Re: [Full-Disclosure] weird worm ?

sebastian_at_jawmail.org
Date: 12/31/03

  • Next message: dwr3ck_at_hushmail.com: "[Full-Disclosure] RE: Disabling Cached Logon Credentials"
    To: <full-disclosure@lists.netsys.com>
    Date: Wed, 31 Dec 2003 08:47:46 +0100
    
    

    Yep, you're right. Here is a sample. It actually contains more than just a
    graphic. I wonder what this %RND_IMA is doing in the link...

    Have a happy new year ;)

    Sebastian
    -------------------------------------------------------- SAMPLE

    Received: from ip175.31.1411i-cud12k-01.ish.de (ip175.31.1411I-CUD12K-01.ish.de
    [62.143.31.175])
            by smtpin0.mail.de.uu.net (8.12.10/8.12.10) with SMTP id hBV66x92018454
            for <dietz@dimecs.de>; Wed, 31 Dec 2003 06:07:01 GMT
    Received: from [62.143.31.175] by e-hostzz.netIP with HTTP;
            Wed, 31 Dec 2003 00:00:28 -0600
    From: "Mercer Bobbie" <bkysnuyxsseel@el-nacional.com>
    To: sebastian@jawmail.org
    Subject: Re: GPG, than ten times
    Mime-Version: 1.0
    X-Mailer: mPOP Web-Mail 2.19
    X-Originating-IP: [e-hostzz.netIP]
    Date: Wed, 31 Dec 2003 05:03:28 -0100
    Reply-To: "Mercer Bobbie" <bkysnuyxsseel@el-nacional.com>
    Content-Type: multipart/alternative;
            boundary="--ALT--ZTOU98846311270408"
    Message-Id: <PIKUKTE-0009657754126@bindery>
    X-Spam-Status: No, hits=4.3 required=5.0 tests=BAYES_60,DNS_FROM_RFCI_DSN,
            HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,RCVD_IN_SORBS
            autolearn=no version=2.60
    X-Spam-Level: ****
    X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on
            frisbee

    ----ALT--ZTOU98846311270408
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 8bit

    brisk veterinarian church generic spicebush allegheny cairn inmate pestilent
    tioga
    forbidding nepal baritone acm bahama dibble contemptuous
    capitulate adamson simons ibis

    ----ALT--ZTOU98846311270408
    Content-Type: text/html; charset=us-ascii
    Content-Transfer-Encoding: 8bit

    <HTML><HEAD>
    <BODY>
    <p>Ban</presidential>ned C</saddlebag>D Gov</breakdown>ernment d</darpa>on't
    wan</scrounge>t m</cowlick>e t</emigrant>o s</seafood>ell i</square>t.
    Se</tariff>e N</breastwork>ow +</p>
    <a href="http://www.e-hostzz.net/cd/">
    <img border="0" src="http://www.e-hostzz.net/cd/%RND_IMA"></a>
    jefferson cyrus royce cachalot cramp avery cancellate edith eclipse abominate
    crux offsaddle prefecture bela twinkle forgave insistent needful smoky kittle
    egypt coefficient tipple brahmsian rudimentary <BR>
    pine chatty aliquot biddable avow benson blurb closeup continuous amok agenda
    pulpit bolivar inarticulate chantry sarah coaxial humidistat <BR>
    marseilles scrupulous recital pigeonberry spray jitterbug applejack carlyle
    salem embank plucky <BR>
    elba cryptography eighth directory bilabial otto deactivate sluggish arcane
    daze quaternary honorary dorset ccny veneer extolling crack manley referring
    repugnant bigelow cyclopean <BR>
    greenblatt decollimate commemorate broomcorn shipbuild vessel analogy
    generosity angel uris steam colatitude referendum bull caution whiten starfish
    birthright americium koala latus agee animadversion hesitate investigatory
    regrettable causation olivine <BR>
    conformation testimony embark acrobacy transcription compete aitken utah
    referring melissa cartwheel charles cheerlead croatia cationic larceny acquaint
    gascony marcia moderate individualism riflemen du <BR>
    flute gave hydrostatic denmark book dwarf concocter alfresco arragon
    contraceptive infantry alcoholism hebrew waybill straggle prexy dementia honest
    auberge cant elector aggregate countervail deerskin automobile birthday
    isotropic sahara chang mannerism nob lars allis <BR>
    film starr contention bamako artisan gettysburg fontainebleau retaliatory joel
    candidacy mensuration arcsin boor didn't coddington episode ta robe acquiescent
    grill infernal sterling phase complaisant definitive prince septuagenarian
    <BR>
    atwood disburse tidal lundquist brickbat generic whack leadsman compass
    solenoid alloy sergeant stokes fortiori leadsman brassy capacitate andesite
    sadie carven <BR>
    hospice aides johns argon polyhymnia buchenwald toilet abysmal sims somewhat
    talcum respectful hanford componentry incise airlock downside codeword
    happenstance wake palmetto flashback charon templeton desk <BR>
    summon parakeet pbs radices shuddery clutter fredericks selenite pecuniary
    origin telex ingestible necessity dispensary chlorine typo bullwhack germicide
    pillar travesty floe rain agglutinin irk assimilate chautauqua circumferential
    little <BR>

    </BODY>
    </HTML>

    ----ALT--ZTOU98846311270408--

    --------------------------------------------------------

    > While I agree in general with your comments and interpretation, I'd
    > point out that _many_ of these type of messages I've seen, and as
    > reported by others, do contain a text/html component that usually
    > consists of a short ad message or (mostly what I have seen) a link to a
    > graphic (which is presumably the actual spammed advertisement) _plus_
    > the random word list ("hidden" with text the same colour as the
    > background). A couple of months ago (?), when this tactic was first
    > being reported I only saw the text-only form with no advertising
    > component, but it seems (from an informal sampling of my recent
    > received spam) that such messages with advertising content are more
    > common now.
    >
    >
    > Regards,
    >
    > Nick FitzGerald
     

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
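
The markup tricks visible in the sample above (closing tags with no opener that split the ad text, and the unexpanded `%RND_IMA` token in the image URL) can be flagged mechanically. The Python below is an added example, not part of the original post; the class and function names and the placeholder regex are assumptions, and the input is an excerpt of the sample's HTML part.

```python
import re
from html.parser import HTMLParser
# Excerpt of the HTML part of the sample above (word list truncated).
SAMPLE_HTML = """<HTML><HEAD>
<BODY>
<p>Ban</presidential>ned C</saddlebag>D Gov</breakdown>ernment d</darpa>on't
wan</scrounge>t m</cowlick>e t</emigrant>o s</seafood>ell i</square>t.
Se</tariff>e N</breastwork>ow +</p>
<a href="http://www.e-hostzz.net/cd/">
<img border="0" src="http://www.e-hostzz.net/cd/%RND_IMA"></a>
jefferson cyrus royce cachalot cramp avery <BR>
</BODY>
</HTML>"""

VOID = {"br", "img", "hr", "meta", "link", "input"}
# Assumed pattern: '%' + upper-case token that is not a %XX URL escape.
PLACEHOLDER = re.compile(r"%(?![0-9A-Fa-f]{2})[A-Z_]{3,}")

class SpamMarkupAudit(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.open_tags = []      # elements currently open
        self.stray_closers = []  # end tags that never had a start tag
        self.text = []           # character data, as a renderer would show it
        self.placeholders = []   # unexpanded template tokens in URLs

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            self.open_tags.append(tag)
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.placeholders += PLACEHOLDER.findall(value)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            while self.open_tags.pop() != tag:  # close back to the opener
                pass
        else:
            self.stray_closers.append(tag)      # e.g. </presidential>

    def handle_data(self, data):
        self.text.append(data)

def audit(html):
    p = SpamMarkupAudit()
    p.feed(html)
    p.close()
    visible = " ".join("".join(p.text).split())
    return {"stray_closers": p.stray_closers, "placeholders": p.placeholders, "visible": visible}
```

`audit(SAMPLE_HTML)` reports eleven stray closing tags and the `%RND_IMA` token, and its `visible` field reads "Banned CD Government don't want me to sell it. See Now +", a string that never appears contiguously in the raw source.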

