Old 03-04-2004, 09:45   #1 (permalink)
zfrank (Administrator)
Attention ( Virus / Trojan ) !!!


Attention,
2 days ago I received a mail with a virus/trojan from a known cheater.
This hacker/cheater spied out my passwords and logged into the admin panel. If anyone else has also got this mail, check your system. There is at the moment no virus scanner which can detect this virus/trojan. If I get a new signature file from the antivirus company I will post it here.


Details of the mail:

Subject: CeBIT 2004 Invitation
Attachment: CeBIT2004.zip, containing a PDF and an EXE file
The EXE is a trojan/virus (more info coming soon; the EXE is being analysed by some antivirus companies)

Mailtext: Dear Friends,

We sincerely invite you to visit our booth at hall 12, B69 and see our advanced products in person. If you would like to find out more please find a minute and take a look on presentation that is attached with this message.

With best regards,


Sender IP of the virus: 80.53.192.14
This IP used my admin login.
Some hours later this IP, 213.190.37.2, used my admin login. This IP was also used by a known cheater in our forum at the same time.

Here is the header from the mail:

Code:
Return-Path: <[email protected]>
Received: from localhost (localhost.localdomain [127.0.0.1])
	by localhost.localdomain (8.12.8/8.12.5) with ESMTP id i22JohGU029652
	for <zfrank@localhost>; Tue, 2 Mar 2004 20:50:43 +0100
X-Flags: 0000
Delivered-To: GMX delivery to zfrank@xxxxxx
Received: from pop.xxxx.net [213.165.64.20]
	by localhost with POP3 (fetchmail-5.9.0)
	for zfrank@localhost (single-drop); Tue, 02 Mar 2004 20:50:43 +0100 (CET)
Received: (qmail 20004 invoked by uid 65534); 2 Mar 2004 19:48:54 -0000
Received: from webmail-outgoing.us4.outblaze.com (EHLO webmail-outgoing.us4.outblaze.com) (205.158.62.67)
  by mx0.gmx.net (mx039) with SMTP; 02 Mar 2004 20:48:54 +0100
Received: from spf9.us4.outblaze.com (spf9.us4.outblaze.com [205.158.62.169])
	by webmail-outgoing.us4.outblaze.com (Postfix) with QMQP id A9D7A1800D9B
	for <[email protected]>; Tue,  2 Mar 2004 19:48:51 +0000 (GMT)
X-OB-Received: from unknown (205.158.62.37)
  by wfilter.us4.outblaze.com; 2 Mar 2004 19:48:42 -0000
Received: by ws1-9.us4.outblaze.com (Postfix, from userid 1001)
	id 0EEF943E51; Tue,  2 Mar 2004 19:48:45 +0000 (GMT)
Content-Type: multipart/mixed; boundary="----------=_1078256922-3019-0"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-Mailer: MIME-tools 5.41 (Entity 5.404)
Received: from [80.53.192.14] by ws1-9.us4.outblaze.com with http for
    [email protected]; Tue, 02 Mar 2004 14:48:42 -0500
From: "xxxx xxxx" <[email protected]>
To: [email protected]
Date: Tue, 02 Mar 2004 14:48:42 -0500
Subject: CeBIT 2004 Invitation
X-Originating-Ip: 80.53.192.14
X-Originating-Server: ws1-9.us4.outblaze.com
Message-Id: <[email protected]>
X-GMX-Antivirus: 0 (no virus found)
X-GMX-Antispam: 0 (Mail was not recognized as spam)
Status:
I censored some parts of the header with xxxx.


Here are some server logs from the virus sender/cheater:

User/cheater with his own user ID and IP 213.190.37.2
User ID censored with xxxx

Code:
========================================
Request: 213.190.37.2 - - [Thu Mar  4 18:25:20 2004] "POST /vbb/newthread.php HTTP/1.1" 200 52184
Handler: (null)
----------------------------------------
POST /vbb/newthread.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Cache-Control: no-cache
Connection: Keep-Alive
Content-Length: 8923
Content-Type: application/x-www-form-urlencoded
Cookie: bblastvisit=1078136711; __utma=100471433.964153968.1073996504.1073996504.1073996504.1; bblastactivity=1078136711; bbuserid=1xxxx; bbpassword=8ae49dc91cb0432b0fa373e6bcxxxx; sessionhash=0dbecd2ac6802676c275a2e172xxxx; bbforum_view=ax3x-ix35yix1078327997yix203yix1078313769yix112yix1078321940y_; bbthread_lastview=ax13x-ix130085yix1078299682yix130059yix1078327975yix129985yix1078300057yix129948yix1078300096yix129880yix1078300112yix129867yix1078300149yix129804yix1078300195yix129541yix1078300239yix129162yix1078300260yix130259yix1078313510yix126938yix1078313866yix124217yix1078324360yix130359yix1078385311y_
Host: forum.gsmhosting.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
XXXXXXX: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXX: XXXXXXXXXXXXX

[POST payload not available]

HTTP/1.1 200 OK
X-Powered-By: PHP/4.3.4
Cache-Control: private
Set-Cookie: sessionhash=9e2e1dc2ca2fa01371928308ebxxxxx; path=/
Content-Length: 52184
Connection: close
Content-Type: text/html
========================================
and here with my user ID (zfrank)

Code:
========================================
Request: 213.190.37.2 - zfrank [Wed Mar  3 18:20:06 2004] "POST /vbb/admincp/xxxxxxx.php HTTP/1.1" 200 2665
Handler: (null)
----------------------------------------
POST /vbb/admincp/xxxxx.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
Accept-Language: en-us
Authorization: Basic emZyYW5rOmJvxxxxxxx
Cache-Control: no-cache
Connection: Keep-Alive
Content-Length: 66
Content-Type: application/x-www-form-urlencoded
Cookie: bblastvisit=1077727244; bblastactivity=1078269624; x;  bbmodsession=1; bbuserid=3; bbpassword=78c139ceaf82db8f67993c83xxxxxx
Host: forum.gsmhosting.com
Referer: http://forum.gsmhosting.com/vbb/admincp/xxxxxx.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

[POST payload not available]

HTTP/1.1 200 OK
X-Powered-By: PHP/4.3.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 03 Mar 2004 17:20:06 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: private, post-check=0, pre-check=0
Pragma: no-cache
Content-disposition: xxxxxxx
Connection: close
Transfer-Encoding: chunked
Content-Type: unknown/unknown
========================================

Last edited by zfrank; 03-04-2004 at 10:12.
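The correlation this post walks through, reading the webmail hop and X-Originating-Ip out of the mail headers and then checking which client addresses used the admin login, as an added example that is not part of the original post. The header and log lines inside it are constructed, modelled on the ones posted above; 192.0.2.10 is an assumed stand-in for the admin's usual address, and the e-mail address is a placeholder.

```python
import re

# Constructed sample modelled on the headers posted above: the webmail hop
# ("Received ... with http", folded over two lines) and X-Originating-Ip both
# carry the address of the client that submitted the mail.
MAIL_HEADERS = """\
Received: from [80.53.192.14] by ws1-9.us4.outblaze.com with http for
    zfrank@example.invalid; Tue, 02 Mar 2004 14:48:42 -0500
X-Originating-Ip: 80.53.192.14
Subject: CeBIT 2004 Invitation
"""

# Constructed access-log lines in the "Request: IP - user [date] ..." shape shown
# above; 192.0.2.10 is an assumed stand-in for the admin's usual address.
ACCESS_LOG = """\
Request: 192.0.2.10 - zfrank [Tue Mar  2 09:01:12 2004] "GET /vbb/admincp/index.php HTTP/1.1" 200 1800
Request: 80.53.192.14 - zfrank [Tue Mar  2 22:10:03 2004] "GET /vbb/admincp/index.php HTTP/1.1" 200 1800
Request: 213.190.37.2 - - [Thu Mar  4 18:25:20 2004] "POST /vbb/newthread.php HTTP/1.1" 200 52184
Request: 213.190.37.2 - zfrank [Wed Mar  3 18:20:06 2004] "POST /vbb/admincp/xxxxxxx.php HTTP/1.1" 200 2665
"""

IP_RE = r'(\d{1,3}(?:\.\d{1,3}){3})'
REQ_RE = re.compile(r'^Request: (\S+) - (\S+) \[([^\]]+)\] "(\S+) (\S+)')
ORIG_RE = re.compile(r'(?:Received: from \[' + IP_RE + r'\] by \S+ with http'
                     r'|X-Originating-Ip:\s*' + IP_RE + r')', re.I)

def unfold(headers):
    """Join RFC 2822 continuation lines (leading space or tab) onto their header."""
    out = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def originating_ips(headers):
    """IPs a webmail front end recorded for the client that submitted the mail."""
    return {m.group(1) or m.group(2) for m in map(ORIG_RE.match, unfold(headers)) if m}

def suspicious_admin_ips(log, headers, known_ips, admin_user="zfrank"):
    """Admin-panel (/admincp/) requests made as admin_user from IPs outside
    known_ips, keyed by IP and tagged with whether that IP also sent the mail."""
    mail_ips, hits = originating_ips(headers), {}
    for m in filter(None, map(REQ_RE.match, log.splitlines())):
        ip, user, when, _, path = m.groups()
        if user == admin_user and "/admincp/" in path and ip not in known_ips:
            tag = "also sent the mail" if ip in mail_ips else "unknown source"
            hits.setdefault(ip, (tag, []))[1].append((when, path))
    return hits
```

Run against real data, `known_ips` would be the admin's own addresses and the log would be the web server's full request log; any hit tagged "also sent the mail" is the link the post draws between the phishing mail and the stolen admin session.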
Old 03-04-2004, 10:24   #2 (permalink)
mr_x4you (Registered User)
Post here who's that known cheater !!!
Old 03-04-2004, 10:59   #3 (permalink)
Tanvir (No Life Poster)
Yes, we all would like to know this cheater!
Personal advice to Zfrank: the security of the server should be upgraded and made better, so that such cheap persons may not hack it, and I think this is the second time....

Regards,
Tanvir !!!
Old 03-04-2004, 10:59   #4 (permalink)
No Life Poster, Austria (Sonork: klaus4)
give us his name
Old 03-04-2004, 11:13   #5 (permalink)
zulea (No Life Poster)
Hi,

I received the same, but very interesting: in the TO: field was written [email protected]

So, our good old friend Davor, or who knows ....

Lucky me, I did not open any file, so ...

Here are the full headers:

-----------------------------------------

Received: from ns2.ARtelecom.net [80.97.194.4] by ARtelecom.net
(SMTPD32-8.05) id A5834080112; Tue, 02 Mar 2004 21:50:27 +0200
Received: from 80.97.255.66 by ns2.ARtelecom.net (InterScan E-Mail VirusWall NT); Tue, 02 Mar 2004 21:50:23 +0200
Received: (qmail 32029 invoked from network); 2 Mar 2004 19:49:17 -0000
Received: from m1.dnsix.com (63.251.171.167)
by ns3.artelecom.net with SMTP; 2 Mar 2004 19:49:17 -0000
Received: from [205.158.62.67] (helo=webmail-outgoing.us4.outblaze.com)
by m1.dnsix.com with esmtp (Exim 4.24)
id 1AyGPv-0004tk-1a
for [email protected]; Tue, 02 Mar 2004 12:23:03 -0800
Received: from spf9.us4.outblaze.com (spf9.us4.outblaze.com [205.158.62.169])
by webmail-outgoing.us4.outblaze.com (Postfix) with QMQP id 1331E1801531
for <[email protected]>; Tue, 2 Mar 2004 19:48:55 +0000 (GMT)
X-OB-Received: from unknown (205.158.62.37)
by wfilter.us4.outblaze.com; 2 Mar 2004 19:48:42 -0000
Received: by ws1-9.us4.outblaze.com (Postfix, from userid 1001)
id 0EEF943E51; Tue, 2 Mar 2004 19:48:45 +0000 (GMT)
Content-Type: multipart/mixed; boundary="----------=_1078256922-3019-0"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-Mailer: MIME-tools 5.41 (Entity 5.404)
Received: from [80.53.192.14] by ws1-9.us4.outblaze.com with http for
[email protected]; Tue, 02 Mar 2004 14:48:42 -0500
From: "John Davidson" <[email protected]>
To: [email protected]
Date: Tue, 02 Mar 2004 14:48:42 -0500
Subject: CeBIT 2004 Invitation
X-Originating-Ip: 80.53.192.14
X-Originating-Server: ws1-9.us4.outblaze.com
Message-Id: <[email protected]>
X-RCPT-TO: <[email protected]>
Status: U
X-UIDL: 353694390

-----------------------------------------

Best regards,
Zulea
Old 03-04-2004, 11:14   #6 (permalink)
No Life Poster, uk
Please do the forum a favour.. POST HERE THE FULL DETAILS OR CONFIRM THE ABOVE BY ZULEA. Don't x-rate anything.

bR
Old 03-04-2004, 11:42   #7 (permalink)
Kima (No Life Poster)
He, he, he...
Anatoly strikes again....

b/r KIMA
Old 03-04-2004, 11:47   #8 (permalink)
No Life Poster, Canary Islands
I too

was sent the virus W32.MyDoom, which was picked up, thankfully. The name of the sender came up as Spunlock. When I replied it went to a nice chap called Dips from Cellular Services who knew nothing about it. I am not saying Spunlock knows anything about it either; maybe someone doesn't like him? (Or maybe someone doesn't like me?)
Old 03-04-2004, 11:50   #9 (permalink)
Spalato (No Life Poster)
Quote:
Originally Posted by zulea2002
Hi,

I received the same, but very interesting: in the TO: field was written [email protected]

So, our good old friend Davor, or who knows ....

Lucky me, I did not open any file, so ...

Best regards,
Zulea

Hi

I have known Davor for many years and I'm sure that he is not behind this attack... he probably opened the attachment thinking that it was a real invitation to CEBIT, because he and I will be at CEBIT this year... so maybe he thought that some known person sent him that invitation and he was smart enough to open it

Oliver
Old 03-04-2004, 11:56   #10 (permalink)
zfrank (Administrator)
Quote:
Originally Posted by Tanvir
Yes, we all would like to know this cheater!
Personal advice to Zfrank: the security of the server should be upgraded and made better, so that such cheap persons may not hack it, and I think this is the second time....

Regards,
Tanvir !!!
The server is more secure than before the first attack.
This was no attack on the webserver, it was an attack on my home system.

@kimagsm
right

@all
davor isn't the sender, he has nothing to do with this..

Last edited by zfrank; 03-04-2004 at 12:24.
Old 03-04-2004, 11:59   #11 (permalink)
Freak Poster, Leicester ~ UK
Just to avoid people pointing fingers at others: most people know how these worms work...

In zfrank's case it's a different matter...

in the other cases mentioned, the worm infects a person's computer and then sends itself to other email addresses stored in the person's address book...

the worm will use various people's email addresses to enable a higher chance of infection...
Old 03-04-2004, 12:14   #12 (permalink)
Kima (No Life Poster)
Quote:
Originally Posted by zfrank
@kinagsm
right

@all
davor isn't the sender, he has nothing to do with this..
He, he, he...
About Davor... ..Do not be so sure...
He is like a brother with Anatoly...
P.S.. I am KIMA... Not KINA...

b/r KIMA
Old 03-04-2004, 12:20   #13 (permalink)
millpc (Freak Poster)
http://www.esecurityplanet.com/trend...le.php/3320501

The virus problem seems to be getting worse. The best method is not to allow any attachments.
Old 03-04-2004, 12:30   #14 (permalink)
Justin Case (Freak Poster)
@The Dog
Your virus is common sh*t and has nothing to do with the hacking of Zfrank's PC - I get a few mails a day with such stuff.

@Zfrank
If you are 100% sure who did that trick on you, please publish his name in the forum.

B.R.
Old 03-04-2004, 12:46   #15 (permalink)
Administrator
he is the Cheater Anatoly www.gsmunlock.com
he uses many Usernames like unlteam & gsmunlock.com