Re: Is this email a virus? (msg w/ jpeg & encrypted zip archive attachments)

From: Frank Slootweg (this_at_ddress.is.invalid)
Date: 07/22/04


Date: 22 Jul 2004 14:09:20 GMT


  Most likely a virus and most likely W32/Bagle.AA.
  
  See for example the "Virus report" of 20 Jul 2004 on
<http://metro.com.mx/virusreport/report.cfm?>.

  Note: A simple Google search on "garry.zip" (without quotes) gave this
as the *second* hit (of only 23). That wasn't too hard, was it? :-(

  For W32/Bagle.AA aka W32.Beagle.X@mm see
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.x@mm.html
(again a simple search of Symantec's site on "W32/Bagle.AA" (without
quotes)).

  Why don't you scan the file and see if it contains the above mentioned
virus (or any other one for that matter)?

  Please also see http://www.justfuckinggoogleit.com/

Peter Pan <peter_pan@neverland.invalid> wrote:
> I received a strange email from an address I don't recognize. I suspect
> that it is either spam or a virus, but I'm not sure. I hope somebody can
> recognize it and tell me what it is (and how it is supposed to work).
>
> The email is a short HTML message with two MIME attachments:
>
> - an encrypted zip archive named Garry.zip
> - a small jpeg file which renders to an image with the word "Key"
> followed by a number
>
> The key in the jpeg file unlocks the zip archive. The latter contains:
>
> - an .exe file with a random-looking (alphabetic) name
> - a .cfg file with a different random-looking (alphabetic) name
>
> The content of the .cfg file is binary.
>
> The HTML message body has almost nothing except an <img> tag referring
> to the jpeg in the attachment.
>
> Can somebody tell me what this is (and how it is supposed to work)?
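The layout Peter describes (a near-empty HTML body with only an <img> tag, a JPEG attachment carrying the "Key", and a password-protected ZIP with an .exe inside) is a pattern a mail gateway can triage without ever opening the archive. Below is an added example of such a triage check; it is not code from the thread or from any vendor. It builds a constructed message in that shape (the attachment names "key.jpg", "qwsdfghjk.exe" and "zxcvbnmas.cfg", the addresses and the ZIP bytes are all made up for the example; the ZIP is a hand-built archive with only the encryption flag bit set, so there is no real payload), then parses the MIME structure and scores the indicators.

```python
"""Heuristic triage for the mail layout described in the thread: an HTML
body that is little more than an <img> tag, an image attachment, and a
password-protected ZIP whose members include an executable.
Every piece of sample data here is constructed for the example."""
import email
import io
import re
import struct
import zipfile
import zlib
from email import policy
from email.message import EmailMessage

ZIP_FLAG_ENCRYPTED = 0x0001  # general-purpose flag bit 0 in the ZIP format


def make_encrypted_looking_zip(names, payload=b"\x00" * 16):
    """Build a minimal STORED ZIP with the encryption flag set on every entry.
    Constructed only so zipfile reports the members as password-protected;
    the filler bytes are inert and are never extracted."""
    mod_time = (14 << 11) | (9 << 5) | (20 // 2)    # 14:09:20
    mod_date = ((2004 - 1980) << 9) | (7 << 5) | 22  # 2004-07-22
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    csize, usize = len(payload) + 12, len(payload)   # +12: ZipCrypto header
    locals_, centrals, offset = [], [], 0
    for name in names:
        fname = name.encode()
        local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, ZIP_FLAG_ENCRYPTED,
                            0, mod_time, mod_date, crc, csize, usize, len(fname), 0)
        local += fname + b"\x00" * csize
        central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20,
                              ZIP_FLAG_ENCRYPTED, 0, mod_time, mod_date, crc,
                              csize, usize, len(fname), 0, 0, 0, 0, 0, offset)
        locals_.append(local)
        centrals.append(central + fname)
        offset += len(local)
    cd = b"".join(centrals)
    end = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(names), len(names),
                      len(cd), offset, 0)
    return b"".join(locals_) + cd + end


def build_message(html, attachments):
    """attachments: list of (filename, maintype, subtype, data). Constructed mail."""
    msg = EmailMessage()
    msg["From"] = "unknown.sender@example.invalid"  # constructed address
    msg["To"] = "peter_pan@neverland.invalid"
    msg["Subject"] = "Re: Msg reply"
    msg.set_content(html, subtype="html")
    for filename, maintype, subtype, data in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def build_sample_message():
    """The layout from the thread, with constructed (hypothetical) contents."""
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"  # JFIF magic, no real image
    dropper = make_encrypted_looking_zip(["qwsdfghjk.exe", "zxcvbnmas.cfg"])
    return build_message('<html><body><img src="cid:key"></body></html>',
                         [("key.jpg", "image", "jpeg", fake_jpeg),
                          ("Garry.zip", "application", "zip", dropper)])


def analyze(raw):
    """Return the indicators found plus a verdict; nothing is extracted or run."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = {"html_image_only": False, "image_attachments": [],
             "encrypted_zips": [], "executables_in_zip": []}
    for part in msg.walk():
        ctype = part.get_content_type()
        fname = part.get_filename()
        if ctype == "text/html":
            html = part.get_content()
            visible = re.sub(r"<[^>]+>", "", html).strip()
            found["html_image_only"] = bool(re.search(r"<img\b", html, re.I)) and not visible
        elif part.get_content_maintype() == "image" and fname:
            found["image_attachments"].append(fname)
        elif fname and fname.lower().endswith(".zip"):
            data = part.get_payload(decode=True)
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    infos = zf.infolist()  # reads the central directory only
            except zipfile.BadZipFile:
                continue  # a corrupt archive is a separate finding, not scored here
            if any(i.flag_bits & ZIP_FLAG_ENCRYPTED for i in infos):
                found["encrypted_zips"].append(fname)
            found["executables_in_zip"] += [i.filename for i in infos
                                            if i.filename.lower().endswith(".exe")]
    indicators = (found["html_image_only"], bool(found["image_attachments"]),
                  bool(found["encrypted_zips"]), bool(found["executables_in_zip"]))
    found["score"] = sum(indicators)
    found["verdict"] = "likely malware dropper" if found["score"] >= 3 else "no match"
    return found


if __name__ == "__main__":
    print(analyze(build_sample_message()))
```

The check deliberately stays at the container level: it reads the ZIP central directory (where the encryption flag lives) and the MIME layout, so a gateway can quarantine the message for scanning without ever needing the key from the picture. The threshold of three of four indicators is an assumption for the example, not a vendor's rule.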