Re: Suspect e-mail from bfrazzonat_private

From: BRAD GRIFFIN (b.griffinat_private)
Date: Tue May 08 2001 - 21:31:43 PDT


    Hi Yotam and all
    
    As Ryan alluded to, this shows typical signs of being a Magistr failed
    infection mail-out.
    
    In many cases the Magistr infection routine fails, yet it will still send
    attachments to all in the victims' address books. It will also at times add
    a word or text file to the e-mail and extract some sample text from the
    document to use as subject and body content.
    
    I have also noticed messages without document or text file attachments that
    contain text obviously extracted from a document on the victim system.
    
    One of the more complete descriptions of this virus can be found at:
    
    http://www.viruslist.com/eng/viruslist.asp?id=4170&key=00001000130000100067
    
    However, I cannot explain the image/gif mime type misrepresentation.
    
    Cheers
    
    -----Original Message-----
    From: Yotam Rubin [mailto:yotamat_private]
    Sent: Wednesday, May 09, 2001 6:56 AM
    To: INCIDENTSat_private
    Subject: Suspect e-mail from bfrazzonat_private
    
    
    Gentle people,
    
    	I have recently received a highly dubious e-mail from
    bfrazzonat_private. The subject of the letter was "damaged. For more".
    Attached to the letter was a file named EDCREGC.EXE whose mime type was
    image/gif. Below is the content of the discussed message:
    
    "If you have a Plug-and-Play monitor: Check if the Windows 95 Monitor
    option button is selected and that Plug and Play Monitor (VESA DDC) appears
    immediately under it. If so, the MGA display driver automatically uses the
    correct settings for your monitor. If not, use Windows 95 monitor selection
    to use your monitor's default settings (see "Windows95 monitor selection")."
    
    I have posted the entire message including headers at:
    http://192.117.130.34/Fendor/security/bruno-8-5-2001
    You may find the attached binary at:
    http://192.117.130.34/Fendor/security/EDCREGC.EXE
    
    *snip*
    Enlightenments regarding this letter are highly solicited.
    
    	Best Regards, Yotam Rubin
    
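The mismatch Brad cannot explain (an EDCREGC.EXE attachment declared as image/gif) is exactly the kind of thing a mail gateway can check mechanically. Below is an added example, not from this thread or from any of its participants, that parses a message with Python's standard email library and flags attachments whose declared MIME type disagrees with the filename extension or with the file's leading bytes; the sample message, sender address and payload bytes are constructed for the demo.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading-byte signatures (assumption: a small table is enough for this demo).
MAGIC = {b"MZ": "application/x-dosexec", b"GIF87a": "image/gif", b"GIF89a": "image/gif"}
EXT_TYPES = {".exe": "application/x-dosexec", ".gif": "image/gif"}

def sniff(data):
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None

def check_attachments(raw):
    """Flag attachments whose declared type disagrees with filename or content."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        declared = part.get_content_type()
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        sniffed = sniff(part.get_payload(decode=True) or b"")
        reasons = []
        if ext in EXT_TYPES and EXT_TYPES[ext] != declared:
            reasons.append(f"extension {ext} does not match declared {declared}")
        if sniffed and sniffed != declared:
            reasons.append(f"content looks like {sniffed}, declared {declared}")
        if sniffed == "application/x-dosexec":
            reasons.append("content carries an MZ (Windows executable) header")
        if reasons:
            findings.append({"filename": name, "declared": declared,
                             "sniffed": sniffed, "reasons": reasons})
    return findings

def build_sample():
    """Constructed message modelled on the thread: a part named EDCREGC.EXE
    declared image/gif whose bytes begin with MZ. Sender and payload are
    placeholders, not the real mail; logo.gif is a benign control part."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["Subject"] = "damaged. For more"
    msg.set_content("If you have a Plug-and-Play monitor: ...")
    msg.add_attachment(b"GIF89a" + b"\x00" * 16, maintype="image", subtype="gif", filename="logo.gif")
    msg.add_attachment(b"MZ" + b"\x90" * 64, maintype="image", subtype="gif", filename="EDCREGC.EXE")
    return msg.as_bytes()
```

Running check_attachments(build_sample()) returns one finding, for EDCREGC.EXE, with all three reasons; the genuine GIF part produces none.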



    This archive was generated by hypermail 2b30 : Tue May 08 2001 - 21:44:18 PDT