Re: attachment; filename="photo1.jpg.pif"

From: Brad Griffin (gryphonnat_private)
Date: Tue Apr 24 2001 - 16:05:12 PDT


    Hi folks
    
    This *is* a worm. Check out viruslist.com for more info:
    http://www.viruslist.com/eng/viruslist.asp?id=4188&key=00001000130000100072
    In the meantime, this is some of the info that gets sent back to the creator/s:
    
    Remote access password and logins
    Local network logins and passwords
    BCSoft NetLaunch, PySoft AutoConnect and CureFtp information (if installed)
    Netscape, TheBat! system parameters (if installed)
    List of FAR ftp servers (if installed)
    FIDO TMail passwords (if installed)
    as well as system configuration and other information about the system
    
    
    
    ----- Original message -----
    From: Portnoy, Gary <gportnoyat_private>
    To: INCIDENTSat_private
    Received: 25/04/01 2:38:39 AM
    Subject: Re: attachment; filename="photo1.jpg.pif"
    
    
      >Here is what the text says, loosely translated:
      >
      >"Hi!
      >I got your email address from a common friend (yours was the first address he
      >thought of).  I just got on the internet for the first time and just got
      >this email address.  I am writing my first email!  My friend told me that if
      >I have any questions, I could ask you.  I am cute and friendly (look at the
      >photo attached).  I'll be waiting for a response from you.  Write me a
      >little info about yourself and what more you want to know about me.  Bye-bye
      >:))))))) "
      >
      >My guess, if the file is not a virus, is that this is some kind of a mail-order
      >bride rig, or an attempt to get you to reveal info about yourself.  Maybe if
      >you carry on some sort of conversation with her, she'd ask you for CC # or
      >something...
      >
      >Later
      >
      >-----Original Message-----
      >From: Dzzie Z [mailto:dzzieat_private]
      >Sent: Tuesday, April 24, 2001 2:39 AM
      >To: INCIDENTSat_private
      >Subject: attachment; filename="photo1.jpg.pif"
      >
      >
      >hey guys
      >
      >today I got this mail and was wondering if anyone else
      >on the lists here has gotten a similar one.
      >
      >I don't have the font installed for the (presumably)
      >russian txt but I find it pretty unlikely that a plain ole
      >spammer would be using tricks like "photo1.jpg.pif"
      >
      >i peeked at the unencoded binary (60k) file, and the headers
      >definitely don't look like any of the other pif files on my
      >system, and they don't quite look like a c++ file either.
      >I dunno. glad for text only mailers though : )
      >
      >anyone else seen this m/o ?
      >
      >contact me off list if you want
      >the mimed file.
      >
      >
      >+OK 87078 octets
      >X-Apparently-To: dzzieat_private via web11102
      >X-Track: 10: 40
      >Received: from mx5.port.ru  (EHLO smtp5.port.ru) (194.67.23.40)
      >  by mta495.mail.yahoo.com with SMTP; 23 Apr 2001 22:11:39 -0700 (PDT)
      >Received: from [212.96.196.64] (helo=smtp.mail.ru)
      >	by smtp5.port.ru with smtp (Exim 3.14 #3)
      >	id 14rv68-000EK9-00
      >	for dzzieat_private; Tue, 24 Apr 2001 09:10:49 +0400
      >Received: from 2-193.dialup.comset.net (2-193.dialup.comset.net
      >[213.172.2.193])
      >	by smtp.mail.ru (8.11.1/8.11.1) with ESMTP
      >From: Света Ковалева <bipwdkrat_private>
      >X-Mailer: The Bat! (v1.42f)
      >X-Priority: 3 (Normal)
      >To: <dzzieat_private>
      >Subject: Привет!!!
      >Mime-Version: 1.0
      >Content-Type: multipart/mixed; boundary="----------6D16C1DFC68B15F"
      >Message-Id: <E14rv68-000EK9-00at_private>
      >Date: Tue, 24 Apr 2001 09:10:49 +0400
      >
      >------------6D16C1DFC68B15F
      >Content-Type: text/plain; charset=koi8-r
      >Content-Transfer-Encoding: 8bit
      >
      >Привет!
      >Твой  адрес мне дал один наш общий друг ( первый адрес , который ему пришел
      >в голову).
      >Я недавно в интернете и только что получила этот почтовый ящик!
      >Так что я первый раз пишу электронное письмо!!!
      >Он сказал что если у меня возникнут вопросы, то я могу спрашивать у тебя...
      >Я довольно симпатичная и общительная.
      >(можешь на фото посмотреть)
      >Жду ответа от тебя!!!
      >Напиши немного себе и то что ты хочешь знать обо мне.
      >Пока! Пока!
      >:)))))))))
      >------------6D16C1DFC68B15F
      >Content-Type: application/octet-stream; name="photo1.jpg.pif"
      >Content-Transfer-Encoding: base64
      >Content-Disposition: attachment; filename="photo1.jpg.pif"
      >
    ----- End of original message -----
    
    -----------------------------------------------------------------------------------------
    This message was sent by
    Visual Mail 2.0(2.009) Copyright © 1997-2001 JPSoft DK
    It's a beta, but it shows great promise
    Check Visual Mail out at http://www.jpsoft.dk
    (This is a modified default sig)
    -----------------------------------------------------------------------------------------
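
Added example, not part of the original thread or any poster's code: a mail-filter check for the naming trick discussed above, where a harmless-looking extension (`.jpg`) is followed by a launchable one (`.pif`) in the `Content-Disposition` filename. The extension lists, function names and the sample message (with a placeholder payload) are constructed for illustration.

```python
import email
from email import policy

# Extensions Windows will launch; .pif is the one seen in this thread.
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd", "vbs", "lnk"}
# Extensions a reader takes for harmless content (assumed list).
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf"}

def classify_filename(name):
    """Return 'double-extension', 'executable' or None for an attachment name."""
    # Windows drops trailing dots/spaces, and padding can hide the real extension.
    parts = [p.strip().lower() for p in name.strip(" .").split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"

def scan_message(raw):
    """Return (filename, declared content type, verdict) for each risky part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()  # Content-Disposition filename, else name=
        verdict = classify_filename(name) if name else None
        if verdict:
            findings.append((name, part.get_content_type(), verdict))
    return findings

# Constructed sample: same MIME layout as the quoted message, placeholder payload.
SAMPLE = (
    b"From: sender@example.invalid\r\n"
    b"To: recipient@example.invalid\r\n"
    b"Mime-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"look at the photo attached\r\n"
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="photo1.jpg.pif"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="photo1.jpg.pif"\r\n'
    b"\r\n"
    b"cGxhY2Vob2xkZXI=\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for finding in scan_message(SAMPLE):
        print(finding)
```

A gateway would typically quarantine on either verdict; the `double-extension` case is the stronger signal because the decoy extension serves no purpose other than misleading the recipient.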
    



    This archive was generated by hypermail 2b30 : Wed Apr 25 2001 - 07:52:00 PDT