Question on email virus in Outlook Express

Brian Densmore DensmoreB at ctbsonline.com
Mon Apr 1 15:02:18 CST 2002


Also the from domain doesn't appear to exist. Probably a spoofed
address.
I couldn't resolve a name in the address space. The mail came from an
unnamed mail server; not sure how that is possible. Also this doesn't
look like an html e-mail. It looks like a M$ virus file. Note the
multipart/alternative format. Very common attack method. Although it
could be some binary file like realplayer or something (still, I doubt
it).

Brian

> -----Original Message-----
> From: hanasaki [mailto:hanasaki at hanaden.com]
> Sent: Sunday, March 31, 2002 8:29 AM
> To: KCLUG (E-mail)
> Subject: Question on email virus in Outlook Express
> 
> 
> The below showed up in my email logs the other day.  Could someone 
> please help?  Is this a known virus?  What is it?
> 
> ==========================================
> 2002-03-29 01:51:15 16qrAG-0001bN-00 rejected from (hawk.chinabyte.com) [211.167.73.209]: there is no valid sender in any header line (envelope sender is <nobody2 at chinabyte.com>)
> Recipients: hanasaki at hanaden.com
> P Received: from [211.167.73.209] (helo=hawk.chinabyte.com)
>          by portal with smtp (Exim 3.33 #3 (Debian))
>          id 16qrAG-0001bN-00
>          for <hanasaki at hanaden.com>; Fri, 29 Mar 2002 01:51:12 -0600
> P Received: (qmail 3867 invoked from network); 29 Mar 2002 05:48:51 -0000
> P Received: from unknown (HELO ??????) (211.158.14.81)
>    by 0 with SMTP; 29 Mar 2002 05:48:51 -0000
> R Reply-To: "<C3><B4><C3><B4><C3><DB>"<<C3><B4><C3><B4><C3><DB>>
> F From: "<C3><B4><C3><B4><C3><DB>"<<C3><B4><C3><B4><C3><DB>>
> T To: han at 263.net
>    Subject: <B6><D4>263<C3><E2><B7><D1><D3><CA><BC><FE><B2><BB><D4><D9><D3><D0><B5><C4><B9><D8><D7><A2><A3><AC><CF><EB><D4><F5><C3><B4><D7><F6><BE><CD><D4><F5><C3><B4><D7><F6><A3><A1>
>    Date: Fri,29 Mar 2002 13:35:57 +0800
> * Return-Path: "<C3><B4><C3><B4><C3><DB>"<<C3><B4><C3><B4><C3><DB>>
>    X-Mailer: Microsoft Outlook Express
>    Content-Type: multipart/related;
>          boundary="----=_NextPart_000_0011_01C1D2D6.5DEEF420";
>          type="multipart/alternative"
>    X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
> I Message-Id: <E16qrAG-0001bN-00 at portal>
> 
> -- 
> = hanasaki at hanaden.com                                          =
> =     Spam : Unhealthy and High in Sodium and Cholesterol       =
> 
> 
> 
> majordomo at kclug.org
> 
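The checks Brian walks through by eye (a HELO name that is not a real hostname, a receiving host with no name, an 8-bit From: header and a multipart body from an "Outlook Express" mailer) can be automated against the pasted log line and header dump. The script below is an added example and is not part of the list post; the sample log line and headers are copied from the post (re-joined where the archive wrapped them, and with Exim's one-letter spool flags P/R/F/T/*/I stripped so a MIME parser accepts them). It assumes the raw 8-bit header bytes are GBK (Simplified Chinese), which the 263.net and chinabyte.com domains suggest but the message never declares.

```python
import re
from email import message_from_string

# Constructed sample, copied from the list post: the Exim 3 reject line and the
# header dump, with Exim's spool flags removed and the <XX> byte escapes kept.
LOG_LINE = (
    "2002-03-29 01:51:15 16qrAG-0001bN-00 rejected from (hawk.chinabyte.com) "
    "[211.167.73.209]: there is no valid sender in any header line "
    "(envelope sender is <nobody2 at chinabyte.com>)"
)
RAW_HEADERS = """\
Received: from [211.167.73.209] (helo=hawk.chinabyte.com)
         by portal with smtp (Exim 3.33 #3 (Debian))
         id 16qrAG-0001bN-00
         for <hanasaki at hanaden.com>; Fri, 29 Mar 2002 01:51:12 -0600
Received: (qmail 3867 invoked from network); 29 Mar 2002 05:48:51 -0000
Received: from unknown (HELO ??????) (211.158.14.81)
   by 0 with SMTP; 29 Mar 2002 05:48:51 -0000
From: "<C3><B4><C3><B4><C3><DB>"<<C3><B4><C3><B4><C3><DB>>
To: han at 263.net
X-Mailer: Microsoft Outlook Express
Content-Type: multipart/related;
         boundary="----=_NextPart_000_0011_01C1D2D6.5DEEF420";
         type="multipart/alternative"

"""

REJECT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) rejected from \((?P<helo>[^)]*)\) "
    r"\[(?P<ip>[\d.]+)\]: (?P<reason>.*?) \(envelope sender is <(?P<sender>[^>]*)>\)$"
)
# A plausible fully qualified hostname: dotted labels ending in an alphabetic TLD.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.I)
ESCAPE_RE = re.compile(r"<([0-9A-Fa-f]{2})>")


def parse_exim_reject(line):
    """Split an Exim 3 'rejected from' log line into its fields (None if it does not match)."""
    m = REJECT_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_received(value):
    """Pull the claimed HELO name, connecting IP and receiving host out of one Received: header."""
    flat = " ".join(value.split())  # undo header folding
    helo = re.search(r"helo[ =]([^)\s]+)", flat, re.I)
    ip = re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", flat)
    by = re.search(r"\bby (\S+)", flat)
    return {
        "helo": helo.group(1) if helo else None,
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
    }


def hop_findings(hop):
    """Reasons one hop looks suspicious; an empty list means nothing notable."""
    reasons = []
    if hop["helo"] is not None and not HOSTNAME_RE.match(hop["helo"]):
        reasons.append("HELO name is not a fully qualified hostname: %r" % hop["helo"])
    if hop["by"] is not None and not re.search(r"[a-z]", hop["by"], re.I):
        reasons.append("receiving host has no name: %r" % hop["by"])
    return reasons


def decode_escaped(text, codec="gbk"):
    """Turn the <XX> byte escapes used in the post back into bytes and decode them.

    Assumption: the unlabeled 8-bit bytes are GBK; literal text between escapes is kept."""
    out, buf, pos = [], bytearray(), 0
    for m in ESCAPE_RE.finditer(text):
        if m.start() > pos:
            out.append(buf.decode(codec, "replace"))
            buf = bytearray()
            out.append(text[pos:m.start()])
        buf.append(int(m.group(1), 16))
        pos = m.end()
    out.append(buf.decode(codec, "replace"))
    out.append(text[pos:])
    return "".join(out)


def analyze(raw_headers, log_line):
    """Walk the Received: chain (newest hop first) and collect what a defender would note."""
    msg = message_from_string(raw_headers)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    findings = []
    for i, hop in enumerate(hops):
        findings.extend("hop %d: %s" % (i, r) for r in hop_findings(hop))
    ctype = msg.get_content_type()
    if ctype != "text/plain":
        findings.append("non-plain body: %s" % ctype)
    rej = parse_exim_reject(log_line)
    if rej:
        findings.append("exim rejected %s from %s [%s]: %s"
                        % (rej["id"], rej["helo"], rej["ip"], rej["reason"]))
    return {"hops": hops, "from": decode_escaped(msg.get("From", "")), "findings": findings}


if __name__ == "__main__":
    for line in analyze(RAW_HEADERS, LOG_LINE)["findings"]:
        print(line)
```

Run as-is it reports the oldest hop's bogus HELO (`??????`) and nameless receiving host (`0`), the `multipart/related` body, and the Exim rejection. A resolver lookup of the decoded From: domain would be the natural next check, but it is left out so the example runs offline.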
