giles@xiph.org
2006-Aug-21 10:30 UTC
[Vorbis-dev] Returned mail: see transcript for details
Dear user of xiph.org,

Your account has been used to send a large amount of junk e-mail messages during this week.
Obviously, your computer was compromised and now contains a trojan proxy server.

Please follow our instruction in the attached file in order to keep your computer safe.

Virtually yours,
xiph.org user support team.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mail.zip
Type: application/octet-stream
Size: 29060 bytes
Desc: not available
Url : http://lists.xiph.org/pipermail/vorbis-dev/attachments/20060821/4c7d9b72/mail-0001.obj
Ray Heasman
2006-Aug-21 10:50 UTC
WARNING! SUSPICIOUS MAIL: Re: [Vorbis-dev] Returned mail: see transcript for details
Just in case it is not obvious to anyone else, the referred message and its attached file are both extremely suspicious.

The zip file is doubly zipped and contains a Windows executable. Running strings on it finds the following:

KERNEL32.DLL
ADVAPI32.dll
MSVCRT.dll
USER32.dll
WS2_32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey

I am not sure who has been compromised, given how easy it is to spoof mail source addresses. Perhaps the vorbis-dev maintainers can look at some headers? Did that message really come from giles?

-Ray

On Mon, 2006-08-21 at 19:30 +0200, giles@xiph.org wrote:
> Dear user of xiph.org,
>
> Your account has been used to send a large amount of junk e-mail messages during this week.
> Obviously, your computer was compromised and now contains a trojan proxy server.
>
> Please follow our instruction in the attached file in order to keep your computer safe.
>
> Virtually yours,
> xiph.org user support team.
>
> _______________________________________________
> Vorbis-dev mailing list
> Vorbis-dev@xiph.org
> http://lists.xiph.org/mailman/listinfo/vorbis-dev
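As an added example, not part of the thread above, the following Python script performs the triage Ray describes for an attachment like mail.zip: it unpacks a zip (and any zip nested inside it) in memory with a depth and size guard, flags members that carry a PE header, and pulls DLL names out of printable strings the way `strings` would. The sample archive is constructed inline; its "executable" is nothing but a PE-style header followed by the strings quoted in the thread, so it does nothing when run and is not a real binary.

```python
import io
import re
import struct
import zipfile

MAX_DEPTH = 4                  # refuse to unpack archives nested deeper than this
MAX_MEMBER_BYTES = 50 * 2**20  # refuse to inflate a member larger than this (zip-bomb guard)

DLL_NAME = re.compile(r"^[A-Za-z0-9_.-]+\.dll$", re.IGNORECASE)


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Roughly what `strings` prints: runs of printable ASCII of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def imported_dlls(data: bytes) -> list[str]:
    """Strings that look like DLL names: the quickest hint of what an unknown binary touches."""
    return sorted({s for s in printable_strings(data) if DLL_NAME.match(s)}, key=str.lower)


def triage_zip(blob: bytes, depth: int = 1, prefix: str = "") -> list[dict]:
    """Describe every non-archive member of a zip, recursing into zips found inside it.
    depth counts the archives enclosing a member (2 means 'doubly zipped')."""
    if depth > MAX_DEPTH:
        return [{"path": prefix, "depth": depth, "error": "nesting too deep"}]
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append({"path": path, "depth": depth, "error": "member too large"})
                continue
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                findings.extend(triage_zip(member, depth + 1, path + "/"))
                continue
            pe = is_pe(member)
            findings.append({
                "path": path,
                "depth": depth,
                "size": len(member),
                "is_pe": pe,
                "dlls": imported_dlls(member) if pe else [],
            })
    return findings


def build_sample() -> bytes:
    """Constructed stand-in for the thread's mail.zip: a zip holding a zip holding a
    fake executable made only of a PE header and the import-like strings Ray quoted."""
    fake_pe = (
        b"MZ" + b"\x00" * 58           # DOS stub; bytes 0x3c..0x3f hold e_lfanew
        + struct.pack("<I", 0x40)      # e_lfanew -> PE signature right after the stub
        + b"PE\x00\x00" + b"\x00" * 16
        + b"\x00".join([b"KERNEL32.DLL", b"ADVAPI32.dll", b"MSVCRT.dll", b"USER32.dll",
                        b"WS2_32.dll", b"LoadLibraryA", b"GetProcAddress",
                        b"ExitProcess", b"RegCloseKey"])
    )
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mail.exe", fake_pe)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mail.zip", inner.getvalue())
        zf.writestr("readme.txt", b"Please follow our instruction in the attached file.\n")
    return outer.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample()):
        flag = "EXECUTABLE" if f.get("is_pe") else "-"
        print(f"{f['path']:24} depth={f['depth']} {flag} {' '.join(f.get('dlls', []))}")
```

The header check deliberately requires both the MZ stub and a valid e_lfanew pointer rather than trusting the file extension, since a renamed or doubly packed attachment is exactly the case the thread is about; the depth and size limits keep the script itself from being the thing that falls over on a hostile archive.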