
Thread: This email was received today


  1. #1
    ~BD~ Guest

    This email was received today

    You will see in the message info. below that this email was addressed as
    shown:

    To: <boab_doc@hotmail.co.uk>

    How can it have arrived in *my* inbox (I'm BoaterDave at hotmail.co.uk)?

    Responses will be appreciated! :-)

    Dave


    X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtTQ0w9NA==

    X-Message-Status: n

    X-SID-PRA: Consult Group <info@behavmed.com>

    X-AUTH-Result: NONE

    X-Message-Info:
    0Lct38uk7fNgtofsjpqeOfgZ9Fh36wMjo1pYR2Ses/6enIJtG/uHICHSXn2TuQawEuQM+7daFjHjDiYjW6YtXhnS476yUsP/rCLfmZGVMb7q4BAibjyKlA==

    Received: from mailex.mailcore.me ([94.136.40.61]) by
    col0-mc4-f20.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);

    Tue, 10 May 2011 00:43:59 -0700

    Received: from noc.maximuma.net ([91.196.148.8])

    by mail10.atlas.pipex.net with esmtpa (Exim 4.71)

    (envelope-from <info@behavmed.com>)

    id 1QJhbq-0005w9-GL; Tue, 10 May 2011 08:43:58 +0100

    Received: from [91.196.148.8] by noc.maximuma.net id YTMGv1wyVvdf with
    SMTP; Tue, 10 May 2011 10:43:57 +0300

    Date: Tue, 10 May 2011 10:43:57 +0300

    From: "Consult Group" <info@behavmed.com>

    X-Mailer: The Bat! (v4.8.76.3) Educational

    X-Priority: 3 (Normal)

    Message-ID: <982740620.49683983978845@noc.maximuma.net>

    To: <boab_doc@hotmail.co.uk>

    Subject: Your order reference is 37852

    MIME-Version: 1.0

    Content-Type: text/plain;

    charset="windows-1252"

    Content-Transfer-Encoding: 8bit

    X-Mailcore-Auth: 8588484

    X-Mailcore-Domain: 931887

    Return-Path: info@behavmed.com

    X-OriginalArrivalTime: 10 May 2011 07:44:00.0315 (UTC)
    FILETIME=[069D70B0:01CC0EE6]









    Dear, Customer



    Thank you for the order,

    id: 54850152.



    Your credit card will be charged for 734 dollars.



    Information about the order and delivery located at:



    http://radiolunaser.com/order2/Order...@hotmail.co.uk



    ____________________________

    Best regards, ticket service.

    Tel./Fax.: (882) 701 46 502




  2. #2
    Mike Easter Guest

    Re: This email was received today

    ~BD~ wrote:
    > You will see in the message info. below that this email was addressed as
    > shown:
    >
    > To: <boab_doc@hotmail.co.uk>
    >
    > How can it have arrived in *my* inbox (I'm BoaterDave at hotmail.co.uk)


    Short version:

    What the mail recipient sees in the To: field is only what the sender
    constructed/configured to populate the To: field. A great many other
    recipients can receive the same mail.

    Another version:

    If you (yourself with your mail agent) construct a mail to send to a
    great many recipients, it is not necessary (nor wise nor polite) to put
    all of your recipients into the To: field. Instead you can put all of
    them into the BCC field. Or you can put one of them into the To: field
    and then all of the recipients you included in the BCC field will get a
    mail showing that person's To:

    Another version:

    For some discussions, it is useful to consider the concept of what some
    call the 'smtp envelope' which is a series of transactions between the
    sender and the smtp server. Those elements consist of HELO, MAIL FROM,
    RCPT TO, and DATA. The information concerning who is to receive the mail
    is in the RCPT TO part. The information about the structure of the mail
    such as subject and from and to and cc is contained in the DATA section.

    --
    Mike Easter
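
The envelope/header split described in post #2, as an added example that is not part of the original post: it builds the client side of an SMTP session and lists envelope recipients that the visible To:/Cc: headers never name. All addresses and host names are constructed placeholders, and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message; all addresses are placeholders, not taken from the thread.
RAW = (
    'From: "Consult Group" <sender@example.com>\n'
    "To: <someone.else@example.net>\n"
    "Subject: Your order reference is 37852\n"
    "\n"
    "Dear, Customer\n"
    ".a body line starting with a dot\n"
)

def smtp_dialogue(helo, mail_from, rcpt_to, raw_message):
    """Client-side lines of one SMTP session.

    Delivery is decided only by MAIL FROM / RCPT TO (the envelope);
    the From:/To:/Cc: headers are just text carried inside DATA.
    """
    lines = [f"HELO {helo}", f"MAIL FROM:<{mail_from}>"]
    lines += [f"RCPT TO:<{rcpt}>" for rcpt in rcpt_to]
    lines.append("DATA")
    for line in raw_message.splitlines():
        # Dot-stuffing: a leading "." is doubled so it cannot end DATA early.
        lines.append("." + line if line.startswith(".") else line)
    lines += [".", "QUIT"]
    return lines

def header_recipients(raw_message):
    """Addresses named in the visible To:/Cc: headers, lower-cased."""
    msg = message_from_string(raw_message)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def unlisted_recipients(rcpt_to, raw_message):
    """Envelope recipients who get the mail without appearing in To:/Cc:."""
    visible = header_recipients(raw_message)
    return [rcpt for rcpt in rcpt_to if rcpt.lower() not in visible]

if __name__ == "__main__":
    envelope = ["mailbox.owner@example.org", "someone.else@example.net"]
    print("\n".join(smtp_dialogue("client.example.com", "sender@example.com", envelope, RAW)))
    print("not named in headers:", unlisted_recipients(envelope, RAW))
```
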

  3. #3
    ~BD~ Guest

    Re: This email was received today

    Mike Easter wrote:
    > ~BD~ wrote:
    >> You will see in the message info. below that this email was addressed
    >> as shown:
    >>
    >> To: <boab_doc@hotmail.co.uk>
    >>
    >> How can it have arrived in *my* inbox (I'm BoaterDave at hotmail.co.uk)

    >
    > Short version:
    >
    > What the mail recipient sees in the To: field is only what the sender
    > constructed/configured to populate the To: field. A great many other
    > recipients can receive the same mail.
    >
    > Another version:
    >
    > If you (yourself with your mail agent) construct a mail to send to a
    > great many recipients, it is not necessary (nor wise nor polite) to put
    > all of your recipients into the To: field. Instead you can put all of
    > them into the BCC field. Or you can put one of them into the To: field
    > and then all of the recipients you included in the BCC field will get a
    > mail showing that person's To:


    I understand. Thanks, Mike.

    > Another version:
    >
    > For some discussions, it is useful to consider the concept of what some
    > call the 'smtp envelope' which is a series of transactions between the
    > sender and the smtp server. Those elements consist of HELO, MAIL FROM,
    > RCPT TO, and DATA. The information concerning who is to receive the mail
    > is in the RCPT TO part. The information about the structure of the mail
    > such as subject and from and to and cc is contained in the DATA section.


    I'll ponder on that info. Thanks again.

  4. #4
    Mike Easter Guest

    Re: This email was received today

    ~BD~ wrote:

    > http://radiolunaser.com/order2/Order...@hotmail.co.uk


    The payload is Order.zip.

    This is the result of testing that file at VirusTotal

    http://bit.ly/ir4ZDf+ (previewable)

    The contents are an Order.Doc file which has 5/43 positives

    ClamAV Suspect.DoubleExtension-zippwd-12
    Kaspersky Trojan-Spy.Win32.SpyEyes.hdy
    NOD32 a variant of Win32/Kryptik.NON
    Sophos Mal/BredoZp-B
    VIPRE FraudTool.Win32.AVSoft (v)

    If you were so inclined, you could carefully examine the .doc.

    --
    Mike Easter

  5. #5
    David H. Lipman Guest

    Re: This email was received today

    From: "Mike Easter" <MikeE@ster.invalid>

    > ~BD~ wrote:
    >
    >> hxxp://radiolunaser.com/order2/Order.zip?to_client:boab_doc@hotmail.co.uk

    >
    > The payload is Order.zip.
    >
    > This is the result of testing that file at VirusTotal
    >
    > http://www.virustotal.com/file-scan/...f4b-1305032477
    >
    > The contents are an Order.Doc file which has 5/43 positives
    >
    > ClamAV Suspect.DoubleExtension-zippwd-12
    > Kaspersky Trojan-Spy.Win32.SpyEyes.hdy
    > NOD32 a variant of Win32/Kryptik.NON
    > Sophos Mal/BredoZp-B
    > VIPRE FraudTool.Win32.AVSoft (v)
    >
    > If you were so inclined, you could carefully examine the .doc.
    >


    Please stop feeding the BD troll.

    You are also wrong. The file is NOT a DOC file; it is an EXE file.
    Order.Doc_________________________________________ ______________________________.exe

    Also in the future, please obfuscate malicious URLs and don't use shortened URLs via
    Libya.

    This malware copies itself to;
    C:\Recycle.Bin\Recycle.Bin.exe
    creates;
    C:\Recycle.Bin\config.bin

    It hooks into many running processes.

    It communicates to; csgametome2.com via TCP port 444
    as well as uploading encrypted data via; /~a?brvalg/g?ate.php

    It creates a Mutex of; 2HiH8UlWBE0Me8DueMgM0VQKflf280p



    --
    Dave
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp
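
A triage check for the file-name trick pointed out in post #5, as an added example that is not part of the original post: it flags zip members whose name shows a document extension, a long padding run and then an executable extension, and members that start with an MZ header under a non-executable name. The extension lists, the padding threshold and the sample archive are assumptions made for the example; the archive is built in memory from inert placeholder bytes.

```python
import io
import re
import zipfile

DECOY = {"doc", "pdf", "txt", "jpg", "xls", "rtf"}       # extension the user is meant to notice
EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd"}  # extension Windows will actually act on
PADDING = re.compile(r"[\s_]{8,}")  # assumed threshold: filler run that pushes the end out of view

def masquerade_reasons(name):
    """Reasons a file name looks like an executable posing as a document."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) < 3 or parts[-1].lower() not in EXECUTABLE:
        return []
    reasons = []
    if any(p.rstrip(" _\t").lower() in DECOY for p in parts[1:-1]):
        reasons.append("decoy document extension before executable extension")
    if PADDING.search(base):
        reasons.append("padding run hides the final extension")
    return reasons

def scan_zip(data):
    """Map each suspicious member name in a zip (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = masquerade_reasons(info.filename)
            if not info.flag_bits & 0x1:  # unencrypted member: content can be checked
                with zf.open(info) as member:
                    is_pe = member.read(2) == b"MZ"
                ext = info.filename.rsplit(".", 1)[-1].lower()
                if is_pe and ext not in EXECUTABLE:
                    reasons.append("MZ header under a non-executable name")
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample():
    """Constructed test archive; member contents are inert placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Order.Doc" + "_" * 40 + ".exe", b"MZ-placeholder")
        zf.writestr("readme.txt", b"plain text")
        zf.writestr("invoice.pdf", b"MZ-placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for member, why in scan_zip(build_sample()).items():
        print(member[:20] + "...", why)
```
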



  6. #6
    Dustin Guest

    Re: This email was received today

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    news:iqbht1090@news2.newsguy.com:

    > You are also wrong. The file is NOT a DOC file; it is an EXE file.
    > Order.Doc_________________________________________ ___________________


    Why tell him that? He's a stupid ****head, David. Should have suggested
    he try to open it. <G>



    --
    Why drink the water from my hand?
    Contagious as you think I am
    Just tilt my sun towards your domain
    Your cup runneth over again

  7. #7
    ~BD~ Guest

    Re: This email was received today

    Mike Easter wrote:
    > ~BD~ wrote:
    >
    >> http://radiolunaser.com/order2/Order...@hotmail.co.uk

    >
    > The payload is Order.zip.
    >
    > This is the result of testing that file at VirusTotal
    >
    > http://bit.ly/ir4ZDf+ (previewable)
    >
    > The contents are an Order.Doc file which has 5/43 positives
    >
    > ClamAV Suspect.DoubleExtension-zippwd-12
    > Kaspersky Trojan-Spy.Win32.SpyEyes.hdy
    > NOD32 a variant of Win32/Kryptik.NON
    > Sophos Mal/BredoZp-B
    > VIPRE FraudTool.Win32.AVSoft (v)
    >
    > If you were so inclined, you could carefully examine the .doc.
    >


    Most interesting!

    As I'm currently aboard my narrowboat, with no back-up facilities, I'll
    not do anything which might put my computer out of action! I'll leave
    you clever folk to play with what I've put forward.

    <aside> I don't like the way Mr Lipman talks down to you Mike. It's
    totally unnecessary and provocative. He should be much more adult IMO.

  8. #8
    Peter Foldes Guest

    Re: This email was received today

    "~BD~" <~BD~@nomail.afraid.com> wrote in message news:iqbqd9$u6q$1@dont-email.me...
    > Mike Easter wrote:
    >> ~BD~ wrote:



    > <aside> I don't like the way Mr Lipman talks down to you Mike. It's totally
    > unnecessary and provocative. He should be much more adult IMO.


    David

    Once and for all, stop your stupid and unnecessary Trolling and enjoy your boat
    instead of starting crap as you always do for no reason whatsoever

    --
    Peter
    Please Reply to Newsgroup for the benefit of others
    Requests for assistance by email can not and will not be acknowledged.
    This posting is provided "AS IS" with no warranties, and confers no rights.
    http://www.microsoft.com/protect


  9. #9
    ~BD~ Guest

    Re: This email was received today

    Peter Foldes wrote:

    > David
    >
    > Once and for all, stop your stupid and unnecessary Trolling and enjoy
    > your boat instead of starting crap as you always do for no reason
    > whatsoever
    >


    Are you now "in charge" here, Mr Foldes?

    Please remember that there is no obligation upon you to read my posts!

    I'm having great fun aboard at the moment, btw! :-)

  10. #10
    ~BD~ Guest

    OT - a photograph

    ~BD~ wrote:

    > I'm having great fun aboard at the moment, btw! :-)


    Bridge 97 http://i53.tinypic.com/28ano5d.jpg
