Anyone trying to infect me?

I just received a mail that was sent from another customer at my ISP. All my personal virus triggers went off by looking at the layout, headers and attachment filename, but my - otherwise very good - virus scanner didn't notice anything out of the ordinary. I've submitted the sample to Sophos for testing and analyzing. Here's the mail - with stripped headers - as I received it.

Return-Path: <[email protected]>
Received: from inav004.isp.belgacom.be (inav004.isp.belgacom.be [195.238.3.237])
by ten.skynet.be (8.12.9/8.12.9/Skynet-MAILSTORE-2.14) with ESMTP id i1GBvUqB003912
for <adress stripped>; Mon, 16 Feb 2004 12:57:30 +0100
(envelope-from <>)
Received: from inas009.isp.belgacom.be (inas009.isp.belgacom.be [195.238.2.7])
by inav004.isp.belgacom.be (8.12.9/8.12.9/Skynet-IN-AV-2.02) with ESMTP id i1GBvFNw009099
for <adress stripped>; Mon, 16 Feb 2004 12:57:25 +0100
(envelope-from <>)
Received: from inmx002.isp.belgacom.be (inmx002.isp.belgacom.be [195.238.3.7])
by inas009.isp.belgacom.be (8.12.9/8.12.9/Skynet-IN-AS-2.03) with ESMTP id i1GBuxAq002937
for <adress stripped>; Mon, 16 Feb 2004 12:57:00 +0100
(envelope-from <>)
Received: from hurricane.skynet.be (hurricane.skynet.be [195.238.2.86])
by inmx002.isp.belgacom.be (8.12.9/8.12.9/Skynet-IN-PRIVATE-2.32) with ESMTP id i1GBuoYp026480
for <adress stripped>; Mon, 16 Feb 2004 12:56:51 +0100
(envelope-from <>)
Received: from THUISPC (187-17.240.81.adsl.skynet.be [81.240.17.187])
by hurricane.skynet.be (8.12.9/8.12.9/Skynet-OUT-2.21) with SMTP id i1GBuhBK026593
for <adress stripped>; Mon, 16 Feb 2004 12:56:43 +0100
(envelope-from <>)
Date: Mon, 16 Feb 2004 12:56:43 +0100
Message-Id: <[email protected]>
To: <adress stripped>
Subject: Is this the Smallest C++ MassMailer???
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_5_2356906.2356547"
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-RAVMilter-Version: 8.4.3(snapshot 20030212) (inav004.isp.belgacom.be)
X-RAVMilter-Version: 8.4.3(snapshot 20030212) (hurricane.skynet.be)
X-UIDL: 70a7d8db0f15950be1cca8ae9d477ab0
Status: U


Content-Type: text/plain;
charset:"iso-8859-1"


SoSmall, SoCold, SoNice, SoGood, SoWarm..


Attachment : Setup.zip
---------------------------------------

Could this be the next installment of the SoBig series? The "SoSmall, SoCold, SoNice, SoGood, SoWarm.." line could be a pointer, who knows? Anyway, what really confuses me is that neither my scanner nor the RAV solution that my ISP uses has detected anything strange. It passed all these checks without triggering anything - so it's either a brand-new, so far unknown virus, or a false alert.

Looking at the headers - and I'm not an expert at all - it tells me the thing has mailed itself from a broadband user to me, avoiding the ISP SMTP server to send itself. This leads me to believe that whatever lurks in setup.zip has its own SMTP engine...

I hope for the latter, but on the other hand, I'd be excited to know I helped stop a new epidemic.
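Added example, not code from the original post: a small Python parser that walks the Received chain quoted above (re-folded from two of its five hops, the delivery hop and the origin hop) and lists the traits of the origin hop that a mail admin would flag. The list of consumer access-pool name fragments is an assumption, not something the post states.

```python
import re

# Constructed sample: two of the five Received hops quoted above, re-folded
# as a mail store keeps them (the recipient address stays stripped).
RAW_HEADERS = """\
Received: from inav004.isp.belgacom.be (inav004.isp.belgacom.be [195.238.3.237])
\tby ten.skynet.be (8.12.9/8.12.9/Skynet-MAILSTORE-2.14) with ESMTP id i1GBvUqB003912
\tfor <adress stripped>; Mon, 16 Feb 2004 12:57:30 +0100 (envelope-from <>)
Received: from THUISPC (187-17.240.81.adsl.skynet.be [81.240.17.187])
\tby hurricane.skynet.be (8.12.9/8.12.9/Skynet-OUT-2.21) with SMTP id i1GBuhBK026593
\tfor <adress stripped>; Mon, 16 Feb 2004 12:56:43 +0100 (envelope-from <>)
"""

HOP_RE = re.compile(r"from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[\d.]+)\]\)\s+"
                    r"by (?P<by>\S+) .*?with (?P<proto>E?SMTP) id (?P<id>\S+)")
ENVELOPE_RE = re.compile(r"envelope-from <([^>]*)>")
# Assumed name fragments that ISPs commonly use for consumer access pools.
ACCESS_POOL_RE = re.compile(r"adsl|dsl|dial|cable|dyn|pool", re.I)

def unfold(raw):
    """Join RFC 2822 continuation lines (those that start with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line.startswith((" ", "\t")) and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(raw):
    """Return hops oldest-first: every MTA prepends its own Received line."""
    hops = []
    for line in unfold(raw):
        if line.startswith("Received:") and (m := HOP_RE.search(line)):
            hop = m.groupdict()
            env = ENVELOPE_RE.search(line)
            hop["envelope_from"] = env.group(1) if env else None
            hops.append(hop)
    hops.reverse()
    return hops

def origin_indicators(hops):
    """Traits of the first hop that point at a self-mailing client, not an MTA."""
    o, hits = hops[0], []
    if "." not in o["helo"]:
        hits.append("unqualified HELO name %r: a workstation, not a mail server" % o["helo"])
    if ACCESS_POOL_RE.search(o["rdns"]):
        hits.append("reverse DNS %s looks like a consumer access pool" % o["rdns"])
    if o["proto"] == "SMTP":
        hits.append("plain SMTP, no EHLO: typical of a minimal built-in mail engine")
    if o["envelope_from"] == "":
        hits.append("null envelope sender <> on a non-bounce message")
    return hits
```

`parse_received(RAW_HEADERS)` yields THUISPC -> hurricane.skynet.be first, and `origin_indicators` flags all four traits for that hop.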

This page contains a single entry by ServMe published on February 16, 2004 1:21 PM.