 
From: claymore (claymoreADELPHIA.NET)
Date: Wed Mar 28 2001 - 13:46:32 CST


    Yes, this appears to be a version of Hybris. Of course, without actually
    seeing it I cannot be certain, but it fits the pattern.

    Random 8 Character attachment name with no subject or message body.

    Check your favorite AV vendor for "Hybris"

    Claymore
    the unprofound

    -----Original Message-----
    From: Incidents Mailing List [mailto:INCIDENTSSECURITYFOCUS.COM]On
    Behalf Of Lee Hetherington
    Sent: Wednesday, March 28, 2001 3:31 AM
    To: INCIDENTSSECURITYFOCUS.COM
    Subject: ICQ Users a target Again!

    Hi Guys,

    I got an email today when I arrived at work which seemed to originate from
    the MAILER-DAEMON account on one of our machines running Sendmail. The
    message had no body but had one attachment. The file LEOKIALE.EXE is 23Kb
    in size and hasn't been opened...

    It was to a personal address of my own which is only used in ICQ...

    Message Headers:-

    Return-Path: <rootns1.asphost.net>
    Received: (from rootlocalhost)
            by XXX.asphost.net (8.11.0/8.8.7) id f2RGNGL32025
            for leeasphost.net; Tue, 27 Mar 2001 17:23:16 +0100
    Received: from isis.hol.gr (isis.hol.gr [194.30.192.21])
            by XXX.asphost.net (8.11.0/8.8.7) with SMTP id f2RGLeZ32019
            for <xxxxxxkerfuffle.net>; Tue, 27 Mar 2001 17:21:40 +0100
    Date: Tue, 27 Mar 2001 17:21:40 +0100
    From: MAILER-DAEMONns1.asphost.net
    Message-Id: <200103271621.f2RGLeZ32019ns1.asphost.net>
    Received: (qmail 6678 invoked from network); 27 Mar 2001 16:08:03 -0000
    Received: from vdp201.ath02.cas.hol.gr (HELO r8f9e9) (195.97.117.202)
      by isis.hol.gr with SMTP; 27 Mar 2001 16:08:03 -0000
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="--VE27O9EV0H27012FOLUR"
    Status:

    Anyone else seen this?

    Lee

    Lee Hetherington
    Production Network Engineer
    Grey Matter Advanced Marketing Limited

    T: +44 1242 237600 DL: +44 1242 246139 F: +44 1242 237633 W:
    greymatterltd.com
    Suite 4, Fairview Court, Fairview Road. Cheltenham, Gloucestershire GL52 2EX
    UK
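
The pattern named in the reply above (8-character attachment name, no subject, no message body) can be checked mechanically at a mail gateway or over a mailbox. The following is an added example, not part of either message in the thread; the function name `hybris_like`, the letters-only name rule and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string

# Assumption: the random name is 8 letters plus .EXE, as in the LEOKIALE.EXE report.
NAME_RE = re.compile(r"[A-Za-z]{8}\.exe", re.IGNORECASE)

def hybris_like(raw):
    """Score one raw RFC 822 message against the pattern described in the thread."""
    msg = message_from_string(raw)
    names, text = [], ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(name)          # any named part counts as an attachment
        elif part.get_content_maintype() == "text":
            text += (part.get_payload(decode=True) or b"").decode("latin-1")
    checks = {
        "no_subject": not (msg.get("Subject") or "").strip(),
        "no_body": not text.strip(),
        "single_attachment": len(names) == 1,
        "random_exe_name": any(NAME_RE.fullmatch(n) for n in names),
    }
    checks["match"] = all(checks.values())
    return checks

# Constructed sample: boundary and file name come from the post, the rest is
# placeholder data (the payload is just the two bytes "MZ").
SAMPLE = "\n".join([
    "From: MAILER-DAEMON@example.invalid",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="--VE27O9EV0H27012FOLUR"',
    "",
    "----VE27O9EV0H27012FOLUR",
    'Content-Type: application/octet-stream; name="LEOKIALE.EXE"',
    "Content-Transfer-Encoding: base64",
    'Content-Disposition: attachment; filename="LEOKIALE.EXE"',
    "",
    "TVo=",
    "----VE27O9EV0H27012FOLUR--",
    "",
])

if __name__ == "__main__":
    print(hybris_like(SAMPLE))
```

A match is only a triage signal that the message fits the reported pattern; confirmation still comes from scanning the attachment with an AV product, as the reply suggests.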