Today I ran into a rather amusing virus/trojan. The text of the message reads as follows:
Dear user of "Hinet.net" mailing system,
Our antivirus software has detected a large ammount of viruses outgoing
from your email account, you may use our free anti-virus tool to clean up
your computer software.
Further details can be obtained from attached file.
Attached file protected with the password for security reasons. Password is 86375.
Best wishes,
The Hinet.net team http://www.hinet.net
The sender's From field reads noreply@hinet.net, and the message is formatted to look just like an official notice (except that it is in English, which doesn't quite make sense...).
Then, with itchy fingers, I cracked the message open to look at the full headers:
From - Wed Mar 3 13:46:29 2004
X-UIDL: 404552df00000018
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <200304010309.h3139cSk044001@xtrabox.com>
Received: from msxx.hinet.net (msxx.hinet.net [168.95.4.14])
by mycom.com.tw (8.12.8p1/8.12. with ESMTP id i235et8s022196
for <lalala@mycom.com.tw>; Wed, 3 Mar 2004 13:40:56 +0800 (CST)
(envelope-from 200304010309.h3139cSk044001@xtrabox.com)
Received: from narumol (ip-n-bkkSP7-106.C.loxinfo.net.th [169.210.14.106])
by msxx.hinet.net (8.8.8/8.8. with SMTP id NAA20354
for <lalala@hinet.net>; Wed, 3 Mar 2004 13:38:48 +0800 (CST)
Date: Wed, 03 Mar 2004 12:49:38 +0700
To: lalala@msxx.hinet.net
Subject: Notify about your e-mail account utilization.
From: noreply@hinet.net
Message-ID: <mqupvsshtmhxobsxtcf@ms14.hinet.net>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------ipcpjltngshspywuqqea"
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on mycom.com.tw
X-Spam-Status: No, hits=0.3 required=5.5 tests=NO_REAL_NAME autolearn=no
version=2.63
Status:
----------ipcpjltngshspywuqqea
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Spotted it? The source is ip-n-bkkSP7-106.C.loxinfo.net.th, a heavily disguised domain....
On top of that, the message came with a readme.zip attached. My itchy fingers got the better of me and I cracked that file open too... and it really did require a password, and the password was the same one given in the message body! That raises the odds that people as careless as me fall for it. Once opened, what's inside is an executable...... ormbmlshf.exe Heh heh~~ this is where the fingers have to stop itching (it would open up SMTP...).
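As an added example (not code from the original post), the Python below rebuilds the message from the headers and body text quoted above, with a constructed, harmless stand-in for readme.zip, and runs the checks a mail gateway could apply: compare the From domain with the host named in the earliest Received hop and with the Return-Path, look for a password stated in the body, and list the members of the attached zip. Member names sit unencrypted in the zip central directory, so an .exe inside a password-protected archive is visible without knowing the password. The constructed headers leave out the sendmail version strings, the zip-flag patching trick and all function names are assumptions of this example, and the attachment bytes are a placeholder string, not the original program.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Added example, not code from the original post. The message is rebuilt from
# the quoted headers and body; the attachment is a constructed placeholder.

EXECUTABLE_SUFFIXES = ('.exe', '.scr', '.pif', '.com', '.bat', '.cmd')
RECEIVED_FROM = re.compile(r'from\s+(\S+)\s+\(([^\s\[]+)\s*\[([\d.]+)\]\)')


def build_fake_zip() -> bytes:
    """Constructed readme.zip with one .exe-named member marked as encrypted.

    zipfile cannot write encrypted archives, so general-purpose bit 0 (the
    traditional PKZIP encryption flag) is patched into the local and central
    headers by hand. The member data is a placeholder string, not a program.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_STORED) as zf:
        zf.writestr('ormbmlshf.exe', b'placeholder bytes, not a real program')
    data = bytearray(buf.getvalue())
    data[data.find(b'PK\x03\x04') + 6] |= 0x01   # local file header: flags
    data[data.find(b'PK\x01\x02') + 8] |= 0x01   # central directory: flags
    return bytes(data)


def build_sample_message() -> bytes:
    """Constructed message using the headers and body quoted in the post."""
    msg = EmailMessage(policy=policy.default)
    msg['Return-Path'] = '<200304010309.h3139cSk044001@xtrabox.com>'
    # Topmost Received is the last hop; the bottom one is where the mail entered.
    msg['Received'] = ('from msxx.hinet.net (msxx.hinet.net [168.95.4.14]) '
                       'by mycom.com.tw with ESMTP id i235et8s022196 '
                       'for <lalala@mycom.com.tw>; Wed, 3 Mar 2004 13:40:56 +0800')
    msg['Received'] = ('from narumol (ip-n-bkkSP7-106.C.loxinfo.net.th [169.210.14.106]) '
                       'by msxx.hinet.net with SMTP id NAA20354 '
                       'for <lalala@hinet.net>; Wed, 3 Mar 2004 13:38:48 +0800')
    msg['From'] = 'noreply@hinet.net'
    msg['To'] = 'lalala@msxx.hinet.net'
    msg['Subject'] = 'Notify about your e-mail account utilization.'
    msg['Message-ID'] = '<mqupvsshtmhxobsxtcf@ms14.hinet.net>'
    msg.set_content(
        'Dear user of "Hinet.net" mailing system,\n'
        'Further details can be obtained from attached file.\n'
        'Attached file protected with the password for security reasons. '
        'Password is 86375.\n')
    msg.add_attachment(build_fake_zip(), maintype='application',
                       subtype='zip', filename='readme.zip')
    return msg.as_bytes()


def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rsplit('@', 1)[-1].lower()


def inspect_zip(blob: bytes) -> dict:
    """List members without extracting: names are readable even when the
    member data is password-protected, so an .exe can be flagged anyway."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
    return {
        'members': [i.filename for i in infos],
        'encrypted': [i.filename for i in infos if i.flag_bits & 0x01],
        'executables': [i.filename for i in infos
                        if i.filename.lower().endswith(EXECUTABLE_SUFFIXES)],
    }


def analyse(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(str(msg['From']))
    return_path_domain = domain_of(str(msg.get('Return-Path', '')))
    hops = [re.sub(r'\s+', ' ', str(h)) for h in msg.get_all('Received', [])]
    m = RECEIVED_FROM.search(hops[-1]) if hops else None   # earliest hop
    origin_rdns, origin_ip = (m.group(2).lower(), m.group(3)) if m else ('', '')
    body = msg.get_body(preferencelist=('plain',))
    text = body.get_content() if body else ''
    pw = re.search(r'password\s+is\s+(\w+)', text, re.I)
    zips = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ''
        if name.lower().endswith('.zip'):
            zips[name] = inspect_zip(part.get_payload(decode=True))
    reasons = []
    if not (origin_rdns == from_domain or origin_rdns.endswith('.' + from_domain)):
        reasons.append('origin-host-not-in-from-domain')
    if return_path_domain != from_domain:
        reasons.append('return-path-domain-mismatch')
    if pw and any(z['encrypted'] for z in zips.values()):
        reasons.append('password-in-body-for-encrypted-zip')
    if any(z['executables'] for z in zips.values()):
        reasons.append('executable-inside-zip')
    return {'from_domain': from_domain, 'return_path_domain': return_path_domain,
            'origin_rdns': origin_rdns, 'origin_ip': origin_ip,
            'body_password': pw.group(1) if pw else None,
            'zips': zips, 'reasons': reasons}


if __name__ == '__main__':
    for key, value in analyse(build_sample_message()).items():
        print(f'{key}: {value}')
```

Run as a script it prints the findings for the reconstructed message; on this sample all four reasons fire, which is exactly the combination the post describes: a From domain that neither the entry hop nor the Return-Path belongs to, a password handed out in the body, and an executable inside the protected archive.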
If it hadn't been caught for carrying an attachment and then intercepted by SpamAssassin, my company would probably be in deep trouble right now....
Who knows, maybe my reaction this time was even faster than the antivirus vendors'.