RE: Help: Weird email received & E-Safe Alert

From: Fernando Cardoso (fernando.cardosoat_private)
Date: Thu Oct 04 2001 - 11:01:39 PDT

    If I have to guess about the mail, I would say it was the Magistr virus. In
    certain circumstances, Magistr mangles the mail it tries to send, making
    this garbage you received. The Subject and body are taken from a random
    document on the infected box. It can be anything, from a Word document to a
    text file, so the theory that it is an RTF file is probably correct.
    
    Cheers
    
    Fernando
    
    --
    Fernando Cardoso - Security Consultant       WhatEverNet Computing, S.A.
    Phone : +351 21 7994200                      Praca de Alvalade, 6 - Piso 6
    Fax   : +351 21 7994242                      1700-036 Lisboa - Portugal
    email : fernando.cardosoat_private     http://www.whatevernet.com/
    
    >
    > 1)
    >
    > We received an email from someone else with only the following in the
    > mail:
    >
    > ##################################################################
    > #######################
    > <snip>
    > Sent: Friday, September 28, 2001 3:04 PM
    > Subject: Be sure to answer.
    >
    > \par }\pard \qj\widctlpar{\*\pn \pnlvlcont\pndec }{\fs24\lang2057
    >
    > \par {\pntext\pard\plain\f1 \'b7\tab}}\pard
    > \qj\fi-283\li283\widctlpar{\*\pn \pnlvlblt\pnf1\pnindent283
    > {\pntxtb \'b7}}{\fs24\lang2057 Create a new file.
    >
    > \par }\pard \qj\widctlpar{\*\pn \pnlvlcont\pndec }{\fs24\lang2057
    >
    > \par The new command \ldblquote Scan Text\rdblquote  has been added to
    > the \ldblquote File\rdblquote
    > menu.
    >
    > \par
    >
    > \par
    >
    > \par }{\b\fs30\lang2057 C. Excel 2000 (Office 2000) and Excel 97 (Office
    > 97)
    >
    > \par }{\fs24\lang2057
    >
    > \par Start Excel.
    >
    > ##################################################################
    > ########################
    >
    > My questions are :
    >
    > - WTF is this ? or What was it supposed to be ?
    > - What does the above code try to do ?
    >
    > I suppose this could've just been an accident, I haven't mailed the
    > sender for his input yet. Just thought I'll add it into the email along
    > with my other question.
    >
    
    



    This archive was generated by hypermail 2b30 : Thu Oct 04 2001 - 11:13:10 PDT
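
A triage check for the kind of body discussed in this thread, added here as an example and not part of the original messages: it flags a mail body that is raw RTF markup and recovers the readable paragraphs from the fragment. The function names are this example's own, the sample is built from the quoted lines above, and `\'hh` escapes are assumed to be Windows-1252.

```python
import re

# RTF control word: backslash, lowercase letters, optional signed number, one optional space.
CONTROL = re.compile(r"\\([a-z]+)(-?\d+)? ?")
HEX_ESC = re.compile(r"\\'([0-9a-fA-F]{2})")      # \'b7 = one byte, Windows-1252 assumed
PAR = re.compile(r"\\par(?![a-z]) ?")             # \par but not \pard
SPECIAL = {"tab": "\t", "ldblquote": '"', "rdblquote": '"'}

# Constructed sample: lines from the quoted mail body above, "> " prefixes removed.
SAMPLE = r"""\par }\pard \qj\widctlpar{\*\pn \pnlvlcont\pndec }{\fs24\lang2057
\par {\pntext\pard\plain\f1 \'b7\tab}}\pard
\qj\fi-283\li283\widctlpar{\*\pn \pnlvlblt\pnf1\pnindent283
{\pntxtb \'b7}}{\fs24\lang2057 Create a new file.
\par }\pard \qj\widctlpar{\*\pn \pnlvlcont\pndec }{\fs24\lang2057
\par The new command \ldblquote Scan Text\rdblquote  has been added to
the \ldblquote File\rdblquote
menu.
\par }{\fs24\lang2057
\par Start Excel.
"""

def looks_like_rtf_fragment(body, threshold=0.2):
    """True when the body contains \\par and enough tokens carry RTF control words."""
    tokens = body.split()
    hits = sum(1 for t in tokens if CONTROL.search(t) or HEX_ESC.search(t))
    return bool(tokens) and PAR.search(body) is not None and hits / len(tokens) >= threshold

def strip_ignorable(body):
    """Drop {\\* ...} destinations (list-numbering data here), tolerating unbalanced braces."""
    out, i, depth = [], 0, 0
    while i < len(body):
        if depth == 0 and body.startswith("{\\*", i):
            depth, i = 1, i + 3
            continue
        if depth:
            depth += {"{": 1, "}": -1}.get(body[i], 0)
        else:
            out.append(body[i])
        i += 1
    return "".join(out)

def rtf_to_text(body):
    """Return the readable paragraphs hidden in an RTF fragment."""
    paragraphs = []
    for chunk in PAR.split(strip_ignorable(body)):
        chunk = HEX_ESC.sub(lambda m: bytes.fromhex(m.group(1)).decode("cp1252", "replace"), chunk)
        chunk = CONTROL.sub(lambda m: SPECIAL.get(m.group(1), ""), chunk)
        chunk = " ".join(chunk.replace("{", " ").replace("}", " ").split())
        if chunk:
            paragraphs.append(chunk)
    return paragraphs
```

On the sample, the recovered text is three ordinary document paragraphs (a bullet, a sentence about a menu command, and "Start Excel."), which is what a slice of formatted document text looks like once the markup is removed.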