Question on email virus in Outlook Express
Brian Densmore
DensmoreB at ctbsonline.com
Mon Apr 1 15:02:18 CST 2002
Also the from domain doesn't appear to exist. Probably a spoofed
address.
I couldn't resolve a name in the address space. The mail came from an
unnamed mail server; not sure how that is possible. Also this doesn't
look like an HTML e-mail. It looks like a M$ virus file. Note the
multipart/alternative format. Very common attack method. Although it
could be some binary file like RealPlayer or something (still, I doubt
it).
Brian
> -----Original Message-----
> From: hanasaki [mailto:hanasaki at hanaden.com]
> Sent: Sunday, March 31, 2002 8:29 AM
> To: KCLUG (E-mail)
> Subject: Question on email virus in Outlook Express
>
>
> The below showed up in my email logs the other day. Could someone
> please help? Is this a known virus? What is it?
>
> ==========================================
> 2002-03-29 01:51:15 16qrAG-0001bN-00 rejected from
> (hawk.chinabyte.com)
> [211.167
> .73.209]: there is no valid sender in any header line
> (envelope sender
> is <nobod
> y2 at chinabyte.com>)
> Recipients: hanasaki at hanaden.com
> P Received: from [211.167.73.209] (helo=hawk.chinabyte.com)
> by portal with smtp (Exim 3.33 #3 (Debian))
> id 16qrAG-0001bN-00
> for <hanasaki at hanaden.com>; Fri, 29 Mar 2002 01:51:12 -0600
> P Received: (qmail 3867 invoked from network); 29 Mar 2002
> 05:48:51 -0000
> P Received: from unknown (HELO ??????) (211.158.14.81)
> by 0 with SMTP; 29 Mar 2002 05:48:51 -0000
> R Reply-To: "<C3><B4><C3><B4><C3><DB>"<<C3><B4><C3><B4><C3><DB>>
> F From: "<C3><B4><C3><B4><C3><DB>"<<C3><B4><C3><B4><C3><DB>>
> T To: han at 263.net
> Subject:
> <B6><D4>263<C3><E2><B7><D1><D3><CA><BC><FE><B2><BB><D4><D9><D3><D0>
> <B5><C4><B9><D8><D7><A2><A3><AC><CF><EB><D4><F5><C3><B4><D7><F
> 6><BE><CD><D4><F5>
> <C3><B4><D7><F6><A3><A1>
> Date: Fri,29 Mar 2002 13:35:57 +0800
> * Return-Path: "<C3><B4><C3><B4><C3><DB>"<<C3><B4><C3><B4><C3><DB>>
> X-Mailer: Microsoft Outlook Express
> Content-Type: multipart/related;
> boundary="----=_NextPart_000_0011_01C1D2D6.5DEEF420";
> type="multipart/alternative"
> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
> I Message-Id: <E16qrAG-0001bN-00 at portal>
>
> --
> = hanasaki at hanaden.com =
> = Spam : Unhealthy and High in Sodium and Cholesterol =
>
>
>
> majordomo at kclug.org
>
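Added example, not part of the original thread: a short Python parser that rebuilds the relay chain from the header dump in the quoted reject-log entry and marks hops whose HELO is not a hostname, as with the "unnamed" server mentioned in the reply. The function names are hypothetical, and the sample is the post's log with the mail client's line wrapping undone; it assumes headers start at column 0 and continuation lines are indented.

```python
import re

# Header dump re-joined from the reject-log entry quoted in the post
# (quote marks removed, wrapped lines rejoined); not a fresh capture.
SAMPLE = """\
P Received: from [211.167.73.209] (helo=hawk.chinabyte.com)
        by portal with smtp (Exim 3.33 #3 (Debian))
        id 16qrAG-0001bN-00
        for <hanasaki at hanaden.com>; Fri, 29 Mar 2002 01:51:12 -0600
P Received: (qmail 3867 invoked from network); 29 Mar 2002 05:48:51 -0000
P Received: from unknown (HELO ??????) (211.158.14.81)
        by 0 with SMTP; 29 Mar 2002 05:48:51 -0000
T To: han at 263.net
"""

FLAG = re.compile(r"^[A-Z*] (?=[A-Za-z-]+:)")       # one-letter flag column
IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
HELO = re.compile(r"\(helo[= ]([^)]*)\)", re.I)      # Exim and qmail styles
HOSTNAME = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def unfold(dump):
    """Strip the flag column and join folded continuation lines."""
    headers = []
    for line in dump.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line.strip():
            headers.append(FLAG.sub("", line))
    return headers

def relay_hops(dump):
    """Return (ip, helo, helo_is_hostname) per network hop, newest first."""
    hops = []
    for header in unfold(dump):
        # qmail's local "(qmail ... invoked from network)" line is not a hop.
        if not header.lower().startswith("received: from "):
            continue
        ip = IP.search(header)
        helo = HELO.search(header)
        name = helo.group(1).strip() if helo else ""
        # Syntax check only: HELO is sender-supplied and no DNS lookup is done.
        hops.append((ip.group(1) if ip else None, name,
                     bool(HOSTNAME.fullmatch(name))))
    return hops

if __name__ == "__main__":
    for ip, helo, ok in relay_hops(SAMPLE):
        print(ip, repr(helo), "hostname-like" if ok else "no usable HELO name")
```

Only the IP address recorded by the receiving server is observed first-hand; HELO names and earlier Received lines are supplied by the sending side.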