This email was received today

Discussion in 'Spyware' started by ~BD~, May 10, 2011.

  1. ~BD~ Guest

    You will see in the message info. below that this email was addressed as
    shown:

    To: <>

    How can it have arrived in *my* inbox (I'm BoaterDave at hotmail.co.uk)

    Responses will be appreciated! :)

    Dave


    X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtTQ0w9NA==

    X-Message-Status: n

    X-SID-PRA: Consult Group <>

    X-AUTH-Result: NONE

    X-Message-Info:
    0Lct38uk7fNgtofsjpqeOfgZ9Fh36wMjo1pYR2Ses/6enIJtG/uHICHSXn2TuQawEuQM+7daFjHjDiYjW6YtXhnS476yUsP/rCLfmZGVMb7q4BAibjyKlA==

    Received: from mailex.mailcore.me ([94.136.40.61]) by
    col0-mc4-f20.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);

    Tue, 10 May 2011 00:43:59 -0700

    Received: from noc.maximuma.net ([91.196.148.8])

    by mail10.atlas.pipex.net with esmtpa (Exim 4.71)

    (envelope-from <>)

    id 1QJhbq-0005w9-GL; Tue, 10 May 2011 08:43:58 +0100

    Received: from [91.196.148.8] by noc.maximuma.net id YTMGv1wyVvdf with
    SMTP; Tue, 10 May 2011 10:43:57 +0300

    Date: Tue, 10 May 2011 10:43:57 +0300

    From: "Consult Group" <>

    X-Mailer: The Bat! (v4.8.76.3) Educational

    X-Priority: 3 (Normal)

    Message-ID: <>

    To: <>

    Subject: Your order reference is 37852

    MIME-Version: 1.0

    Content-Type: text/plain;

    charset="windows-1252"

    Content-Transfer-Encoding: 8bit

    X-Mailcore-Auth: 8588484

    X-Mailcore-Domain: 931887

    Return-Path:

    X-OriginalArrivalTime: 10 May 2011 07:44:00.0315 (UTC)
    FILETIME=[069D70B0:01CC0EE6]

    Dear, Customer

    Thank you for the order,

    id: 54850152.

    Your credit card will be charged for 734 dollars.

    Information about the order and delivery located at:

    http://radiolunaser.com/order2/Order.zip?to_client:

    ____________________________

    Best regards, ticket service.

    Tel./Fax.: (882) 701 46 502
     
    ~BD~, May 10, 2011
    #1

  2. Mike Easter Guest

    Short version:

    What the mail recipient sees in the To: field is only what the sender
    constructed/configured to populate the To: field. A great many other
    recipients can receive the same mail.

    Another version:

    If you (yourself with your mail agent) construct a mail to send to a
    great many recipients, it is not necessary (nor wise nor polite) to put
    all of your recipients into the To: field. Instead you can put all of
    them into the BCC field. Or you can put one of them into the To: field
    and then all of the recipients you included in the BCC field will get a
    mail showing that person's To:

    Another version:

    For some discussions, it is useful to consider the concept of what some
    call the 'smtp envelope' which is a series of transactions between the
    sender and the smtp server. Those elements consist of HELO, MAIL FROM,
    RCPT TO, and DATA. The information concerning who is to receive the mail
    is in the RCPT TO part. The information about the structure of the mail
    such as subject and from and to and cc is contained in the DATA section.
     
    Mike Easter, May 10, 2011
    #2
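    The envelope/DATA distinction Mike describes, shown as an added Python example (not code from the thread): a toy SMTP server records MAIL FROM and RCPT TO from the transaction and stores the DATA section separately, so a message whose To: header is empty still reaches every envelope recipient. The recipient addresses and the HELO hostname are constructed; the headers mirror the ones quoted in the first post.

```python
"""Envelope (RCPT TO) vs. header (To:): why a mail addressed 'To: <>' still arrives."""
from email import message_from_string

# Constructed recipient list; the real spam run was sent to many more addresses.
ENVELOPE_RCPTS = ["boaterdave@example.invalid", "someone-else@example.invalid"]

# The DATA section as the spammer's mail agent built it: an empty To: header,
# exactly as in the headers quoted in the thread (LF line endings for simplicity).
DATA = (
    'From: "Consult Group" <>\n'
    "To: <>\n"
    "Subject: Your order reference is 37852\n"
    "\n"
    "Dear, Customer\n"
)

def client_commands(sender, rcpts, data):
    """Commands the sending agent issues: HELO, MAIL FROM, one RCPT TO per recipient, DATA."""
    cmds = ["HELO noc.example.invalid", f"MAIL FROM:<{sender}>"]   # hostname constructed
    cmds += [f"RCPT TO:<{r}>" for r in rcpts]
    cmds += ["DATA", data + "."]                                    # "." terminates DATA
    return cmds

def smtp_server(commands):
    """Toy receiving server: keeps the envelope apart from the message it queues."""
    envelope = {"mail_from": None, "rcpt_to": []}
    replies, body, in_data = [], None, False
    for cmd in commands:
        if in_data:
            body, in_data = cmd[:-1], False      # strip the terminating "."
            replies.append("250 OK queued")
        elif cmd.startswith("HELO"):
            replies.append("250 Hello")
        elif cmd.startswith("MAIL FROM:"):
            envelope["mail_from"] = cmd[len("MAIL FROM:<"):-1]
            replies.append("250 OK")
        elif cmd.startswith("RCPT TO:"):
            envelope["rcpt_to"].append(cmd[len("RCPT TO:<"):-1])
            replies.append("250 OK")
        elif cmd == "DATA":
            in_data = True
            replies.append("354 End data with <CR><LF>.<CR><LF>")
    return envelope, body, replies

def deliveries(commands):
    """Who really receives the mail (envelope) vs. what their mail reader displays (headers)."""
    envelope, body, _ = smtp_server(commands)
    msg = message_from_string(body)
    return {"delivered_to": envelope["rcpt_to"], "envelope_from": envelope["mail_from"],
            "header_to": msg["To"], "header_from": msg["From"]}
```

    An empty MAIL FROM matches the "(envelope-from <>)" in the quoted Received: line; the delivering server only ever consulted RCPT TO.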

  3. Mike Easter Guest

    The payload is Order.zip.

    This is the result of testing that file at VirusTotal

    http://bit.ly/ir4ZDf+ (previewable)

    The contents are an Order.Doc file which has 5/43 positives

    ClamAV Suspect.DoubleExtension-zippwd-12
    Kaspersky Trojan-Spy.Win32.SpyEyes.hdy
    NOD32 a variant of Win32/Kryptik.NON
    Sophos Mal/BredoZp-B
    VIPRE FraudTool.Win32.AVSoft (v)

    If you were so inclined, you could carefully examine the .doc.
     
    Mike Easter, May 10, 2011
    #3
  4. Please stop feeding the BD troll.

    You are also wrong. The file is NOT a DOC file it is an EXE file.
    Order.Doc_______________________________________________________________________.exe

    Also in the future, please obfuscate malicious URLs and don't use shortened URLs via
    Libya.

    This malware copies itself to;
    C:\Recycle.Bin\Recycle.Bin.exe
    creates;
    C:\Recycle.Bin\config.bin

    It hooks into many running processes.

    It communicates to; csgametome2.com via TCP port 444
    as well as uploading encrypted data via; /~a?brvalg/g?ate.php

    It creates a Mutex of; 2HiH8UlWBE0Me8DueMgM0VQKflf280p
     
    David H. Lipman, May 10, 2011
    #4
  5. ASCII Guest

    Under properties it says the description is;
    [Xcrevq Skybeorm Fdxppy]
    with a file version of [24.97.118.11]
    which resolves to [rrcs-24-97-118-11.nys.biz.rr.com]
    And runs as KKA5C.exe but I don't know yet what it's doing or trying.
     
    ASCII, May 10, 2011
    #5
  6. ~BD~ Guest

    I understand. Thanks, Mike.
    I'll ponder on that info. Thanks again. :)
     
    ~BD~, May 10, 2011
    #6
  7. ~BD~ Guest

    Most interesting!

    As I'm currently aboard my narrowboat, with no back-up facilities, I'll
    not do anything which might put my computer out of action! I'll leave
    you clever folk to play with what I've put forward.

    <aside> I don't like the way Mr Lipman talks down to you Mike. It's
    totally unnecessary and provocative. He should be much more adult IMO.
     
    ~BD~, May 10, 2011
    #7
  8. Mike Easter Guest

    I didn't take it out of the .zip archive. It is a somewhat boring (and
    embarrassing) story about how the file appeared in the gnome archive
    manager that misled me (allowed me to mislead myself) which I will tell
    on myself if anyone wants those details.

    It starts with the gnome File Roller filename display ending in an
    ellipsis, like this 'Order.Doc...' and includes a filetype like this
    'DOS/Windo...' along with the date modified and filesize.

    If I expand the archive manager's field spaces, it not only shows the
    ..exe name but tells me in 'longhand' about the executable filetype:

    DOS/Windows executable
     
    Mike Easter, May 10, 2011
    #8
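    The padded double extension that David points out and that Mike's archive manager truncated to 'Order.Doc...', checked programmatically, as an added Python example (not code from the thread): the archive is built in memory with harmless bytes and a constructed run of 79 underscores, and each member name is tested for an executable extension hidden behind a decoy one.

```python
"""Flag padded double extensions in zip members, the trick behind 'Order.Doc...'."""
import io
import re
import zipfile

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# A decoy extension, then a long run of underscores/spaces, then the real extension:
# a narrow filename column shows only 'Order.Doc' and an ellipsis.
PADDED = re.compile(r"\.([A-Za-z0-9]{2,5})[_ ]{8,}\.([A-Za-z0-9]{2,4})$")

def inspect_member(name):
    """Return the extension Windows would actually run and the reasons it looks suspicious."""
    real_ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    reasons = []
    if real_ext in EXEC_EXTS:
        reasons.append("executable extension")
    m = PADDED.search(name)
    if m:
        reasons.append(f"decoy .{m.group(1)} extension padded before .{m.group(2)}")
    return real_ext, reasons

def scan_zip(blob):
    """Inspect every member of an in-memory zip; returns {member_name: (real_ext, reasons)}."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {info.filename: inspect_member(info.filename) for info in zf.infolist()}

def build_sample():
    """Constructed archive mimicking the thread's Order.zip layout; contents are inert bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Order.Doc" + "_" * 79 + ".exe", b"not a real program")
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()
```

    Only the member names are examined, so the check never extracts or opens the payload.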
  9. Peter Foldes Guest

    David

    Once and for all, stop your stupid and unnecessary trolling and enjoy your boat
    instead of starting crap as you always do for no reason whatsoever.

    --
    Peter
    Please Reply to Newsgroup for the benefit of others
    Requests for assistance by email can not and will not be acknowledged.
    This posting is provided "AS IS" with no warranties, and confers no rights.
    http://www.microsoft.com/protect
     
    Peter Foldes, May 10, 2011
    #9
  10. Peter Foldes Guest



    You friggin bullshitter. You read the write up about this TODAY in the UK version of
    the following below

    http://hijack-this.co.uk/2011/05/new-malware-spam-order-zip/

    Why play this game, BD? You are a real ugly troll who should be gone from these
    groups.

    --
    Peter
    Please Reply to Newsgroup for the benefit of others
    Requests for assistance by email can not and will not be acknowledged.
    This posting is provided "AS IS" with no warranties, and confers no rights.
    http://www.microsoft.com/protect
     
    Peter Foldes, May 10, 2011
    #10
  11. Mike Easter Guest

    There's nothing - textwise - to copy and paste from there. Those are
    screenshot graphics.
     
    Mike Easter, May 10, 2011
    #11
  12. ASCII Guest

    He shows condescension towards anyone not of the chosen.
    During his bris the elders warned him "this is just a reminder, play along,
    or we'll come back for the rest of it" <g>
     
    ASCII, May 10, 2011
    #12
  13. ~BD~ Guest

    I'd like to understand more - please elucidate.
     
    ~BD~, May 10, 2011
    #13
  14. Peter Foldes Guest


    I guess that flew by you Mike. BD will understand the point of that post as will
    others

    --
    Peter
    Please Reply to Newsgroup for the benefit of others
    Requests for assistance by email can not and will not be acknowledged.
    This posting is provided "AS IS" with no warranties, and confers no rights.
    http://www.microsoft.com/protect
     
    Peter Foldes, May 10, 2011
    #14
  15. ~BD~ Guest

    This is no game Peter Foldes.

    I *always* tell the truth. You will swing for your crimes!
     
    ~BD~, May 10, 2011
    #15
  16. Max Wachtel Guest


    the enemy of my friend is my enemy
    the friend of my enemy is my enemy
     
    Max Wachtel, May 10, 2011
    #16

  17. That statement is a lie.

    *NOBODY* "always" tells the truth. NOBODY!
     
    David H. Lipman, May 10, 2011
    #17
  18. Dustin Guest

    Why tell him that? He's a stupid fuckhead, David. Should have suggested
    he try to open it. <G>
     
    Dustin, May 10, 2011
    #18
  19. Dustin Guest

    Oh, Dazzle us with your wannabe researcher skills. Too fucking funny man.
     
    Dustin, May 10, 2011
    #19
  20. ~BD~ Guest

    Are you now "in charge" here, Mr Foldes?

    Please remember that there is no obligation upon you to read my posts!

    I'm having great fun aboard at the moment, btw! :)
     
    ~BD~, May 11, 2011
    #20