Mailinglist Archive: opensuse-security (564 mails)
Re: [suse-security] Mysterious Mail with unknown Attachment
- From: AndriusD@xxxxxxxxx
- Date: Mon, 29 Jan 2001 15:31:10 +0100
- Message-id: <OF483AA8D4.E0ABF7EE-ONC12569E3.004DF550@xxxxxxxxx>
Once received, a similar e-mail attachment was detected by the antivirus
program as the "hybris" virus.
You can find more info on this at:
http://www.europe.f-secure.com/v-descs/hybris.shtml
"...The worm can also send itself with a random, 8-letter name, for example
UKSJHHKW.EXE. "
"...Hybris is an Internet worm that spreads itself as an attachment to
email messages. The worm works under Win32 systems only. The worm contains
components (plugins) in its code that are executed depending on what worm
needs, and these components can be upgraded from an Internet Web site. The
major worm versions are encrypted with semi-polymorphic encryption loop. "
regards,
------------------
andriusd@xxxxxxxxx
From: Max Lindner <ml@xxxxxxx>
Date: 2001.01.28 14:25
To: <suse-security@xxxxxxxx>
cc:
Subject: [suse-security] Mysterious Mail with unknown Attachment
Please respond to Max Lindner
Hi!
I got a mail with the following header:
>From MAILER-DAEMON Sat Jan 27 17:17:40 2001
Return-Path: <>
Delivered-To: mlindner@xxxxxxxxxxxxxxxxxx
Received: from webserver.hlg-fuerth.de (unknown [212.204.100.206])
by www1.agentur-lindner.de (Postfix) with ESMTP id 19EDA111E84
for <ml@xxxxxxxxxxxxxxxxxx>; Sat, 27 Jan 2001 17:17:35 +0100 (CET)
Received: by webserver.hlg-fuerth.de (Postfix)
id 9EC366695B; Sat, 27 Jan 2001 17:18:42 +0100 (CET)
Delivered-To: webmaster@xxxxxxxxxxxxx
Received: from mout02.kundenserver.de (mout02.kundenserver.de
[195.20.224.133])
by webserver.hlg-fuerth.de (Postfix) with ESMTP id 57F7766959
for <webmaster@xxxxxxxxxxxxx>; Sat, 27 Jan 2001 17:18:36 +0100
(CET)
Received: from [195.20.224.151] (helo=mrelay01.kundenserver.de)
by mout02.kundenserver.de with esmtp (Exim 2.12 #2)
id 14MY2y-0003ix-00
for webmaster@xxxxxxxxxxxxx; Sat, 27 Jan 2001 17:17:52 +0100
Received: from p3ee386f8.dip0.t-ipconnect.de ([62.227.134.248] helo=ayla)
by mrelay01.kundenserver.de with smtp (Exim 2.12 #2)
id 14MY2c-0001ga-00
for webmaster@xxxxxxxxxxxxx; Sat, 27 Jan 2001 17:17:30 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VE96FW1QV0X2J49MBGHIF0T"
Message-Id: <E14MY2c-0001ga-00@xxxxxxxxxxxxxxxxxxxxxxxx>
From: Remote Mail Delivery System <>
Date: Sat, 27 Jan 2001 17:17:30 +0100
Status: RO
X-Status:
X-Keywords:
X-UID: 737
There was no message in it, and it had a quite strong attachment named:
'PKCBLMPK.EXE'
Is this malware? Does anyone know this file? I didn't execute it yet...
Is it possible that relay01.kundenserver.de is an open relay?
Thanks for help and suggestions...
Max
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
For additional commands, e-mail: suse-security-help@xxxxxxxx
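The thread turns on two things a reader can check by hand: the delivery path recorded in the Received headers (which is how one reasons about whether mrelay01.kundenserver.de merely relayed a message from a dial-up customer) and the tell-tale random eight-letter .EXE name that the F-Secure description gives for Hybris. The following is an added example, not code from either poster: it parses the headers quoted above (copied into the script with the archive's x-masked addresses kept and the folded Received lines re-indented as continuations) into an origin-first hop list, and applies a few defensive triage checks to the headers plus the attachment name. The function names, the indicator codes and the HELO-mismatch heuristic are this example's own choices.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: the headers quoted in the thread. Masked addresses are
# kept as they appear in the archive; the Received lines are folded with tabs
# so the parser treats them as header continuations.
SAMPLE_HEADERS = """\
Return-Path: <>
Delivered-To: mlindner@xxxxxxxxxxxxxxxxxx
Received: from webserver.hlg-fuerth.de (unknown [212.204.100.206])
\tby www1.agentur-lindner.de (Postfix) with ESMTP id 19EDA111E84
\tfor <ml@xxxxxxxxxxxxxxxxxx>; Sat, 27 Jan 2001 17:17:35 +0100 (CET)
Received: by webserver.hlg-fuerth.de (Postfix)
\tid 9EC366695B; Sat, 27 Jan 2001 17:18:42 +0100 (CET)
Delivered-To: webmaster@xxxxxxxxxxxxx
Received: from mout02.kundenserver.de (mout02.kundenserver.de [195.20.224.133])
\tby webserver.hlg-fuerth.de (Postfix) with ESMTP id 57F7766959
\tfor <webmaster@xxxxxxxxxxxxx>; Sat, 27 Jan 2001 17:18:36 +0100 (CET)
Received: from [195.20.224.151] (helo=mrelay01.kundenserver.de)
\tby mout02.kundenserver.de with esmtp (Exim 2.12 #2)
\tid 14MY2y-0003ix-00
\tfor webmaster@xxxxxxxxxxxxx; Sat, 27 Jan 2001 17:17:52 +0100
Received: from p3ee386f8.dip0.t-ipconnect.de ([62.227.134.248] helo=ayla)
\tby mrelay01.kundenserver.de with smtp (Exim 2.12 #2)
\tid 14MY2c-0001ga-00
\tfor webmaster@xxxxxxxxxxxxx; Sat, 27 Jan 2001 17:17:30 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VE96FW1QV0X2J49MBGHIF0T"
Message-Id: <E14MY2c-0001ga-00@xxxxxxxxxxxxxxxxxxxxxxxx>
From: Remote Mail Delivery System <>
Date: Sat, 27 Jan 2001 17:17:30 +0100

"""

# "from <host> (<info>) ... by <host>" as written by Postfix and Exim
HOP_RE = re.compile(
    r"from\s+(?P<src>\S+)(?:\s+\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)
# A hop with no "from" clause: the MTA handed the message to itself
LOCAL_HOP_RE = re.compile(r"^by\s+(?P<by>\S+)", re.IGNORECASE)
HELO_RE = re.compile(r"helo=(\S+)", re.IGNORECASE)
# Hybris-style random eight-letter executable name (per the F-Secure text)
RANDOM_EXE_RE = re.compile(r"^[A-Z]{8}\.EXE$")


def parse_hops(raw):
    """Return the Received chain in delivery order, origin first."""
    msg = email.message_from_string(raw)
    hops = []
    # Each MTA prepends its own Received line, so the last one is the origin.
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(value)
        if m:
            helo = HELO_RE.search(m.group("info") or "")
            hops.append({"from": m.group("src"), "by": m.group("by"),
                         "helo": helo.group(1) if helo else None})
            continue
        m = LOCAL_HOP_RE.search(value)
        if m:
            hops.append({"from": None, "by": m.group("by"), "helo": None})
    return hops


def indicators(raw, attachment_names):
    """Triage codes for a message given its headers and attachment names."""
    msg = email.message_from_string(raw)
    findings = []
    return_path = (msg.get("Return-Path") or "").strip()
    _, from_addr = parseaddr(msg.get("From", ""))
    null_sender = return_path == "<>" and from_addr == ""
    if null_sender:
        findings.append("null-sender")
    # A genuine bounce (DSN) is multipart/report; a null sender carrying a
    # multipart/mixed body is something else wearing a bounce's envelope.
    if null_sender and msg.get_content_type() == "multipart/mixed":
        findings.append("null-sender-with-mixed-body")
    for name in attachment_names:
        if RANDOM_EXE_RE.match(name):
            findings.append("random-8-letter-exe:" + name)
    hops = parse_hops(raw)
    if hops and hops[0]["from"] and hops[0]["helo"]:
        host, helo = hops[0]["from"].lower(), hops[0]["helo"].lower()
        # Weak but cheap: the origin's HELO name bears no relation to the
        # name the relay recorded for the connecting host.
        if helo != host and not host.endswith("." + helo):
            findings.append(f"helo-mismatch:{helo}!={host}")
    return findings


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_HEADERS):
        print(f"{hop['from'] or '(local)':38} -> {hop['by']}  helo={hop['helo']}")
    print(indicators(SAMPLE_HEADERS, ["PKCBLMPK.EXE"]))
```

Read origin-first, the hop list shows the message entering at mrelay01.kundenserver.de from a t-ipconnect dial-up address, then passing through mout02 and the hlg-fuerth.de web server before reaching the list member's own Postfix; that is a provider relaying its own customer's mail, which is the question Max asks, and it is distinct from the relay accepting mail from arbitrary third parties. The indicator codes are deliberately coarse: a null sender with a multipart/mixed body and an eight-capital-letter .EXE is enough to quarantine for analysis, not a verdict on which worm it is.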