From: Digital Overdrive (digiover@DSINET.ORG)
Date: Sat Jan 13 2001 - 04:54:05 CST
Hello Kelly Reid and group,
Kelly Reid wrote:
>
> Following is the properties from the email from sexyfun. I'm interested
> in knowing who this came from so that they can get their machine scanned.
>
> Any help would be appreciated
> [snip]
A few days ago I sent an abuse message to abuse@neonova.net.
Apparently they have made a page because of the virus.
"We have setup a web site ( http://www.sexyfun.net/ ) that
contains information about this SPAM / Virus with helpful
links to other sites."
=----------=
Mail I got back, including headers
=----------=
Message-ID: <kWkY5.51663$II2.4657409@newsread2.prod.itd.earthlink.net>
Message-ID: <31s06.374$LN3.9345@newsread2.prod.itd.earthlink.net>
    id 14Fzpd-00031G-00
    for digiover@dsinet.org; Tue, 09 Jan 2001 14:33:01 +0000
Received: from localhost (heymoe@localhost)
    by nullspace.neonova.net (8.9.3/8.9.3) with ESMTP id JAA28169
    for <digiover@dsinet.org>; Tue, 9 Jan 2001 09:46:19 -0500
Date: Tue, 9 Jan 2001 09:46:19 -0500 (EST)
From: Gary Moe <heymoe@nullspace.neonova.net>
To: Digital Overdrive <digiover@dsinet.org>
Subject: Re: Spam Report (Virus)
In-Reply-To: <list-49728013@neonova.net>
Message-ID: <Pine.LNX.4.30.0101090946050.11243-100000@nullspace.neonova.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Mozilla-Status: 8011
X-Mozilla-Status2: 00000000
X-UIDL: 7b2b37c6a22aca0de657edafc855b67e
Overdrive,
Here is a copy of a form letter we have been using to inform people about
this email / SPAM / Virus that everyone is getting. If you have any other
questions about this after you read and visit the URLs in the form
letter please feel free to write me back.. Thanks..
======= Start of form letter =======
==== THIS IS NOT A MAILING LIST OR A REAL USER THAT SENT ====
==== THE SPAM THAT CLAIMS TO BE FROM: hahaha@sexyfun.net ====
/ faked From: fields.
http://www.f-secure.com/v-descs/hybris.shtml
The person who is responsible for this SPAM / Virus
spoofed the email address at the sexyfun.net domain. The
owner of the sexyfun.net domain is NOT affiliated with
this person, this also goes for slowmoe.com which is hosting
the web site that contains information about the SPAM / Virus
as well as neonova.net whose DNS server hosts the domain
sexyfun.net.
Once again sexyfun.net, slowmoe.com and neonova.net are
NOT affiliated to the SPAM / Virus that contains the email
address of hahaha@sexyfun.net (This is a spoofed email header).
sexyfun.net, slowmoe.com and neonova.net ARE providing
information about this SPAM / Virus in the form of a web site
found at http://www.sexyfun.net/ to help people that are
running into it.
========= End of form letter =========
-Gary
=====
NeoNova Network Services
Network / System Operations
gary@neonova.net
On Tue, 9 Jan 2001, Digital Overdrive wrote:
> Dear abusedesks,
>
> Please contact this person who is abusing your
> Internet services by spamming and sending virii (dwarf4you.exe)
>
> Special note for *@healey.com.au :
[snipped a telnet session]
> (where is abuse@healey.com.au ?)
>
> I have included the /complete/ message source which means the attachment
> too.
> ** Be careful !! This is a virus !! **
[I didn't send the whole source]
[just a small part of it]
> =----------=
> Message source
> =----------=
>
> X-POP3-Rcpt: digiover@bravo
> Return-path: <>
> Envelope-to: digiover@dsinet.org
> Delivery-date: Tue, 09 Jan 2001 09:52:59 +0000
> Received: from [203.25.70.148] (helo=charlton)
>     by bravo.whitburn.xcalibre.co.uk with smtp (Exim 3.15 #1)
>     id 14FvSS-0000Yh-00
>     for digiover@dsinet.org; Tue, 09 Jan 2001 09:52:49 +0000
> From: Hahaha <hahaha@sexyfun.net>
> Subject: Snowhite and the Seven Dwarfs - The REAL story!
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>     boundary="--VEW5E3KDIRK5I7CPEVO5A745QRWH2RCPMBCL"
> Message-Id: <E14FvSS-0000Yh-00@bravo.whitburn.xcalibre.co.uk>
> Bcc:
> Date: Tue, 09 Jan 2001 09:52:49 +0000
> X-Mozilla-Status: 8001
> X-Mozilla-Status2: 00000000
> X-UIDL: cb4dcd83d7b79bbd07a39fe4f0e3cd5a
>
> ----VEW5E3KDIRK5I7CPEVO5A745QRWH2RCPMBCL
> Content-Type: text/plain; charset="us-ascii"
>
> Today, Snowhite was turning 18. The 7 Dwarfs always where very educated
> and
> polite with Snowhite. When they go out work at mornign, they promissed a
> *huge* surprise. Snowhite was anxious. Suddlently, the door open, and
> the Seven
> Dwarfs enter...
>
>
> ----VEW5E3KDIRK5I7CPEVO5A745QRWH2RCPMBCL
> Content-Type: application/octet-stream; name="dwarf4you.exe"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="dwarf4you.exe"
[snipped some attachment source]
> I hope proper actions against this person will be taken and please
> keep me posted about it.
>
> More information about this virus :
> http://vil.mcafee.com/dispVirus.asp?virus_k=98873&
>
> Kind regards,
>
> J. Reilink
> digiover@dsinet.org / digiover@cotse.com
=----------=
End of message
=----------=
McAfee link for information :
http://vil.mcafee.com/dispVirus.asp?virus_k=98873&
Hope this informs you enough.
Regards,
Jan (Digital Overdrive)
--
 .~.   Dutch Security Information Network : http://www.dsinet.org
 /V\   news:alt.hack.nl FAQ : http://www.dsinet.org/hackfaq
/( )\  digiover@dsinet.org / digiover@cotse.com
^^-^^  "Microsoft: We make virii work!"
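
Added example, not part of the original post: a small Python sketch of the tracing question this thread asks, reading the Received line stamped by the recipient's own mail server instead of the spoofed From: field. The sample headers are retyped from the quoted message source with "@" restored in the addresses (an assumption); `parse_received`, `trace_origin` and `trusted_by` are hypothetical names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: headers retyped from the quoted message source,
# with "@" restored in the addresses (assumption).
SAMPLE = (
    "Return-path: <>\n"
    "Received: from [203.25.70.148] (helo=charlton)\n"
    "\tby bravo.whitburn.xcalibre.co.uk with smtp (Exim 3.15 #1)\n"
    "\tid 14FvSS-0000Yh-00\n"
    "\tfor digiover@dsinet.org; Tue, 09 Jan 2001 09:52:49 +0000\n"
    "From: Hahaha <hahaha@sexyfun.net>\n"
    "Subject: Snowhite and the Seven Dwarfs - The REAL story!\n"
    "\n"
    "body\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"helo=([^\s)]+)")
BY_RE = re.compile(r"\bby\s+(\S+)")


def parse_received(value):
    """Extract peer IP, HELO name and stamping host from one Received header."""
    flat = " ".join(value.split())      # undo header folding
    peer = flat.split(" by ", 1)[0]     # keep only the "from ..." clause
    ip, helo, by = IP_RE.search(peer), HELO_RE.search(peer), BY_RE.search(flat)
    return {"ip": ip and ip.group(1), "helo": helo and helo.group(1),
            "by": by and by.group(1)}


def trace_origin(raw, trusted_by):
    """Report the peer seen by our own MTA; headers below that hop can be forged."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    # Relays prepend, so the last hop stamped by a trusted host is the border hop.
    trusted = [h for h in hops if h["by"] == trusted_by]
    origin = trusted[-1] if trusted else {}
    dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    helo = origin.get("helo") or ""
    return {
        "from_domain": dom,
        "origin_ip": origin.get("ip"),
        "origin_helo": origin.get("helo"),
        "null_return_path": msg.get("Return-path", "").strip() == "<>",
        "helo_matches_from": bool(helo and dom and helo.lower().endswith(dom)),
    }
```

The abuse contact worth writing to is the owner of the netblock behind `origin_ip`, not the domain named in From:.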