WARNING! SUSPICIOUS MAIL: Re: [Vorbis-dev] Returned mail: see transcript for details

Ray Heasman ray at isdmg.com
Mon Aug 21 10:50:21 PDT 2006


Just in case it is not obvious to anyone else, the referred message and
its attached file are both extremely suspicious.

The zip file is doubly zipped and contains a windows executable. Running
strings on it finds the following:
KERNEL32.DLL
ADVAPI32.dll
MSVCRT.dll
USER32.dll
WS2_32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey

I am not sure who has been compromised, given how easy it is to spoof
mail source addresses. Perhaps the vorbis-dev maintainers can look at
some headers? Did that message really come from giles?

-Ray

On Mon, 2006-08-21 at 19:30 +0200, giles at xiph.org wrote:
> Dear user of xiph.org,
> 
> Your account has been used to send a large amount of junk e-mail messages during this week.
> Obviously, your computer was compromised and now contains a trojan proxy server.
> 
> Please follow our instruction in the attached file in order to keep your computer safe.
> 
> Virtually yours,
> xiph.org user support team.
> 
> _______________________________________________
> Vorbis-dev mailing list
> Vorbis-dev at xiph.org
> http://lists.xiph.org/mailman/listinfo/vorbis-dev
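The triage Ray describes above (a doubly zipped attachment holding a Windows executable, then listing the DLL names it references) can be automated. The script below is an added example, not code from the list or from Ray; the nested archive it inspects is a constructed, harmless MZ/PE stub with a few DLL name strings embedded, and the function and member names are assumptions.

```python
import io
import re
import zipfile

# Quick attachment triage: walk nested zips, flag PE files, collect DLL names.
MAX_DEPTH = 4                                   # stop recursing into endlessly nested zips
MAX_MEMBER = 50 * 1024 * 1024                   # skip members that would inflate to >50 MiB
DLL_RE = re.compile(rb"[A-Za-z0-9_]+\.(?:dll|DLL)")


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(data: bytes, name: str = "attachment", depth: int = 0) -> list:
    """Return one tuple per leaf member: (path, zip nesting depth, is PE, sorted DLL names)."""
    findings = []
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                path = f"{name}/{info.filename}"
                if info.file_size > MAX_MEMBER:     # record but do not decompress oversized members
                    findings.append((path, depth + 1, None, []))
                    continue
                findings += triage(zf.read(info), path, depth + 1)
        return findings
    dlls = sorted({m.decode() for m in DLL_RE.findall(data)})
    findings.append((name, depth, is_pe(data), dlls))
    return findings


def suspicious(findings: list) -> list:
    """PE files found two or more zip layers deep, the pattern reported in the post."""
    return [f for f in findings if f[2] and f[1] >= 2]


def build_sample() -> bytes:
    """Constructed sample (not the real attachment): a harmless PE stub zipped twice."""
    stub = bytearray(b"MZ" + b"\0" * 0x3A)
    stub[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> offset 0x40
    stub += b"PE\0\0" + b"KERNEL32.DLL\0ADVAPI32.dll\0WS2_32.dll\0LoadLibraryA\0"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("instruction.exe", bytes(stub))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("instruction.zip", inner.getvalue())
    return outer.getvalue()
```

Run `suspicious(triage(open(path, "rb").read()))` on a saved attachment; a non-empty result is the signal Ray spotted by hand.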
