Annex - Security
Example of a "4-1-9 fraud" scam (also called 419 scam, or Nigerian scam) via autoscout.be, in annex-scam
Spam: in annex-spam
Some examples of viruses detected by NOD32 (and/or NAV) in emails or web pages
& messaging avatars - July-December 2006
1/ Win32/Surila.X trojan & Win32/VB.NEI worm - from AFRINIC, IP 212.96.25.236, in annex 1
2/ Win32/Bagle.gen.zip worm - from WANADOO France Telecom (Bayonne), in annex 2
3a/ Win32/Mydoom.R worm - in annex 3 (start: 21 September 2006 - end: 31 January 2007)
3d/ NewHeur_PE virus sent by one of our customers for analysis and advice.

The links in this message:
http://www.sailingworld.nl/media/news/http_www.humortadela.com.br/foto09_euevc.jpg%20%20%7c%20%20(%20Tipo%20-%20Imagem%20JPEG%20)%20.sCR

&

- humortadela.uol.com.br (200.221.9.18) - Universo Online S.A. - São Paulo - COMITE GESTOR DA INTERNET NO BRASIL
Volume statistics for this IP - 12/01/2007 - http://www.senderbase.org/search?searchString=200.221.9.18
  Last day:     magnitude 3.4 - volume change vs. average 24274%
  Last 30 days: magnitude 1.6 - volume change vs. average 326%
- www.sailingworld.nl (212.204.199.193) - Diverse-IT - Nico De boer - Linschotensingel 1da - 3525 XA - Utrecht - NL


File marked as "NewHeur_PE virus" was detected using broad heuristics because it contains parts of code typical of worm infiltrations spread over the internet. Using this method NOD32 was able to identify the worms Win32/Zafi.B, Win32/Mydoom.R, Win32/Bagle.X and many others.
4a/ Miscellaneous: booby-trapped web page
The antivirus message: (19/07/2006 - page that triggered the alert: not identified)


The infecting site: http://85.255.118.42/data/arr3.jar

85.255.118.42 - UKRAINE - INHOSTER HOSTING COMPANY - support@fwebhost.com
Real-time blacklists:
- dnsbl.sorbs.net: spam source - http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=85.255.118.42
- sbl.spamhaus.org - http://www.abuse.net/sbl.phtml?IP=85.255.118.42

Note: when searching Google for a reference to this IP, Norton Antivirus raises an alert:
Threat Found! - Bloodhound.Exploit.6
- File: ...\Temporary Internet Files\Content.IE5\29YB67KX\search[1].htm
Date found: vendredi 21 juillet 2006 9:57:11

Taken from a "Logfile of HijackThis v1.99.1" posted on a forum:
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file:// C:\\ foo.mht! http://85.255.118.42/data/on.chm::/on.exe
...
4b/ Miscellaneous: booby-trapped web page
The antivirus message: (14/11/2006 - page that triggered the alert: not identified) - JS/TrojanDownloader.Agent.BI trojan

85.255.117.174-xbox.dedi.inhoster.com (85.255.117.174) - OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine

Google: Trojan-Downloader.JS.Inor.a

5/ Miscellaneous: "isolated" viruses
- Win32/Surila.X trojan (American, Colorado)
- Variant of Win32/TrojanDownloader.Small.NIH + JS/TrojanDownloader.Tivso.gen (Chinese, Sichuan Province)
- Win32/Mydoom.R worm (French, Clermont-Ferrand)
008-2006G10: Win32/Surila.X trojan in a compressed (zip) file
Received: from mpls-qmqp-02.inet.qwest.net (unverified [63.231.195.113]) by
mail1.e-zone.net (Rockliffe SMTPRA 6.1.22) with ESMTP id
<B0009599204@web7.e-zone.net> for <vinosoft@acwebsa.com>; Mon,
10 Jul 2006 19:53:16 +0200
Received: from mpls-pop-02.inet.qwest.net (mpls-pop-02.inet.qwest.net
[63.231.195.2]) by mpls-qmqp-02.inet.qwest.net (Postfix) with QMQP id
48D41461449
for <vinosoft@acwebsa.com>; Mon, 10 Jul 2006 17:53:14 +0000 (UTC)
Received: from 71-213-189-44.albq.qwest.net (HELO NEWDELL) (71.213.189.44) by
mpls-pop-02.inet.qwest.net with SMTP; 10 Jul 2006 17:52:38 -0000
Received: from [191.132.81.53] (HELO ddxk) by NEWDELL with Microsoft
SMTPSVC(5.0.2195.6713); Mon, 10 Jul 2006 11:52:19 -0600
Date: Mon, 10 Jul 2006 11:32:19 -0600
Message-ID: <0c749e9511fa$417cb326$bb429e57@wqyemwvl>
From: "Postmaster" <noreply@acwebsa.com>
To: vinosoft@acwebsa.com
Subject: [virus Win32/Surila.X trojan]
status
X-NOD32Result: Infected, Win32/Surila.X trojan
Warning: NOD32 antivirus system found the following in the message: joke.zip -
Win32/Surila.X trojan - renamed to joke.vzip
Virus sender: 71.213.189.44 - USA - COLORADO - DENVER - QWEST COMMUNICATIONS CORPORATION
010-2006G11C: a variant of Win32/TrojanDownloader.Small.NIH trojan in a compressed (zip) file
Return-path: <core@movemail.com>
Received: from 212.35.125.162 (unverified [222.214.182.76])
by mail1.e-zone.net (Rockliffe SMTPRA 6.1.22) with SMTP id
<B0009671025@web7.e-zone.net> for <vinosoft@vinosoft.com>; Tue,
11 Jul 2006 18:01:36 +0200
Date: Tue, 11 Jul 2006 13:57:24 -0300
From: "Dave Gollick" <merchant@uk.worldpay.com>
Message-Id: <04882000.78463495@inflame>
To: vinosoft@vinosoft.com
Subject: [virus a variant of Win32/TrojanDownloader.Small.NIH trojan] [ORDER ID
0220712] WorldPay Chargeback
Hello - My name is Dave and I am from the Support of WorldPay. We have received
the payment order (ID 0220712,Receipt Date 09/07/2006) from you and we need to
make a verification of the details you have filled in, as we have received a
notice from your card service stating that there was a chargeback made by the
owner of the card with which you have made the payment and that your level of
authorization has been altered during your last transaction. This is a very
serious matter. We have deducted the amount of the chargeback, GBP 149.89, from
your account and added our standard fee of GBP 24.00 as well (you can see your
payment details in the attachment). We have failed to contact you using the
telephone number you have provided earlier, meeting no response. As a
precaution, we have limited access to your account in order to protect against
future unauthorized transactions.Please understand that this is a security
measure intended to help protect you and your personal information. Please
contact your credit card company to resolve this matter. Best Regards, Dave
Gollick - shopper@uk.worldpay.com
Warning: NOD32 antivirus system found the following in the
message:
ID 0220712.zip -
a variant of Win32/TrojanDownloader.Small.NIH trojan -
renamed to ID 0220712.vzip
ID 0220712.zip > ZIP > ID 0220712.exe - a variant of
Win32/TrojanDownloader.Small.NIH trojan
Virus sender: 222.214.182.76 - CHINA - SICHUAN - CHINANET SICHUAN PROVINCE NETWORK
Virus: http://vil.nai.com/vil/content/v_138968.htm
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc. - This downloader trojan is likely to be received as an attachment in a spammed out email message, masquerading as something to do with an account transfer. When run, it downloads and executes a remote file.
020-2006G18C: Win32/Mydoom.R worm in a compressed (zip) file
Return-path: <noreply@acwebsa.com>
Received: from acwebsa.com (unverified [83.113.200.123])
by mail1.e-zone.net (Rockliffe SMTPRA 6.1.22) with ESMTP id
<B0010205299@web7.e-zone.net> for <vinosoft@acwebsa.com>; Tue,
18 Jul 2006 22:20:02 +0200
Message-ID: <B0010205299@web7.e-zone.net>
From: "Post Office" <noreply@acwebsa.com>
To: vinosoft@acwebsa.com
Subject: [virus Win32/Mydoom.R worm]
Returned mail: Data format error
Date: Tue, 18 Jul 2006 22:19:57 +0200
Dear user of acwebsa.com,
Your account has been used to send a large amount of junk email during this
week.
Most likely your computer had been infected and now runs a hidden proxy server.
Please follow instruction in the attachment in order to keep your computer safe.
Have a nice day,
The acwebsa.com support team.
Warning: NOD32 antivirus system found the following in the message:
acwebsa.com.zip - Win32/Mydoom.R worm - renamed to
acwebsa.com.vzip
83.113.200.123 - FRANCE - AUVERGNE - CLERMONT-FERRAND - IP2000-ADSL-BAS
AClermont-Ferrand-251-1-9-123.w83-113.abo.wanadoo.fr (83.113.200.123)
The virus:
- http://www.eset.com/threat-center/pedia/cervy/mydoomr.htm
Win32/Mydoom.R is an e-mail worm for Microsoft Windows systems. Its file is approximately 28 kilobytes long, compressed by UPX. After decompression, its size is about 40kB. Upon execution the worm copies itself into %windir% using the name java.exe. It also saves a file called services.exe there. This file is a backdoor component that operates on TCP port 1034.
- NAV equivalent: W32.Mydoom.R@mm:
http://206.204.52.54/region/fr/techsupp/avcenter/venc/data/pf/fr-w32.mytob.r@mm.html
W32.Mytob.R@mm is a mass-mailing worm with backdoor functionality that uses its own SMTP engine to send email to the addresses it harvests from the compromised computer. The worm also spreads across the network by exploiting the buffer overflow vulnerability in the Microsoft Windows Local Security Authority service (described in Microsoft Security Bulletin MS04-011) and the buffer overflow in the Windows DCOM Remote Procedure Call (RPC) interface (described in Microsoft Security Bulletin MS03-026).
023-2006G19C: Win32/Mydoom.R worm in a compressed (zip) file
Return-path: <escoz@ieg.com.br>
Received: from ieg.com.br (unverified [83.113.201.51])
by mail1.e-zone.net (Rockliffe SMTPRA 6.1.22) with ESMTP id
<B0010297172@web7.e-zone.net> for <vinosoft@acwebsa.com>; Wed,
19 Jul 2006 22:10:10 +0200
Message-ID: <B0010297172@web7.e-zone.net>
From: escoz@ieg.com.br
To: vinosoft@acwebsa.com
Subject: [virus Win32/Mydoom.R worm]
Delivery reports about your e-mail
Date: Wed, 19 Jul 2006 22:09:58 +0200
... Dear user of acwebsa.com,
We have detected that your account has been used to send a large amount of junk
email messages during this week.
Most likely your computer was infected and now runs a trojan proxy server.
Please follow instruction in order to keep your computer safe.
Sincerely yours,
acwebsa.com user support team.
Warning: NOD32 antivirus system found the following in the message:
vinosoft@acwebsa.com.zip - Win32/Mydoom.R worm - renamed to
vinosoft@acwebsa.com.vzip
83.113.201.51 - FRANCE - AUVERGNE - CLERMONT-FERRAND - IP2000-ADSL-BAS
AClermont-Ferrand-251-1-10-51.w83-113.abo.wanadoo.fr (83.113.201.51)
2006G30: Win32/Surila.X trojan in a compressed (zip) file
Return-path: <MAILER-DAEMON@vinosoft.com>
Received: from home-c1z3oetmid (unverified [82.43.246.228]) by mail1.e-zone.net
(Rockliffe SMTPRA 6.1.22) with ESMTP id <B0011101181@web7.e-zone.net> for
<vinosoft@vinosoft.com>; Sun, 30 Jul 2006 23:50:12
+0200
Received: from [40.192.204.197] (port=7932
helo=rjhwdlz) by home-c1z3oetmid with SMTP for vinosoft@vinosoft.com ; Sun, 30
Jul 2006 22:49:34 +0100
Message-ID: <097fd92ca6fb$417ded34$b7f0510d@rqihw>
From: "Returned mail" <MAILER-DAEMON@vinosoft.com>
To: <vinosoft@vinosoft.com>
Subject: [virus Win32/Surila.X trojan] [virus
Win32/Surila.X trojan] delivery
Date: Sun, 30 Jul 2006 22:38:34 +0100
Old-X-NOD32Result: Infected, Win32/Surila.X trojan
X-NOD32Result: Infected, Win32/Surila.X trojan
Please read the attached document and follow it's instructions.
Warning: NOD32 antivirus system found the following in the message:
document/_full.zip - Win32/Surila.X trojan - renamed to document/_full.vzip
Virus sender: 40.192.204.197 - USA - INDIANA - INDIANAPOLIS - ELI LILLY AND COMPANY
40.192.204.197 - Eli Lilly and Company - Lilly Corporate Center - Indianapolis, IN - USA
Lilly news: 28 June 2006: ... jobs lost at Eli Lilly in Mont-Saint-Guibert / Eli Lilly closes Mont-Saint-Guibert

The management of the pharmaceutical company Eli Lilly announced, at an extraordinary works council meeting held at its Mont-Saint-Guibert site (Walloon Brabant), its intention to close the Mont-Saint-Guibert research and development site, which employs 330 people.
2006H07: HTML/Phishing.gen trojan in an htm file
Return-path: <arbd@0-0.com>
Received: from mail.0451.com (unverified [85.103.114.39])
by 162.128-26.125.35.212.in-addr.arpa (Rockliffe SMTPRA 7.0.3) with ESMTP id
<B0000547618@162.128-26.125.35.212.in-addr.arpa> for
<une_de_nos_adresses@emailonline.info>;
Mon, 7 Aug 2006 14:19:36 +0200
Message-ID: <B0000547618@162.128-26.125.35.212.in-addr.arpa>
From: "FIFTH THIRD bank, 2006" <customercare_170689.cust@53.com>
To: <une_de_nos_adresses@emailonline.info>
Subject: [virus HTML/Phishing.gen trojan] Fifth
Third Bank: Urgent Security Notification
Date: Mon, 7 Aug 2006 12:13:50 -0120
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_006A_01C6BA34.163314F0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1441
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-NOD32Result: Infected, HTML/Phishing.gen trojan
seem lull, monk hymn lull, give lay flat yulewail plat jab seep mere=20
purlgig bag Gaul pugdram feel fleeguy yode obus gild piny becausedon't=20
madbalm sitpumpGoth hostdun spaMr coal good most funk cape dell aunt=20
artchin XX reft gigsityak hoar ting noon lean gongholdgape by- yeavac=20
rockfussysell archfain heft plusnix cove pimp jar anusgram suet wile=20
flam pomp nap ma arch topwelt or cork null himlash area jilt tak rope=20
bush fast moot oglesee sled afar watchit dago pegtwin meal drab if shod=20
rock veal hadach airvan cove sake snub pax mall axis envy josh curexray=20
ajog, fry jok fen, sway tike pave willcatch gym veto art ell antcleg=20
foil snafu didbike wag odehulk wash meed go cabbag wadyJack shebeef=20
hellbashhog slewalum meetlife butt crack bow gamy aah bit bare smallrub=20
Jute gib pentailclub rock dibs nail chip mudsuitcab vanity highhump=20
beckmagemail barwake ran peltundo foci slob are kineropy vacuum ante sap=20
torn fro mag gull gaudjinn kip doff aloe dickbutt Jute tool tank kicky=20
bee pod cask duneconkout carp era cad heat slugcity !! dyke rill vat=20
gaff jet gel lodemine into uva nip moor burr ague toy hawk portmopy=20
dupe, cast boo soak, mien home rye wrentyre sod gray teem bat quagless=20
wax burr tigwind bark winduppick halo peso mate hoy supcart aidepram=20
dazemakepact didoup parmean care why lag lack mar ago peon bidelse pick=20
tire dunepictake York cab mell life tatbusttote shed thanthud=20
tonymealamid earnbur amie kentdrink orgy craw lop kerntop nee gyp iron=20
gray came chow par pitrack mood pane that lastpelt chew hull sol sail=20
rake sum loan fusegulf curd gasp fame now tyrepang dopout lab nog raid=20
re wax bull turngutsy re- home mash God carp boat bin beg data
Warning: NOD32 antivirus system found the following in the message: part001.htm
- HTML/Phishing.gen trojan
Referenced link: http://www.53.com.wps.portal.secure.xyz00.st/context/

Sender of the phishing trojan:
85.103.114.39 - Turk Telekom ADSL-alcatel dynamic - TT Administrative Contact Role - Turk Telekom - Bilisim Aglari Dairesi - Aydinlikevler - 06103 ANKARA - abuse@ttnet.net.tr
Phishing site:
www.53.com.wps.portal.secure.xyz00.st (200.86.130.63) - Name: pc-63-130-86-200.cm.vtr.net - VTR BANDA ANCHA S.A. - Reyes Lavalle, 3340, 4th floor - 6760335 - Santiago - Chile - Italo Sambuceti Oyarzún - isambuce@VTR.CL
200.86.130.63 - CHILE - VALPARAISO - VIÑA DEL MAR - VTR BANDA ANCHA S.A
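The hostname in the referenced link is built so that the bank's real domain, 53.com, is what the eye reads first, while the part the operator actually registered is the last two labels, xyz00.st. As an added example that is not part of the original page, the following Python reduces a URL to its registrable domain and flags a brand domain that appears only to the left of it; the inputs are constructed from the link and the IP quoted above. It deliberately uses a two-label rule instead of a public-suffix list, which is an assumption that would misjudge names under suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Constructed inputs: the link quoted in the 2006H07 sample above and the
# brand it imitates.
PHISHING_URL = "http://www.53.com.wps.portal.secure.xyz00.st/context/"
BRAND_DOMAIN = "53.com"


def hostname(url: str) -> str:
    """Host part of a URL, lower-cased, without a trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_ipv4_literal(host: str) -> bool:
    """True for a bare dotted-quad host such as the 200.86.130.63 phishing site."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)


def registrable_domain(host: str) -> str:
    """The part the operator actually registered.

    Simplification (assumption): the last two labels.  Without a public-suffix
    list 'example.co.uk' would come out as 'co.uk'; enough to expose this trick."""
    if is_ipv4_literal(host):
        return host
    return ".".join(host.split(".")[-2:])


def brand_in_subdomain(host: str, brand: str) -> bool:
    """True when the brand's domain is spelled out LEFT of the registrable domain."""
    brand = brand.lower()
    reg = registrable_domain(host)
    if reg == brand or is_ipv4_literal(host):
        return False                      # genuinely the brand, or no name at all
    prefix = host[: len(host) - len(reg)].rstrip(".")   # labels left of reg
    return f".{brand}." in f".{prefix}."


def assess(url: str, brand: str) -> dict:
    """Summary a filter or analyst can act on for one URL."""
    host = hostname(url)
    return {
        "host": host,
        "registrable": registrable_domain(host),
        "ip_literal": is_ipv4_literal(host),
        "lookalike": brand_in_subdomain(host, brand),
    }


if __name__ == "__main__":
    for url in (PHISHING_URL, "https://www.53.com/login", "http://200.86.130.63/context/"):
        print(assess(url, BRAND_DOMAIN))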
HTML/Phishing.gen trojan: other examples stopped by NOD32 and/or Spamihilator (August 2006)
- 23/08/2006
- 23/08/2006 - 24/08/2006
- 28/08/2006

2006H09: Win32/Surila.X trojan in a compressed (zip) file
Return-path: <NealO@core.com>
Received: from lmusngi.ncca.gov.ph (unverified [222.126.1.242])
by 162.128-26.125.35.212.in-addr.arpa (Rockliffe SMTPRA 7.0.3) with ESMTP id
<B0000760627@162.128-26.125.35.212.in-addr.arpa> for <vinosoft@vinosoft.com>;
Wed, 9 Aug 2006 09:28:42 +0200
Received: from [229.52.253.216] (HELO jadums) by
lmusngi.ncca.gov.ph with Microsoft SMTPSVC(5.0.2195.6713);
Wed, 9 Aug 2006 15:24:52 +0800
Message-ID: <00497feff4bf$418182b4$9b47eb29@acehkc>
From: "Tomas Snyder" <NealO@core.com>
To: <vinosoft@vinosoft.com>
Subject: [virus Win32/Surila.X trojan] Hi!
Date: Wed, 9 Aug 2006 15:03:52 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0D5C_4766F26A.04A5AF0E"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-NOD32Result: Infected, Win32/Surila.X trojan
Look it through
Warning: NOD32 antivirus system found the following in the message:
price2005.zip - Win32/Surila.X trojan - renamed to
price2005.vzip
Virus sender: 222.126.1.242 - PHILIPPINES - MANILA - NATIONAL COMMISSION FOR CULTURE AND ARTS
adsl-126.1.242.info.com.ph (222.126.1.242) - National Commission for Culture and Arts - GF NCCA Bldg Gen A Luna St Intramuros - MANILA - Fina Yonson - rbdavid@pldt.com.ph
2006I07a: NOD32: Win32/Lovgate.Z worm in compressed (zip) or .scr files


08:06 - Return-path: <sales@nero.com>
Received: from nero.com (unverified [85.101.230.101])
by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id
<B0004837512@mail.register.be> for <vinosoft@vinosoft.com>; Thu,
7 Sep 2006
08:06:33 +0200
Message-ID: <B0004837512@mail.register.be>
From: sales@nero.com
To: vinosoft@vinosoft.com
Subject: [virus Win32/Lovgate.Z worm] test
Date: Thu, 7 Sep 2006 09:06:08 +0300
X-NOD32Result: Infected, Win32/Lovgate.Z worm
Mail failed. For further assistance, please contact!
Warning: NOD32 antivirus system found the following in the message: text.zip -
Win32/Lovgate.Z worm
Content-Type: application/octet-stream; name="text.zip"
10:54 - Return-path: <winrar@orazytio.com>
Received: from orazytio.com (unverified [85.101.230.101]) by mail.register.be
(Rockliffe SMTPRA 7.0.3) with ESMTP id <B0004871524@mail.register.be> for
<vinosoft@vinosoft.com>; Thu, 7 Sep 2006 10:54:53 +0200
Message-ID: <B0004871524@mail.register.be>
From: winrar@orazytio.com
To: vinosoft@vinosoft.com
Subject: [virus Win32/Lovgate.Z worm] test
11:12 - Return-path: <poiulkjh@www.legaction.com>
Received: from www.legaction.com (unverified [85.101.230.101])
by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id
<B0004876336@mail.register.be> for <sam@vinosoft.com>; Thu, 7 Sep 2006 11:12:33
+0200
Message-ID: <B0004876336@mail.register.be>
From: poiulkjh@www.legaction.com
To: sam@vinosoft.com
Subject: [virus Win32/Lovgate.Z worm] TEST
11:22 - Return-path: <beans@members.collegefucktour.com>
Received: from members.collegefucktour.com (unverified [85.101.230.101])
by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id
<B0004878443@mail.register.be> for <brent@vinosoft.com>; Thu, 7 Sep 2006
11:22:14 +0200
Message-ID: <B0004878443@mail.register.be>
From: beans@members.collegefucktour.com
To: brent@vinosoft.com
Subject: [virus Win32/Lovgate.Z worm] Test
11:41 - Return-path: <webtrance@cox.net>
Received: from cox.net (unverified [85.101.230.101])
by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id
<B0004882492@mail.register.be> for <linda@vinosoft.com>; Thu, 7 Sep 2006
11:41:14 +0200
Message-ID: <B0004882492@mail.register.be>
From: webtrance@cox.net
To: linda@vinosoft.com
Subject: [virus Win32/Lovgate.Z worm] Server
Report
Date: Thu, 7 Sep 2006 12:41:00 +0300
These 5 viruses come from the same Turkish IP:
85.101.230.101 - TR - TURKEY - ISTANBUL - ISTANBUL - TURKTELEKOM
85.101.230.101: Turk Telekom ADSL-200K_2
http://cbl.abuseat.org/lookup.cgi?ip=85.101.230.101 : IP Address 85.101.230.101 was found in the CBL. - It was detected at 2006-09-06 15:00 GMT
The "Win32/Lovgate.Z" beast: http://www.viruslist.com/fr/viruses/encyclopedia?virusid=48907
2006I07b: NOD32: Turkish Win32/Lovgate.Z worm in compressed (zip) or .scr files: continued
12:59 - Return-path:
<golden@members.thugsandjuggs.com>
Received: from members.thugsandjuggs.com (unverified [85.101.230.101]) by
mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id
<B0004901233@mail.register.be> for <debby@vinosoft.com>; Thu, 7 Sep 2006
12:59:50 +0200
Message-ID: <B0004901233@mail.register.be>
From: golden@members.thugsandjuggs.com
To: debby@vinosoft.com
Subject: [virus Win32/Lovgate.Z worm] hello
13:52 - Return-path:
<sandra@www.spreaditwide.com>
Received: from www.spreaditwide.com (unverified [85.101.230.101])
by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id
<B0004914864@mail.register.be> for <peter@vinosoft.com>; Thu, 7 Sep 2006
13:52:41 +0200
Message-ID: <B0004914864@mail.register.be>
From: sandra@www.spreaditwide.com
To: peter@vinosoft.com
Subject: [virus Win32/Lovgate.Z worm] test
14:33 - Return-path:
<indabag@members.collegefucktour.com>
X-Spam-Score: 0
Received: from members.collegefucktour.com (unverified [85.101.230.101])
by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id
<B0004926324@mail.register.be> for <kevin@vinosoft.com>; Thu, 7 Sep 2006
14:33:02 +0200
Message-ID: <B0004926324@mail.register.be>
From: indabag@members.collegefucktour.com
To: kevin@vinosoft.com
Subject: [virus Win32/Lovgate.Z worm] Hi
Infected message on YAHOO Messenger
From: Manuel COELHO <mcoelho@dclux.com>
To: "our_address"@yahoo.fr
Sent: Wednesday, 14 June 2006, 7:01:35
Subject: Secure Message from Yahoo.com user.
Warning: NOD32 antivirus system found the following in the message:
data.zip - JS/TrojanDownloader.Tivso.gen trojan - renamed to data.vzip
data.zip > ZIP > Secure E-mail File.hta -
JS/TrojanDownloader.Tivso.gen trojan - is a part of the renamed
object
The virus: http://www.sophos.fr/security/analyses/w32feebsaa.html
6/ Miscellaneous: messaging avatars
2006G11B: avatar
Notification from a Canadian postmaster (MAILER-DAEMON) that a message we supposedly sent could not be delivered.
Our supposed message was actually sent by an American, spoofing our address, to vinodv@oanet.com (an invalid address); the subject of the message is pornography-related; it refers to http://luvratsan.info, which is an invalid URL: Unable to resolve hostname luvratsan.info to IP address (SmartWhois) - the domain is unreachable but is nonetheless known to Google under the SPAM heading.
The notification:
Return-Path: <> - Received: from moe.oanet.com (moe.oanet.com [204.209.13.53])
by inmx004.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP
id k6BF60js011508 for <vinosoft@skynet.be>; Tue, 11 Jul 2006 17:06:00 +0200
(envelope-from <>)
Received: from localhost (localhost) by moe.oanet.com (8.11.5/8.11.3) id
k6BF1Ww27819; Tue, 11 Jul 2006 09:01:32 -0600 (MDT) (envelope-from
MAILER-DAEMON) - Date: Tue, 11 Jul 2006 09:01:32 -0600 (MDT)
From: Mail Delivery Subsystem <MAILER-DAEMON@moe.oanet.com>
Message-Id: <200607111501.k6BF1Ww27819@moe.oanet.com>
To: <vinosoft@skynet.be>
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
X-UIDL: 000000000019d788.00006f40
X-MSP-STORE: Tue, 11 Jul 2006 17:06:08 +0200
Status: RO - The original message was received at Tue, 11 Jul 2006 09:01:20
-0600 (MDT) from 201-15-77-184.bsace704.dsl.brasiltelecom.net.br [201.15.77.184]
(may be forged) ----- The following addresses had permanent fatal errors -----
<vinodv@oanet.com> (reason: 550 5.1.1 <vinodv@oanet.com>... User unknown) -----
Transcript of session follows ----- .... while talking to mars.oanet.com.: >>>
RCPT To:<vinodv@oanet.com> <<< 550 5.1.1 <vinodv@oanet.com>... User unknown -
550 5.1.1 <vinodv@oanet.com>... User unknown
Reporting-MTA: dns; moe.oanet.com
Received-From-MTA: DNS; 201-15-77-184.bsace704.dsl.brasiltelecom.net.br -
Arrival-Date: Tue, 11 Jul 2006 09:01:20 -0600 (MDT)
Final-Recipient: RFC822; vinodv@oanet.com
Action: failed - Status: 5.1.1 - Remote-MTA: DNS; mars.oanet.com
Diagnostic-Code: SMTP; 550 5.1.1 <vinodv@oanet.com>... User unknown -
Last-Attempt-Date: Tue, 11 Jul 2006 09:01:32 -0600 (MDT)
Postmaster notification from: 204.209.13.53 - CANADA - ALBERTA - ST. ALBERT - OA INTERNET INC - oanet.com (204.209.13.254)
oanet.com redirects to www.mdci.ca (139.142.239.32): Group Telecom, A Bell Canada Division
Our supposed message:
Return-Path: <vinosoft@skynet.be>
Received: from moe.oanet.com (201-15-77-184.bsace704.dsl.brasiltelecom.net.br
[201.15.77.184] (may be forged)) by moe.oanet.com (8.11.5/8.11.3) with SMTP id
k6BF1Kw27749 for <vinodv@oanet.com>; Tue, 11 Jul 2006
09:01:20 -0600 (MDT) (envelope-from vinosoft@skynet.be)
Received: from in.mx.skynet.be by
201-15-77-184.bsace704.dsl.brasiltelecom.net.br (Exim 4.05) with ESMTP id
AWmtyLr2TfnsG for <vinodv@oanet.com>; Tue, 11 Jul 2006 15:05:06 -0300
Received: from [149.56.172.108] by in.mx.skynet.be
with ESMTP (8.12.3 da nor stuldap/8.12.3) id BR2CnpibcPxyS for
<vinodv@oanet.com>; Tue, 11 Jul 2006 14:58:43 -0300
Reply-to: "vinosoft@skynet.be" <vinosoft@skynet.be>
From: "vinosoft@skynet.be" <vinosoft@skynet.be>
Date: Tue, 11 Jul 2006 14:51:49 -0300
Message-ID: gaKPGBqKolwDN.DnEGu7A8MC1bE@skynet.be
To: vinodv@oanet.com
<!--TEXT--> <A
href="http://luvratsan.info/pg/007/">http://luvratsan.info/pg/007/</A><BR> @lexa
May gets fucked t0
Spoofer of our address: 149.56.172.108 - USA - CALIFORNIA - ANAHEIM - SUITE SOFTWARE
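Both the sender identifications used throughout the samples above (71.213.189.44 in 008-2006G10, for instance) and the spoofing shown in this bounce rest on reading the Received: chain from the top down. As an added example that is not part of the original page, the following Python parses such a chain and stops at the first line written by a host we do not trust: each Received line is written by its "by" host, so everything below the first untrusted one, here the "from in.mx.skynet.be" and "from [149.56.172.108]" lines, was written by machines outside our control and cannot be verified. The two header samples are copied from this page and re-folded as RFC 5322 continuation lines; the trusted domains and the outbound address 192.0.2.10 are assumptions (placeholders, not values from the page).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed samples: the Received chains quoted on this page (008-2006G10 and
# the forged "our" message returned in the 2006G11B bounce), re-folded with
# leading whitespace on continuation lines.
SAMPLE_008 = """\
Received: from mpls-qmqp-02.inet.qwest.net (unverified [63.231.195.113]) by
  mail1.e-zone.net (Rockliffe SMTPRA 6.1.22) with ESMTP id
  <B0009599204@web7.e-zone.net> for <vinosoft@acwebsa.com>; Mon,
  10 Jul 2006 19:53:16 +0200
Received: from mpls-pop-02.inet.qwest.net (mpls-pop-02.inet.qwest.net
  [63.231.195.2]) by mpls-qmqp-02.inet.qwest.net (Postfix) with QMQP id
  48D41461449 for <vinosoft@acwebsa.com>; Mon, 10 Jul 2006 17:53:14 +0000 (UTC)
Received: from 71-213-189-44.albq.qwest.net (HELO NEWDELL) (71.213.189.44) by
  mpls-pop-02.inet.qwest.net with SMTP; 10 Jul 2006 17:52:38 -0000
Received: from [191.132.81.53] (HELO ddxk) by NEWDELL with Microsoft
  SMTPSVC(5.0.2195.6713); Mon, 10 Jul 2006 11:52:19 -0600
From: "Postmaster" <noreply@acwebsa.com>
Subject: [virus Win32/Surila.X trojan] status
"""

SAMPLE_G11B = """\
Received: from moe.oanet.com (201-15-77-184.bsace704.dsl.brasiltelecom.net.br
  [201.15.77.184] (may be forged)) by moe.oanet.com (8.11.5/8.11.3) with SMTP id
  k6BF1Kw27749 for <vinodv@oanet.com>; Tue, 11 Jul 2006 09:01:20 -0600 (MDT)
Received: from in.mx.skynet.be by
  201-15-77-184.bsace704.dsl.brasiltelecom.net.br (Exim 4.05) with ESMTP id
  AWmtyLr2TfnsG for <vinodv@oanet.com>; Tue, 11 Jul 2006 15:05:06 -0300
Received: from [149.56.172.108] by in.mx.skynet.be
  with ESMTP (8.12.3 da nor stuldap/8.12.3) id BR2CnpibcPxyS for
  <vinodv@oanet.com>; Tue, 11 Jul 2006 14:58:43 -0300
From: "vinosoft@skynet.be" <vinosoft@skynet.be>
To: vinodv@oanet.com
"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
FROM_BY = re.compile(r"\s*from\s+(.*?)\s+by\s+(\S+)", re.S)


@dataclass
class Hop:
    from_part: str       # text between "from" and "by": name, HELO, IP literal
    by_host: str         # the server that wrote this Received line
    ip: Optional[str]    # first IPv4 literal found in from_part


def unfold(raw: str) -> List[str]:
    """Join folded continuation lines (leading whitespace) onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def received_hops(raw: str) -> List[Hop]:
    """All 'Received: from X by Y' headers, most recent first (as in the message)."""
    hops: List[Hop] = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        m = FROM_BY.match(line[len("received:"):])
        if not m:            # e.g. qmail's "Received: (qmail ... invoked ...)"
            continue
        ips = IPV4.findall(m.group(1))
        hops.append(Hop(m.group(1), m.group(2), ips[0] if ips else None))
    return hops


def is_trusted(host: str, trusted_domains: Set[str]) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def origin_ip(hops: List[Hop], trusted_domains: Set[str]) -> Optional[str]:
    """IP recorded by the lowest Received line written by a server we trust.

    Walking down from our own MX, lines written by trusted hosts are verifiable;
    the first line written by an unknown host (typically the sender's own
    machine) and everything below it may be fabricated, so the walk stops."""
    origin = None
    for hop in hops:
        if not is_trusted(hop.by_host, trusted_domains):
            break
        origin = hop.ip or origin
    return origin


def is_backscatter(returned_msg: str, trusted_domains: Set[str],
                   our_outbound_ips: Set[str]) -> bool:
    """True when the 'original' inside a bounce verifiably did not leave our servers."""
    ip = origin_ip(received_hops(returned_msg), trusted_domains)
    return ip is not None and ip not in our_outbound_ips


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_008):
        print(f"{hop.ip or '-':16} written by {hop.by_host}")
    print("origin:", origin_ip(received_hops(SAMPLE_008), {"e-zone.net", "qwest.net"}))
    # 192.0.2.10 is a placeholder for our real outbound address (not on the page).
    print("backscatter:", is_backscatter(SAMPLE_G11B, {"oanet.com"}, {"192.0.2.10"}))
```

Run stand-alone, it lists the four hops of the first sample, reports 71.213.189.44 as the last hop written by a trusted relay, and classifies the bounced "original" of 2006G11B as backscatter because the only verifiable hop (201.15.77.184, recorded by oanet.com itself) is not one of our outbound addresses. A fuller check would also match the bounce's returned Message-ID and Date against the outgoing mail log, which this page does not include.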
2006G17A: avatar very similar to 2006G11B (above)
Notification from a Canadian postmaster (MAILER-DAEMON, Edmonton) that a message we supposedly sent could not be delivered.
Our supposed message was actually sent by a Bulgarian, spoofing our address, to vinodv@oanet.com (an invalid address); the subject of the message is pornography-related; it refers to http://kvasilka.info, which is an invalid URL: Unable to resolve hostname kvasilka.info to IP address (SmartWhois), although Google lists it in the SPAM category.
The notification - From: Mail Delivery Subsystem <MAILER-DAEMON@smtp2.moderndigital.net> - 204.209.13.27

Our supposed message - Received: from smtp2.moderndigital.net (chirpan.pld.easy-lan.net [85.130.119.35])


85.130.119.35 - BULGARIA - DINEKS LTD
2006G12C: avatar (address spoofing)
Notification from the Hotmail postmaster that a message we supposedly sent could not be delivered.
Our supposed message was actually sent by an American, assigning "our_address@hotmail.com" to the sender "Liza Stringer", addressed to "our_address@hotmail.com" with copies to 11 "vino_something@hotmail.com" addresses; the message is advertising for fake diplomas.
Our supposed message:
Received:
from 49D7B8A0 ([68.186.243.153]) by bay0-mc10-f9.bay0.hotmail.com with Microsoft
SMTPSVC(6.0.3790.2444); Wed, 12 Jul 2006 16:26:26
-0700
Received: from 68.186.243.153 (EHLO c19.groups.msn.com) (68.186.243.153) by
68.186.243.153 with SMTP; Wed, 12 Jul 2006 16:29:07 -0800
Received: from mail pickup service by c10.groups.msn.com with Microsoft SMTPSVC;
Message-ID: <345o587k.5141529@yahoo.com>
DomainKey-Signature: a=rsa-sha1; q=dns;
c=nofws; s=rowland.jimenez; d=yahoo.com;
b=fCEbD6njcwaGZx9IQHlNvAuySzkIFtBaIPw83A7CYS7fRzyjIzSJIEuJ2ULoljOwwi198xeGrbw6hYwIIyxWhpY0;
Date: Wed, 12 Jul 2006 16:29:07 -0800
From: "Liza Stringer" <vinosoft@hotmail.com>
To: vinosoft@hotmail.com
Cc: vinot1@hotmail.com, vinoth15@hotmail.com,
vinoth16@hotmail.com, vinoth25683@hotmail.com, vinothst@hotmail.com,
vinotinto69@hotmail.com, vinotinto9@hotmail.com, vinoul@hotmail.com,
vinoverities@hotmail.com, vinovi@hotmail.com, vinovin@hotmail.com
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: stop the stress, get a degree, make more
money
Content-return: allowed
X-Mailer: devMail.Net (3.2.2205.9936-2)
X-Authentication-Warning: localhost.localdomain: apache
set sender to vinosoft@hotmail.com using -f
X-Virus-Scanned: amavisd-new at yahoo.com
X-Rocket-Track: -50 ; IPCR=w-w100,n0,g0
Return-Path: vinosoft@hotmail.com
X-OriginalArrivalTime: 12 Jul 2006 23:26:29.0216 (UTC)
FILETIME=[9A1DB600:01C6A60A]
Spoofer of our address: 68-186-243-153.dhcp.oxfr.ma.charter.com, 68.186.243.153 - USA - MASSACHUSETTS - STURBRIDGE - CHARTER COMMUNICATIONS
X-Mailer: devMail.Net: devMail.Net is the most powerful email component for .NET developers.
2006i29: avatars (several of the same type, the same day)
Notification from the postmaster [MAILER-DAEMON@securmail.net] that a message we supposedly sent could not be delivered because the sender address is invalid
Origin of the postmaster's message: 194.2.153.45 - FRANCE - THELIS
Which is indeed the postmaster of: (screenshot)

Our supposed message was actually sent by a Turk, under the pseudonym "Edith Hopkins", inventing a non-existent address on our domain (opiu@vinosoft.be), addressed to chavez@provence-campings.com (an invalid address in a perfectly real domain); the content of the message is "classic" spam of the "market news, scams" type:
Return-Path: <opiu@vinosoft.be> - Received: from
dsl.dynamic859665253.ttnet.net.tr (dsl.dynamic859665253.ttnet.net.tr
[85.96.65.253] (may be forged)) by securmail.net (8.12.10/8.12.10/SuSE Linux
0.7) with SMTP id k8THpK6N014990 for <chavez@provence-campings.com>; Fri, 29 Sep
2006 19:51:20 +0200
Received: from [85.96.138.69] (helo=kqiygw)
by dsl.dynamic859665253.ttnet.net.tr with smtp
(Exim 4.43) id 1GTMWd-0006bm-0F; Fri, 29 Sep 2006 20:51:51 +0300 - Message-ID:
<002101c6e3ef$de05f8d7$458a6055@kqiygw>
From: "Edith Hopkins" <opiu@vinosoft.be>
To: <chavez@provence-campings.com>
Subject: close
Date: Fri, 29 Sep 2006 20:48:37 +0300
Sender of the fake message: 85.96.138.69 - TURKEY - ISTANBUL - ADSL-ALC-ATAKOY-DYNAMIC POOL
2006i30: avatar identical to the previous one (2006i29) - several of the same type, on the following days

Example:
Notification from IBM's postmaster [MAILER-DAEMON@westrelay02.boulder.ibm.com] that a message we supposedly sent could not be delivered because the sender address is invalid; note: the address xyniku@vinosoft.com does not exist.
Received: from e31.co.us.ibm.com (unverified
[32.97.110.149]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id
<B0009407369@mail.register.be> for <xyniku@vinosoft.com>;
Sat, 30 Sep 2006 17:52:40 +0200
Received: from westrelay02.boulder.ibm.com (westrelay02.boulder.ibm.com
[9.17.195.11]) by e31.co.us.ibm.com (8.13.8/8.12.11) with ESMTP id
k8UFqNxT010207 for <xyniku@vinosoft.com>; Sat, 30 Sep 2006 11:52:23 -0400
Received: from d03av04.boulder.ibm.com (d03av04.boulder.ibm.com [9.17.195.170])
by westrelay02.boulder.ibm.com (8.13.6/8.13.6/NCO v8.1.1) with ESMTP id
k8UFpK8w342298 for <xyniku@vinosoft.com>; Sat, 30 Sep 2006 09:51:20 -0600
Received: from localhost (localhost) by d03av04.boulder.ibm.com
(8.12.11.20060308/8.13.3) id k8UFpKbK023288;
Sat, 30 Sep 2006 09:51:20 -0600
Date: Sat, 30 Sep 2006 09:51:20 -0600
From: Mail Delivery Subsystem <MAILER-DAEMON@westrelay02.boulder.ibm.com>
Our supposed message was actually sent by a Portuguese sender, under the pseudonym "Ed Patel", inventing a non-existent address on our domain (xyniku@vinosoft.com), addressed to directo@vnet.ibm.com (an invalid address in a perfectly real domain); the content of the message is "classic" spam of the "market news, scams" type:
Return-Path: <xyniku@vinosoft.com>
Received: from d03av04.boulder.ibm.com (loopback [127.0.0.1]) by
d03av04.boulder.ibm.com (8.12.11.20060308/8.13.3) with ESMTP id k8UFpKbK023286
for <directo@vnet.ibm.com>; Sat, 30 Sep 2006 09:51:20 -0600
Received: from d03as01.boulder.ibm.com (d03as01 [9.17.195.252]) by
d03av04.boulder.ibm.com (8.12.11.20060308/8.12.11) with ESMTP id k8UFpKuf023283
for <directo@vnet.ibm.com>; Sat, 30 Sep 2006 09:51:20 -0600
Received: from e31.co.us.ibm.com ([9.17.249.41]) by d03as01.boulder.ibm.com
(8.12.11.20060308/8.12.11) with ESMTP id k8UFpJOR015217 (version=TLSv1/SSLv3
cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <directo@vnet.ibm.com>; Sat,
30 Sep 2006 09:51:19 -0600
Received: from bl8-46-135.dsl.telepac.pt (bl8-46-135.dsl.telepac.pt
[85.241.46.135]) by e31.co.us.ibm.com (8.13.8/8.13.8) with SMTP id
k8UFp92I008225 for <directo@vnet.ibm.com>; Sat, 30 Sep 2006 11:51:11 -0400
Received: (qmail 11851 invoked from network); Sat, 30 Sep 2006 16:53:04 +0100
Received: from unknown (HELO 85.241.41.57) (85.241.41.57)
by bl8-46-135.dsl.telepac.pt with SMTP; Sat, 30 Sep 2006
16:53:04 +0100
Message-ID: <451E9260.3070209@berufskolleg-olsberg.de>
Date: Sat, 30 Sep 2006 16:50:56 +0100
From: Ed Patel <xyniku@vinosoft.com>
User-Agent: Thunderbird 1.5.0.7 (Windows/20060909)
MIME-Version: 1.0
To: directo@vnet.ibm.com
Subject: crawl levy
Sender of the fake message: 85.241.41.57 - PORTUGAL - PT.COM - COMUNICACOES INTERACTIVAS S.A
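To show how the origin above is read off the Received: chain, here is an added Python example (not the page author's code): it walks the quoted headers from the bottom up, skips loopback and private hops, and returns the first public IP together with the relay that recorded it. The header list is copied from the bounce above and re-joined onto one line per header.

```python
import ipaddress
import re

# Received: values of the spoofed "Ed Patel" message quoted above, copied from
# the bounce and re-joined onto one line per header (top = latest hop).
RECEIVED_HEADERS = [
    "from d03av04.boulder.ibm.com (loopback [127.0.0.1]) by d03av04.boulder.ibm.com "
    "(8.12.11.20060308/8.13.3) with ESMTP id k8UFpKbK023286 for <directo@vnet.ibm.com>",
    "from d03as01.boulder.ibm.com (d03as01 [9.17.195.252]) by d03av04.boulder.ibm.com "
    "(8.12.11.20060308/8.12.11) with ESMTP id k8UFpKuf023283 for <directo@vnet.ibm.com>",
    "from e31.co.us.ibm.com ([9.17.249.41]) by d03as01.boulder.ibm.com "
    "(8.12.11.20060308/8.12.11) with ESMTP id k8UFpJOR015217 for <directo@vnet.ibm.com>",
    "from bl8-46-135.dsl.telepac.pt (bl8-46-135.dsl.telepac.pt [85.241.46.135]) "
    "by e31.co.us.ibm.com (8.13.8/8.13.8) with SMTP id k8UFp92I008225",
    "(qmail 11851 invoked from network); Sat, 30 Sep 2006 16:53:04 +0100",
    "from unknown (HELO 85.241.41.57) (85.241.41.57) "
    "by bl8-46-135.dsl.telepac.pt with SMTP; Sat, 30 Sep 2006 16:53:04 +0100",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_hop(header):
    """Split one Received: value into the claimed sender name, its IP and the
    receiving host. Lines without a 'from ... by ...' pair (qmail's 'invoked
    from network') carry no hop and yield None."""
    m = re.match(r"from\s+(\S+)(.*?)\s+by\s+(\S+)", header)
    if not m:
        return None
    ips = IPV4.findall(m.group(2))  # only the part before 'by' describes the peer
    return {"from": m.group(1), "ip": ips[-1] if ips else None, "by": m.group(3)}


def trace_origin(headers):
    """Walk the chain from the earliest hop (bottom) upwards and return
    (origin_ip, first_relay) for the first hop carrying a public, non-loopback
    IP. The 'from' names are written by the sender and may be forged; only the
    IP recorded by a relay you trust is evidence of where the mail came from."""
    for header in reversed(headers):
        hop = parse_hop(header)
        if hop is None or hop["ip"] is None:
            continue
        addr = ipaddress.ip_address(hop["ip"])
        if addr.is_loopback or addr.is_private:
            continue
        return hop["ip"], hop["by"]
    return None, None


if __name__ == "__main__":
    print(trace_origin(RECEIVED_HEADERS))  # ('85.241.41.57', 'bl8-46-135.dsl.telepac.pt')
```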
Other senders of the "2006i30" fake messages that could not be delivered because of an invalid address:

| IP | Country | Region | City | Provider |
|---|---|---|---|---|
| 64.136.137.103 | USA | CALIFORNIA | CAMARILLO | SKYPIPELINE.COM |
| 69.141.180.115 | USA | PENNSYLVANIA | MARCUS HOOK | COMCAST CABLE COMMUNICATIONS INC |
| 87.1.135.122 | ITALY | TOSCANA | FLORENCE | TELECOM ITALIA S.P.A. TIN EASY LITE |
| 80.230.50.223 | ISRAEL | TEL AVIV | TEL AVIV | IG ADSL COSTUMERS |
| 201.67.234.171 | BRAZIL | | | COMITE GESTOR DA INTERNET NO BRASIL |
| 201.67.55.47 | BRAZIL | | | COMITE GESTOR DA INTERNET NO BRASIL |
| 82.131.25.181 | ESTONIA | TARTUMAA | TARTU | STARMAN-CLIENTS |
| 210.193.3.44 | SINGAPORE | SINGAPORE | SINGAPORE | QALA SINGAPORE PTE LTD |
| 87.219.144.202 | SPAIN | CATALUÑA | BARCELONA | JAZZTEL TRIPLE PLAY SERVICES |
| 87.219.113.237 | SPAIN | CATALUÑA | BARCELONA | JAZZTEL TRIPLE PLAY SERVICES |
| 87.219.108.102 | SPAIN | CATALUÑA | BARCELONA | JAZZTEL TRIPLE PLAY SERVICES |
| 87.219.104.105 | SPAIN | CATALUÑA | BARCELONA | JAZZTEL TRIPLE PLAY SERVICES |
| 61.90.118.170 | THAILAND | KRUNG THEP MAHANAKHON | BANGKOK | FOR ADSL SERVICE (TRUELOCALNET) |
Documentation:
Reading Email Headers:
- http://www.stopspam.org/email/headers/headers_fr.html
- http://www.emailaddressmanager.com/tips/header.html
- http://www.emailaddressmanager.com/tips/spam-header.html
- http://www.cs.tut.fi/~jkorpela/headers.html
http://www.sophos.fr/pressoffice/news/articles/2006/07/securityreportmid2006.html
Sophos: list of the 10 most widespread threat families between January and June 2006

News - 21/07/2006: http://www.infos-du-net.com/actualite/7577-virus-antivirus.html
More than 80 percent of new malware evades the best-known antivirus products and gets into your computer. A recent report by the Australian Computer Emergency Response Team (AusCERT) explains that antivirus products do not work against these newcomers. An AusCERT manager, Graham Ingram, states that this is not a technical problem with the antivirus products. The problem is that trojans and other new viruses are built to defeat the protection these classic tools provide. He states that attackers test their viruses specifically against the most common antivirus products so that, once released, they avoid detection. Paradoxically, the less well-known and therefore less popular antivirus products are better able to detect the new generations of malware and other Internet pests, precisely because attackers ignore them while testing their creations. However, on average, sixty percent of malware is not detected at all, which the Australian team finds worrying.
News - 31/07/2006: http://www.branchez-vous.com/actu/06-07/10-257703.html
In its ranking of the most widespread viruses in July 2006, the IT security firm Sophos notes that the proportion of e-mails infected by a computer worm fell markedly, but this does not mean the dangers are gone... - After studying the data collected in July across its worldwide network of computers, Sophos estimates that only 0.45% of e-mails carried malicious software as an attachment, a notable drop compared with the statistics of recent years. By comparison, the firm points out that this fraction was 1.1% for the first half of 2006. According to Sophos, this drop in the number of infected e-mails marks a change of strategy among virus writers: "attackers are turning away from mass-mailing worms and viruses towards more insidious trojan attacks that target small groups of users." - To illustrate this trend, the security firm states that of the 3715 new pieces of malware discovered in July, 87% were trojans and 13% worms or viruses.