups is subject to:
http://docs.yahoo.com/info/terms/
tejash shah
2006-01-27 06:27:10 UTC
Hi

This is done by a virus. I am sending a description of the virus; please refer to
that...


F-Secure Virus Information Pages : VB.bi

Name: VB.bi
Alias: Email-Worm.Win32.Nyxem.e, ***@mm, W32/Nyxem-D, Email-Worm.Win32.VB.bi, Blackmail, WORM_GREW.A
Category: Virus
Platform: Win32

Summary

Email-Worm.Win32.VB.bi is a mass-mailing worm that also tries to spread
using remote shares. It also tries to disable security-related software.

Detailed Description

Installation to system

Email-Worm.Win32.VB.bi is written in Visual Basic and compiled as p-code.
The size of the main executable is about 95 kilobytes. When executed, it
first copies itself to several locations:

%Windows%\rundll16.exe
%System%\scanregw.exe
%System%\Update.exe
%System%\Winzip.exe

where '%Windows%' represents the Windows folder. On Windows XP systems
it is usually C:\WINDOWS. '%System%' is the system32 folder.

The worm installs the following registry key for ensuring it will be started
on system startup:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry" = "%System%\scanregw.exe"

Spreading in e-mails

The worm collects e-mail addresses from files with the following extensions:

.HTM
.DBX
.EML
.MSG
.OFT
.NWS
.VCF
.MBX
.IMH
.TXT
.MSF

and from files with the following strings in their name:

CONTENT
TEMPORARY

The worm sends itself as attachment in the infected e-mail.

The e-mail subject is one of the following:

The Best Videoclip Ever
School girl fantasies gone bad
A Great Video
F* Kama Sutra pics
Arab sex DSC-00465.jpg
give me a kiss
*Hot Movie*
Fw: Funny :)
Fwd: Photo
Fwd: image.jpg
Fw: Sexy
Re:
Fw:
Part 1 of 6 Video clipe
You Must View This Videoclip!
Miss Lebanon 2006
Re: Sex Video
My photos

The message body may be one of the following:

Note: forwarded message attached.
Hot XXX Yahoo Groups
F* Kama Sutra pics
ready to be F*CKED ;)
Note: forwarded message attached.
forwarded message attached.
VIDEOS! FREE! (US$ 0,00)
i attached the details. Thank you.
forwarded message
----- forwarded message -----
i just any one see my photos. It's Free :)

The worm can attach itself as an executable file. It uses one of the following
names for the attachment:

007.pif
School.pif
04.pif
photo.pif
DSC-00465.Pif
image04.pif
677.pif
New_Document_file.pif
eBook.PIF
document.pif
DSC-00465.pIf

Sometimes the worm MIME-encodes the file. In these cases the attachment name
can be one of the following:

Attachments[001].B64
3.92315089702606E02.UUE
SeX.mim
Original Message.B64
WinZip.BHX
eBook.Uu
Word_Document.hqx
Word_Document.uu

The filename inside the MIME encoding is one of the following (a run of
spaces separates the visible name from the real .sCR extension):

Attachments[001].B64 [spaces] .sCR
3.92315089702606E02.UUE [spaces] .sCR
SeX,zip [spaces] .sCR
WinZip.zip [spaces] .sCR
ATT01.zip [spaces] .sCR
WinZip.zip [spaces] .sCR
Word.zip [spaces] .sCR
Word XP.zip [spaces] .sCR

Spreading in shared folders

The worm searches for remote shared folders and tries to copy itself using
one of the following filenames:

\Admin$\WINZIP_TMP.exe
\c$\WINZIP_TMP.exe
\c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe

Other details

The worm attempts to disable several security-related programs.


Write-up: Jarkko Turkulainen

Technical Details: Jarkko Turkulainen, January 18, 2006

Description Updated: Alexey Podrezov, January 26, 2006

F-Secure Corporation

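A defender-side check for the attachment naming tricks listed in the write-up above (the padded "[spaces] .sCR" names, the .pif/.scr payloads and the uu/base64/BinHex containers), written as an added example that is not part of this thread or of F-Secure's write-up; the sample message, the addresses and the function names are constructed for illustration:

```python
import email
import re

# Indicators taken from the VB.bi / Nyxem.e write-up quoted above.
EXEC_EXTS = {".pif", ".scr", ".exe"}
ENCODED_CONTAINERS = {".b64", ".uue", ".mim", ".bhx", ".uu", ".hqx"}
# "Word.zip [spaces] .sCR": benign-looking name, run of spaces, then the real extension.
PADDED_EXT = re.compile(r"^(?P<shown>\S.*?\.\w+)\s{2,}(?P<real>\.\w+)$")

def suspicious_filename(name):
    """Return a reason if the attachment name matches one of the worm's naming
    tricks, else None. Case-insensitive, since the worm varied case (.Pif, .sCR)."""
    if not name:
        return None
    m = PADDED_EXT.match(name)
    if m and m.group("real").lower() in EXEC_EXTS:
        return "executable extension hidden behind padding spaces"
    ext = ("." + name.rsplit(".", 1)[-1]).lower() if "." in name else ""
    if ext in EXEC_EXTS:
        return "executable attachment"
    if ext in ENCODED_CONTAINERS:
        return "uu/base64/BinHex container (inspect the decoded name)"
    return None

def flag_attachments(raw):
    """Parse a raw RFC 822 message and return [(filename, reason)] for every
    attachment whose name matches. The stdlib default (compat32) parser keeps
    the internal spaces of a quoted filename, which this check relies on."""
    msg = email.message_from_bytes(raw)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container parts carry no filename of their own
        name = part.get_filename()
        reason = suspicious_filename(name)
        if reason:
            hits.append((name, reason))
    return hits

# Constructed sample, not a real capture: subject and body are strings from
# the write-up; the attachment name uses the padding trick.
SAMPLE = (
    b"From: spoofed@example.com\r\nTo: list@example.org\r\n"
    b"Subject: Fwd: image.jpg\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nforwarded message attached.\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="Word.zip                .sCR"\r\n\r\n'
    b"MZ...\r\n--b1--\r\n"
)
```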
