
Anyone seeing 21486 byte Attach.zip/password protected/.ex..

 
Don Taylor

External


Since: Oct 06, 2003
Posts: 26



(Msg. 1) Posted: Wed Mar 03, 2004 5:09 pm
Post subject: Anyone seeing 21486 byte Attach.zip/password protected/.exe file?
Archived from groups: alt>comp>virus

Subject: ello! =))

I don't bite, weah!

48028 -- archive password

and a 21486 byte Attach.zip with password that contains gcqlk.exe.

Latest Norton scan sees nothing, googling finds nothing, searching
AV sites turns up nothing.

Spewed from Comcast with forged header claiming it is from
fp0.TakeThisOut@goaway.cc.monash.edu.au, as if that makes any difference.


I ain't gonna execute that, mummy didn't raise the stupid children.

Will Dormann

External


Since: Jun 17, 2004
Posts: 110



(Msg. 2) Posted: Wed Mar 03, 2004 11:13 pm
Post subject: Re: Anyone seeing 21486 byte Attach.zip/password protected/.exe file?
Archived from groups: per prev. post

Don Taylor wrote:

> Subject: ello! =))
>
> I don't bite, weah!
>
> 48028 -- archive password
>
> and a 21486 byte Attach.zip with password that contains gcqlk.exe.
>
> Latest Norton scan sees nothing, googling finds nothing, searching
> AV sites turns up nothing.
>
> Spewed from Comcast with forged header claiming it is from
> fp0.TakeThisOut@goaway.cc.monash.edu.au, as if that makes any difference.
>
>
> I ain't gonna execute that, mummy didn't raise the stupid children.


It's likely Bagle.K


-WD

me

External


Since: Dec 27, 2004
Posts: 198



(Msg. 3) Posted: Thu Mar 04, 2004 12:05 am
Post subject: Re: Anyone seeing 21486 byte Attach.zip/password protected/.exe file?
Imported from groups: per prev. post

Big Will

External


Since: Feb 29, 2004
Posts: 76



(Msg. 4) Posted: Thu Mar 04, 2004 12:05 am
Post subject: Re: Anyone seeing 21486 byte Attach.zip/password protected/.exe file?
Archived from groups: per prev. post

me DeleteThis @tadyatam.invalid wrote:

> Don Taylor wrote:
>
>>Subject: ello! =))
>>
>>I don't bite, weah!
>>
>>48028 -- archive password
>>
>>and a 21486 byte Attach.zip with password that contains gcqlk.exe.
>>
>>Latest Norton scan sees nothing, googling finds nothing, searching
>>AV sites turns up nothing.
>>
>>Spewed from Comcast with forged header claiming it is from
>>fp0@goaway.cc.monash.edu.au, as if that makes any difference.
>>
>>I ain't gonna execute that, mummy didn't raise the stupid children.
>
>
> 'Atta boy! Smile
>
> Discovery date today, 3/3.
>
> It appears to be bagle/beagle, as the other replies note.
> A.k.a. I-Worm.Bagle.j, Beagle.A, Bagle.K, Bagle.Variant.Worm,
> Bagle.gen, ... (more?)
>
> J
Bagle.zz

--
William


If it don't work, hit it
If it still don't work, kick it
If it works after hitting it or kicking it, then it doesn't matter if
that helped, what's important is it worked.
Don Taylor

External


Since: Oct 06, 2003
Posts: 26



(Msg. 5) Posted: Thu Mar 04, 2004 12:05 am
Post subject: Re: Anyone seeing 21486 byte Attach.zip/password protected/.exe file?
Archived from groups: per prev. post

Big Will <SPAMWSPAMiSPAMlSPAMlSPAMBSPAM4SPAMeSPAMvSPAAAAAMeSPAMMITTYrSPAAAAAM DeleteThis @nIeDONTtLIKEzSPAMero.net> writes:
>me@tadyatam.invalid wrote:
>> Don Taylor wrote:
>>>Subject: ello! =))
>>>
>>>I don't bite, weah!
>>>
>>>48028 -- archive password
>>>
>>>and a 21486 byte Attach.zip with password that contains gcqlk.exe.
>>>
>>>Latest Norton scan sees nothing, googling finds nothing, searching
>>>AV sites turns up nothing.
>>>
>>>Spewed from Comcast with forged header claiming it is from
>>>fp0@goaway.cc.monash.edu.au, as if that makes any difference.
>>>
>>>I ain't gonna execute that, mummy didn't raise the stupid children.
>>
>> 'Atta boy! Smile
>> Discovery date today, 3/3.
>>
>> It appears to be bagle/beagle, as the other replies note.
>> A.k.a. I-Worm.Bagle.j, Beagle.A, Bagle.K, Bagle.Variant.Worm,
>> Bagle.gen, ... (more?)
>>
>> J
>Bagle.zz

Went ahead and unzipped it. Once decrypted Norton saw it and killed it.
W32.Beagle.H

So the password/encryption on the zip is going to get these right past
all the virus checkers. Cute. Is this worth reporting? Where?

And the game goes to the next level.

Thanks to everyone for help with the diagnosis
Big Will

External


Since: Feb 29, 2004
Posts: 76



(Msg. 6) Posted: Thu Mar 04, 2004 12:05 am
Post subject: Re: Anyone seeing 21486 byte Attach.zip/password protected/.exe file?
Archived from groups: per prev. post

Don Taylor wrote:

> Big Will <SPAMWSPAMiSPAMlSPAMlSPAMBSPAM4SPAMeSPAMvSPAAAAAMeSPAMMITTYrSPAAAAAM.DeleteThis@nIeDONTtLIKEzSPAMero.net> writes:
>
>>me@tadyatam.invalid wrote:
>>
>>>Don Taylor wrote:
>>>
>>>>Subject: ello! =))
>>>>
>>>>I don't bite, weah!
>>>>
>>>>48028 -- archive password
>>>>
>>>>and a 21486 byte Attach.zip with password that contains gcqlk.exe.
>>>>
>>>>Latest Norton scan sees nothing, googling finds nothing, searching
>>>>AV sites turns up nothing.
>>>>
>>>>Spewed from Comcast with forged header claiming it is from
>>>>fp0@goaway.cc.monash.edu.au, as if that makes any difference.
>>>>
>>>>I ain't gonna execute that, mummy didn't raise the stupid children.
>>>
>>>'Atta boy! Smile
>>>Discovery date today, 3/3.
>>>
>>>It appears to be bagle/beagle, as the other replies note.
>>>A.k.a. I-Worm.Bagle.j, Beagle.A, Bagle.K, Bagle.Variant.Worm,
>>>Bagle.gen, ... (more?)
>>>
>>>J
>>
>>Bagle.zz
>
>
> Went ahead and unzipped it. Once decrypted Norton saw it and killed it.
> W32.Beagle.H
>
> So the password/encryption on the zip is going to get these right past
> all the virus checkers. Cute. Is this worth reporting? Where?
>
> And the game goes to the next level.
>
> Thanks to everyone for help with the diagnosis
The next step would be to then set up filters to have attackments (sorry
Art) that have encrypted archives attached to them to be automatically
deleted.

--
William


If it don't work, hit it
If it still don't work, kick it
If it works after hitting it or kicking it, then it doesn't matter if
that helped, what's important is it worked.
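
The filter suggested in this post depends on recognising an encrypted archive without knowing its password. As an added example (not part of the original thread), the Python below parses a message, inspects every part by content and reports ZIP entries whose general-purpose flag bit 0 (encrypted) is set; the sample message, its addresses and the placeholder `gcqlk.exe` bytes are constructed for the demonstration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

ENCRYPTED = 0x0001  # ZIP general-purpose flag bit 0: entry data is encrypted


def encrypted_members(blob):
    """Names of encrypted entries in a ZIP blob; [] if it is not a readable ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            # Only the central directory is read here, so no password is needed.
            return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED]
    except zipfile.BadZipFile:
        return []


def encrypted_zip_attachments(raw_message):
    """Return {attachment name: [encrypted member names]} for one raw message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        # Decide by content, not by file name or declared MIME type.
        names = encrypted_members(payload)
        if names:
            hits[part.get_filename() or "(unnamed)"] = names
    return hits


def _sample_zip(encrypted):
    """Constructed sample: a stored ZIP whose single entry holds placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("gcqlk.exe", b"placeholder bytes, not a program")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Mark the entry encrypted in the local header (flags at offset 6)
        # and in the central directory header (flags at offset 8).
        data[data.find(b"PK\x03\x04") + 6] |= ENCRYPTED
        data[data.find(b"PK\x01\x02") + 8] |= ENCRYPTED
    return bytes(data)


def sample_message(encrypted):
    """Constructed sample message carrying Attach.zip."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("48028 -- archive password")
    msg.add_attachment(_sample_zip(encrypted), maintype="application",
                       subtype="octet-stream", filename="Attach.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, encrypted_zip_attachments(sample_message(flag)))
```

A mail gateway would act on a non-empty result, for example by quarantining or deleting the message as the post proposes.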
Bass

External


Since: Mar 04, 2004
Posts: 2



(Msg. 7) Posted: Thu Mar 04, 2004 8:55 am
Post subject: Re: Anyone seeing 21486 byte Attach.zip/password protected/.exe file?
Archived from groups: per prev. post

"Don Taylor" <dont.RemoveThis@agora.rdrop.com> wrote in message
news:3N6dncEgkvdd-NvdRVn-vg@scnresearch.com...
> Subject: ello! =))
>
> I don't bite, weah!
>
> 48028 -- archive password
>
> and a 21486 byte Attach.zip with password that contains gcqlk.exe.
>
> Latest Norton scan sees nothing, googling finds nothing, searching
> AV sites turns up nothing.
>
> Spewed from Comcast with forged header claiming it is from
> fp0.RemoveThis@goaway.cc.monash.edu.au, as if that makes any difference.
>
>
> I ain't gonna execute that, mummy didn't raise the stupid children.

For what it's worth, lately I have been receiving a heap of suspicious mail
from all sorts of edu sites such as yours - Monash is one of many. I don't
normally communicate with anyone from any of these places so I have just
been using mailwasher and deleting them at the server.
Big Will

External


Since: Feb 29, 2004
Posts: 76



(Msg. 8) Posted: Thu Mar 04, 2004 8:55 am
Post subject: Re: Anyone seeing 21486 byte Attach.zip/password protected/.exe file?
Archived from groups: per prev. post

Bass wrote:

> "Don Taylor" <dont.TakeThisOut@agora.rdrop.com> wrote in message
> news:3N6dncEgkvdd-NvdRVn-vg@scnresearch.com...
>
>>Subject: ello! =))
>>
>>I don't bite, weah!
>>
>>48028 -- archive password
>>
>>and a 21486 byte Attach.zip with password that contains gcqlk.exe.
>>
>>Latest Norton scan sees nothing, googling finds nothing, searching
>>AV sites turns up nothing.
>>
>>Spewed from Comcast with forged header claiming it is from
>>fp0@goaway.cc.monash.edu.au, as if that makes any difference.
>>
>>
>>I ain't gonna execute that, mummy didn't raise the stupid children.
>
>
> For what it's worth, lately I have been receiving a heap of suspicious mail
> from all sorts of edu sites such as yours - Monash is one of many. I don't
> normally communicate with anyone from any of these places so I have just
> been using mailwasher and deleting them at the server.
>
>
>
>
Did you trace IPs back to these .edu domains, or did you just go by the
from field?

--
William


If it don't work, hit it
If it still don't work, kick it
If it works after hitting it or kicking it, then it doesn't matter if
that helped, what's important is it worked.
Bass

External


Since: Mar 04, 2004
Posts: 2



(Msg. 9) Posted: Thu Mar 04, 2004 10:57 pm
Post subject: Re: Anyone seeing 21486 byte Attach.zip/password protected/.exe file?
Archived from groups: per prev. post

"Big Will"
<SPAMWSPAMiSPAMlSPAMlSPAMBSPAM4SPAMeSPAMvSPAAAAAMeSPAMMITTYrSPAAAAAM@nIeDONT
tLIKEzSPAMero.net> wrote in message news:40467fa7$1@darkstar...
> Bass wrote:
>
> > "Don Taylor" <dont DeleteThis @agora.rdrop.com> wrote in message
> > news:3N6dncEgkvdd-NvdRVn-vg@scnresearch.com...
> >
> >>Subject: ello! =))
> >>
> >>I don't bite, weah!
> >>
> >>48028 -- archive password
> >>
> >>and a 21486 byte Attach.zip with password that contains gcqlk.exe.
> >>
> >>Latest Norton scan sees nothing, googling finds nothing, searching
> >>AV sites turns up nothing.
> >>
> >>Spewed from Comcast with forged header claiming it is from
> >>fp0@goaway.cc.monash.edu.au, as if that makes any difference.
> >>
> >>
> >>I ain't gonna execute that, mummy didn't raise the stupid children.
> >
> >
> > For what it's worth, lately I have been receiving a heap of suspicious mail
> > from all sorts of edu sites such as yours - Monash is one of many. I don't
> > normally communicate with anyone from any of these places so I have just
> > been using mailwasher and deleting them at the server.
> >
> >
> >
> >
> Did you trace IPs back to these .edu domains, or did you just go by the
> from field?
>
> --
> William
>
>
> If it don't work, hit it
> If it still don't work, kick it
> If it works after hitting it or kicking it, then it doesn't matter if
> that helped, what's important is it worked.

Hi William, no I didn't trace back, I just went on the from field, which
I know doesn't mean much in these cases. But strange that they all seem to
come from edu domains. Because these messages aren't from anyone I know and
they look suspicious plus they all carry attachments I just delete em at the
server.
Bass
mat

External


Since: Mar 14, 2004
Posts: 1



(Msg. 10) Posted: Sun Mar 14, 2004 3:24 pm
Post subject: Re: Anyone seeing 21486 byte Attach.zip/password protected/.exe file?
Archived from groups: per prev. post

i just got this too....
how does something like this spread?
are people actually opening zip files and running randomly named exe's??
it's completely insane.
Big Will

External


Since: Feb 29, 2004
Posts: 76



(Msg. 11) Posted: Sun Mar 14, 2004 3:43 pm
Post subject: Re: Anyone seeing 21486 byte Attach.zip/password protected/.exe file?
Archived from groups: per prev. post

mat wrote:

> i just got this too....
> how does something like this spread?
> are people actually opening zip files and running randomly named exe's??
> it's completely insane.
Yup. This is the product of stupid people on the internet.

--
William


If it don't work, hit it
If it still don't work, kick it
If it works after hitting it or kicking it, then it doesn't matter if
that helped, what's important is it worked.
Dave Cohen

External


Since: Mar 14, 2004
Posts: 4



(Msg. 12) Posted: Sun Mar 14, 2004 11:29 pm
Post subject: Re: Anyone seeing 21486 byte Attach.zip/password protected/.exe file?
Archived from groups: per prev. post

Not surprising really, the average computer user is non technical and simply
isn't aware of these issues. At some point in time the provider either
voluntarily or by legislation will do more to control the spread of all
sorts of malware.
"mat" <matpalm.DeleteThis@yahoo.com> wrote in message
news:212fa4a5.0403141524.331890ba@posting.google.com...
> i just got this too....
> how does something like this spread?
> are people actually opening zip files and running randomly named exe's??
> it's completely insane.
FromTheRafters

External


Since: Sep 19, 2003
Posts: 1207



(Msg. 13) Posted: Mon Mar 15, 2004 10:03 am
Post subject: Re: Anyone seeing 21486 byte Attach.zip/password protected/.exe file?
Archived from groups: per prev. post

"mat" <matpalm RemoveThis @yahoo.com> wrote in message news:212fa4a5.0403141524.331890ba@posting.google.com...

> i just got this too....how does something like this spread?

Like wildfire.

> are people actually opening zip files and running randomly named exe's??

Passworded zip files no less.

> it's completely insane.

Not really - completely insane would be to have the e-mail
client do so automatically. I often wondered about the idea
that Eudora was a safer client due to the fact that it required
more steps to be taken before the malware is executed by a
user - it has now been shown that users stop at nothing and
will go to great lengths to execute malware on their systems.
FromTheRafters

External


Since: Sep 19, 2003
Posts: 1207



(Msg. 14) Posted: Mon Mar 15, 2004 10:24 pm
Post subject: Re: Anyone seeing 21486 byte Attach.zip/password protected/.exe file?
Archived from groups: per prev. post

<null.RemoveThis@zilch.com> wrote in message news:tmob50tlh8o8h72stvr5e580f121r2p3uv@4ax.com...
> On Mon, 15 Mar 2004 10:03:53 -0500, "FromTheRafters"
> <!0000@nomad.fake> wrote:
>
> >
> >"mat" <matpalm.RemoveThis@yahoo.com> wrote in message news:212fa4a5.0403141524.331890ba@posting.google.com...
> >
> >> i just got this too....how does something like this spread?
> >
> >Like wildfire.
> >
> >> are people actually opening zip files and running randomly named exe's??
> >
> >Passworded zip files no less.
> >
> >> it's completely insane.
> >
> >Not really - completely insane would be to have the e-mail
> >client do so automatically. I often wondered about the idea
> >that Eudora was a safer client due to the fact that it required
> >more steps to be taken before the malware is executed by a
> >user - it has now been shown that users stop at nothing and
> >will go to great lengths to execute malware on their systems.
>
> The idea is that sane apps are immune from malware no matter what the
> user does while using the app. Sane apps force the user to Save
> attackments, then either minimize the app or Exit from it, and then go
> into Explorer, find the test folder and the file, and double click in
> order to get zapped. In the case of zip attackments there's an
> additional step or two.

If they have decided to run the attachment, what difference does it
make? This is like the Linux zealots saying that viruses won't work
on Linux because you have to set them as executable. Users will
(with the developers' help) find a way to make things easier for
themselves and malware to use their computers.

> So, users with any kind of clue at all concerning the dangers of email
> attackments are protected from inadvertent clicking. That's the idea.

Obviously, inadvertent clicking isn't the problem - it is the purposeful
running of attachments that would be better residing in the bit bucket
that is the problem.

> And those without any clue at all may not even know how to get zapped
> when using a sane email app Smile

Sure, but a really sane e-mail app wouldn't allow any attachments
in the first place - there are already enough ways to transfer files
over the network.

> The problem is convincing the public
> that they would be far better off using sane apps.

Truer words have never been spoken. :O)
FromTheRafters

External


Since: Sep 19, 2003
Posts: 1207



(Msg. 15) Posted: Tue Mar 16, 2004 5:34 pm
Post subject: Re: Anyone seeing 21486 byte Attach.zip/password protected/.exe file?
Archived from groups: per prev. post

<null RemoveThis @zilch.com> wrote in message news:5e0e50pg4uc118e7h6ekon7fr5u2bceai5@4ax.com...
> On Mon, 15 Mar 2004 22:24:27 -0500, "FromTheRafters"
> <!0000@nomad.fake> wrote:

[snip]

> But how are they put them in the bit bucket?

Delete them, pipe them to the null device.

> >> And those without any clue at all may not even know how to get zapped
> >> when using a sane email app Smile
> >
> >Sure, but a really sane e-mail app wouldn't allow any attachments
> >in the first place - there are already enough ways to transfer files
> >over the network.
>
> Oh? You expect that users would put up with apps that don't allow the
> freedom of sending JPG's to their friends via email? I think you're
> dreaming Smile

No, I don't expect that any more than you expect anyone to give
up OE's useful HTML, Scripting, and ActiveX enhancements. ;o)

....but sane would be textual e-mail only by the KISS method.