Re: [suse-security] Mysterious Mail with uknown Attachment

29 Jan 2001

      once received, the similar e-mail attachement was detected by antivirus
program as "hybris" virus
you can find more info on this at:
http://www.europe.f-secure.com/v-descs/hybris.shtml

"...The worm can also send itself with a random, 8-letter name, for example
UKSJHHKW.EXE. "

"...Hybris is an Internet worm that spreads itself as an attachment to
email messages. The worm works under Win32 systems only. The worm contains
components (plugins) in its code that are executed depending on what worm
needs, and these components can be upgraded from an Internet Web site. The
major worm versions are encrypted with semi-polymorphic encryption loop. "

regards,
------------------
andriusd@labas.com

                    Max Lindner                                                            
                             To:                       
                                         cc:                                               
                    2001.01.28           Subject:     [suse-security] Mysterious Mail with 
                    14:25                uknown Attachment                                 
                    Please                                                                 
                    respond to                                                             
                    Max Lindner                                                            

Hi!

I got a mail with the following header:
...
From MAILER-DAEMON  Sat Jan 27 17:17:40 2001
Return-Path: <>
Delivered-To: mlindner@agentur-lindner.de
Received: from webserver.hlg-fuerth.de (unknown [212.204.100.206])
        by www1.agentur-lindner.de (Postfix) with ESMTP id 19EDA111E84
        for ; Sat, 27 Jan 2001 17:17:35 +0100 (CET)
Received: by webserver.hlg-fuerth.de (Postfix)
        id 9EC366695B; Sat, 27 Jan 2001 17:18:42 +0100 (CET)
Delivered-To: webmaster@hlg-fuerth.de
Received: from mout02.kundenserver.de (mout02.kundenserver.de
[195.20.224.133])
        by webserver.hlg-fuerth.de (Postfix) with ESMTP id 57F7766959
        for ; Sat, 27 Jan 2001 17:18:36 +0100
(CET)
Received: from [195.20.224.151] (helo=mrelay01.kundenserver.de)
        by mout02.kundenserver.de with esmtp (Exim 2.12 #2)
        id 14MY2y-0003ix-00
        for webmaster@hlg-fuerth.de; Sat, 27 Jan 2001 17:17:52 +0100
Received: from p3ee386f8.dip0.t-ipconnect.de ([62.227.134.248] helo=ayla)
        by mrelay01.kundenserver.de with smtp (Exim 2.12 #2)
        id 14MY2c-0001ga-00
        for webmaster@hlg-fuerth.de; Sat, 27 Jan 2001 17:17:30 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VE96FW1QV0X2J49MBGHIF0T"
Message-Id: 
From: Remote Mail Delivery System <>
Date: Sat, 27 Jan 2001 17:17:30 +0100
Status: RO
X-Status:
X-Keywords:
X-UID: 737
There was no message in it and has had a quite strong attachment named:
'PKCBLMPK.EXE'

Is this malware? Anyone knows this file? I didn't execute it yet...
Is it possible that relay01.kundenserver.de is an open relay?

Thanks for help and suggestions...

Max

---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com

Re: [suse-security] Mysterious Mail with uknown Attachment

AndriusD＠labas.com