Re: virus Re: Questionnaire

From: D. Stimits
Subject: Re: virus Re: Questionnaire
Date: Tue, 20 May 2003 01:00:28 -0600
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2b) Gecko/20021018

Michael Talbot-Wilson wrote:

On 2003-05-19 19:05 -0600, D. Stimits wrote:

>Thomas E. Dickey wrote:
>>On Mon, 19 May 2003, D. Stimits wrote:
>>>The "questionnaire" is really a Windows virus.
>>I didn't approve any mailing-list stuff today (there were perhaps 20-30

>realistic). I've deleted the virus email, so I can't look closer, but it

If it is of interest, here is part of the headers (apologies to those
who still have it or don't care).

Received: from list by monty-python.gnu.org with tmda-scanned (Exim 4.10.13)
        id 19HsCD-0004ex-00
        for address@hidden; Mon, 19 May 2003 17:29:25 -0400
Received: from mail by monty-python.gnu.org with spam-scanned (Exim 4.10.13)
        id 19Hs1p-0001py-00
        for address@hidden; Mon, 19 May 2003 17:18:44 -0400
Received: from sc005pub.verizon.net ([])
        by monty-python.gnu.org with esmtp (Exim 4.10.13)
        id 19HqSB-0006aw-00
        for address@hidden; Mon, 19 May 2003 15:37:47 -0400
Received: from [] (port=16421 helo=Jovyx)

This address appears to be the origination point, which resolves to freebit.ne.jp, but the reply to shows it as sent by just "dickey". However, the real Thomas Dickey sends from herndon4.his.com...making this a forged header. All this means is that someone with a Windows machine in Japan has an address book listing "dickey" and not "Thomas Dickey". Anyone know a subscriber with a freebit.ne.jp address (this person has a virus)?

D. Stimits, stimits AT attbi DOT com

        by sc005pub.verizon.net with smtp (Exim 4.14)
        id 19HqS0-000165-Fk
        for address@hidden; Mon, 19 May 2003 14:37:36 -0500
From: dickey

The MIME of the attachment looks like this:

>Content-Type: audio/x-wav;
>        name=type to.exe
>Content-Transfer-Encoding: base64

The attachment contains the strings, "This program cannot be run in
DOS mode", "Microsoft Visual C++ Runtime Library", "HELO %s", "MAIL
FROM:", "RCPT TO:", "DATA", and "This program must be run under
