You visit illegal websites

Mike michael at NOMENNESCIO.NET
Mon Feb 21 11:45:25 GMT 2005


The attachment is now blocked by ClamAV (not yet by McAfee!), since 11:49 CET. Way to go ClamAV! ;-)

It classifies the virus as Worm.Sober.K.

Mike.

>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>Behalf Of Julian Field
>Sent: Monday, February 21, 2005 12:32 PM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: You visit illegal websites
>
>MailScanner being faked by the VXers again. Shows I must be making a
>dent in the market share!
>
>Mike wrote:
>
>>There seems to be a new virus (or is it a hoax?) active. The subject is
>>"You visit illegal websites" with a "From: Office at FBI.gov". Here's the text
>>of the e-mail:
>>
>>==============================================
>>Dear Sir/Madam,
>>
>>we have logged your IP-address on more than 40 illegal Websites.
>>
>>Important: Please answer our questions!
>>The list of questions are attached.
>>
>>
>>Yours faithfully,
>>M. John Stellford
>>
>>
>>
>>++-++ Federal Bureau of Investigation -FBI-
>>++-++ 935 Pennsylvania Avenue, NW, Room 2130
>>++-++ Washington, DC 20535
>>++-++ (202) 324-3000
>>==============================================
>>
>>It sometimes adds a footer like this:
>>
>>==============================================
>>*-* Mail-Scanner: No Virus detected
>>==============================================
>>
>>It can also be an e-mail from Microsoft with the request to install a
>>patch or someone from Hotmail to thank you for some registration.
>>
>>They all have some sort of attachment (approx. 51KB), a zip file. In the
>>case of the FBI mail, it was "indictment_cit2515.zip".
>>
>>The zip file contains a .pif file (double extension, ".txt
>>.pif", with lots of spaces between .txt and .pif). If MailScanner is configured
>>to scan within zip files, you must be safe (I guess).
>>
>>The file, however, is an executable (has "MZ" as the first bytes in the
>>file). I'm not sure what it does, I haven't opened it on a Windows box, I'm
>>just too afraid...
>>
>>Has anyone else seen this??? I cannot find any information about this on
>>the Internet and none of the major Anti-Virus companies have information on
>>it.
>>
>>Regards,
>>Mike.
>>
>>------------------------ MailScanner list ------------------------
>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>'leave mailscanner' in the body of the email.
>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>>Support MailScanner development - buy the book off the website!
>>
>>
>>
>
>--
>Julian Field
>www.MailScanner.info
>Buy the MailScanner book at www.MailScanner.info/store
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

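Added example, not part of the original thread or of MailScanner: a Python sketch of the two checks the quoted report implies for a zip attachment, a whitespace-padded double extension and an "MZ" header. The extension list beyond .pif, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# .pif is the extension named in the post; the other entries are assumptions.
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat", "cmd"}
# Decoy extension, optional whitespace padding, then the real extension.
DOUBLE_EXT = re.compile(r"\.([A-Za-z0-9]{1,4})(\s*)\.([A-Za-z0-9]{1,4})\s*$")


def inspect_member(name: str, head: bytes) -> list[str]:
    """Return the reasons one archive member looks like a disguised executable."""
    reasons = []
    m = DOUBLE_EXT.search(name)
    ext = name.rsplit(".", 1)[-1].strip().lower() if "." in name else ""
    if m and m.group(3).lower() in EXECUTABLE_EXTS:
        reasons.append(f"double extension .{m.group(1)} -> .{m.group(3)}")
        if len(m.group(2)) >= 3:
            reasons.append(f"{len(m.group(2))} whitespace chars hide the real extension")
    elif ext in EXECUTABLE_EXTS:
        reasons.append("executable extension")
    # DOS/PE executables begin with the bytes "MZ", whatever the name claims.
    if head[:2] == b"MZ":
        reasons.append("MZ header")
    return reasons


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons; reads 2 bytes per member."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                reasons = inspect_member(info.filename, fh.read(2))
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed, inert sample: padded .txt/.pif name over bytes starting with MZ."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("questions.txt" + " " * 40 + ".pif", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip(build_sample()))
```

The MZ check is independent of the name, so a member called notes.txt that starts with those bytes is still reported.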