
Thread: This email was received today

  1. #1
    ~BD~ Guest

    This email was received today

    You will see in the message info. below that this email was addressed as
    shown:

    To: <boab_doc@hotmail.co.uk>

    How can it have arrived in *my* inbox (I'm BoaterDave at hotmail.co.uk)

    Responses will be appreciated! :-)

    Dave


    X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtTQ0w9NA==
    X-Message-Status: n
    X-SID-PRA: Consult Group <info@behavmed.com>
    X-AUTH-Result: NONE
    X-Message-Info: 0Lct38uk7fNgtofsjpqeOfgZ9Fh36wMjo1pYR2Ses/6enIJtG/uHICHSXn2TuQawEuQM+7daFjHjDiYjW6YtXhnS476yUsP/rCLfmZGVMb7q4BAibjyKlA==
    Received: from mailex.mailcore.me ([94.136.40.61]) by col0-mc4-f20.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Tue, 10 May 2011 00:43:59 -0700
    Received: from noc.maximuma.net ([91.196.148.8]) by mail10.atlas.pipex.net with esmtpa (Exim 4.71) (envelope-from <info@behavmed.com>) id 1QJhbq-0005w9-GL; Tue, 10 May 2011 08:43:58 +0100
    Received: from [91.196.148.8] by noc.maximuma.net id YTMGv1wyVvdf with SMTP; Tue, 10 May 2011 10:43:57 +0300
    Date: Tue, 10 May 2011 10:43:57 +0300
    From: "Consult Group" <info@behavmed.com>
    X-Mailer: The Bat! (v4.8.76.3) Educational
    X-Priority: 3 (Normal)
    Message-ID: <982740620.49683983978845@noc.maximuma.net>
    To: <boab_doc@hotmail.co.uk>
    Subject: Your order reference is 37852
    MIME-Version: 1.0
    Content-Type: text/plain; charset="windows-1252"
    Content-Transfer-Encoding: 8bit
    X-Mailcore-Auth: 8588484
    X-Mailcore-Domain: 931887
    Return-Path: info@behavmed.com
    X-OriginalArrivalTime: 10 May 2011 07:44:00.0315 (UTC) FILETIME=[069D70B0:01CC0EE6]

    Dear, Customer

    Thank you for the order,
    id: 54850152.

    Your credit card will be charged for 734 dollars.

    Information about the order and delivery located at:

    http://radiolunaser.com/order2/Order...@hotmail.co.uk

    ____________________________
    Best regards, ticket service.
    Tel./Fax.: (882) 701 46 502




  2. #2
    Mike Easter Guest

    Re: This email was received today

    ~BD~ wrote:
    > You will see in the message info. below that this email was addressed as
    > shown:
    >
    > To: <boab_doc@hotmail.co.uk>
    >
    > How can it have arrived in *my* inbox (I'm BoaterDave at hotmail.co.uk)


    Short version:

    What the mail recipient sees in the To: field is only what the sender
    constructed/configured to populate the To: field. A great many other
    recipients can receive the same mail.

    Another version:

    If you (yourself with your mail agent) construct a mail to send to a
    great many recipients, it is not necessary (nor wise nor polite) to put
    all of your recipients into the To: field. Instead you can put all of
    them into the BCC field. Or you can put one of them into the To: field
    and then all of the recipients you included in the BCC field will get a
    mail showing that person's To:

    Another version:

    For some discussions, it is useful to consider the concept of what some
    call the 'smtp envelope' which is a series of transactions between the
    sender and the smtp server. Those elements consist of HELO, MAIL FROM,
    RCPT TO, and DATA. The information concerning who is to receive the mail
    is in the RCPT TO part. The information about the structure of the mail
    such as subject and from and to and cc is contained in the DATA section.

    --
    Mike Easter
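The envelope-versus-DATA distinction Mike describes above, as an added example that is not part of the original post: a toy in-memory SMTP server in Python walks through HELO, MAIL FROM, one RCPT TO per real recipient, and DATA, then shows that every mailbox receives the same To: header because that line is only text inside DATA. The server class and the recipient list (apart from the boab_doc address quoted in the thread) are constructed for the demo.

```python
"""
Added example (not from the original thread): a minimal in-memory SMTP
exchange showing why the To: header a recipient sees can name someone
else entirely. Delivery is driven by the envelope (RCPT TO); the To:
line lives inside DATA and is just text the sender chose.
All addresses except boab_doc@hotmail.co.uk are constructed for the demo.
"""
from email import message_from_string


class ToySmtpServer:
    """Records one SMTP transaction: envelope sender, envelope recipients and DATA,
    then 'delivers' the DATA verbatim to every envelope recipient."""

    def __init__(self):
        self.mail_from = None
        self.rcpt_to = []
        self.data_lines = []
        self.in_data = False
        self.mailboxes = {}  # envelope recipient -> raw delivered message

    def handle(self, line):
        """Process one client line and return the server reply (None inside DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                raw = "\n".join(self.data_lines) + "\n"
                for rcpt in self.rcpt_to:
                    self.mailboxes[rcpt] = raw
                return "250 OK: queued"
            # undo dot-stuffing: a body line starting with '..' was '.' on the client
            self.data_lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 toy.example"
        if verb == "MAIL":
            self.mail_from = arg[len("FROM:"):].strip("<> ")
            return "250 OK"
        if verb == "RCPT":
            self.rcpt_to.append(arg[len("TO:"):].strip("<> "))
            return "250 OK"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 unrecognised command"


def send_bulk(server, envelope_from, envelope_rcpts, header_to, subject, body):
    """Client side: one MAIL FROM, one RCPT TO per real recipient, one DATA whose
    To: header names only header_to. Returns the (command, reply) transcript."""
    transcript = []

    def say(line):
        transcript.append((line, server.handle(line)))

    say("HELO sender.example")
    say(f"MAIL FROM:<{envelope_from}>")
    for rcpt in envelope_rcpts:
        say(f"RCPT TO:<{rcpt}>")
    say("DATA")
    for hdr in (f"From: Consult Group <{envelope_from}>",
                f"To: <{header_to}>", f"Subject: {subject}", ""):
        say(hdr)
    for line in body.splitlines():
        say(("." + line) if line.startswith(".") else line)  # dot-stuffing
    say(".")
    say("QUIT")
    return transcript


def header_to_seen_by(server, rcpt):
    """What the given envelope recipient sees in the To: header of the delivered mail."""
    return message_from_string(server.mailboxes[rcpt])["To"]


def demo():
    """Three envelope recipients, one To: header; returns the server for inspection."""
    srv = ToySmtpServer()
    rcpts = ["boab_doc@hotmail.co.uk",          # the address shown in the thread's To:
             "boaterdave@hotmail.co.uk",        # constructed: a second envelope recipient
             "someone.else@example.net"]        # constructed
    send_bulk(srv, "info@behavmed.com", rcpts, "boab_doc@hotmail.co.uk",
              "Your order reference is 37852", "Dear, Customer\n")
    return srv


if __name__ == "__main__":
    s = demo()
    for r in s.rcpt_to:
        print(f"envelope RCPT TO {r:28} -> To: header reads {header_to_seen_by(s, r)}")
```

The only thing that decides where a copy goes is the RCPT TO list; the recipient's mail client never sees that list, only the To: line the sender typed into DATA.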

  3. #3
    Mike Easter Guest

    Re: This email was received today

    ~BD~ wrote:

    > http://radiolunaser.com/order2/Order...@hotmail.co.uk


    The payload is Order.zip.

    This is the result of testing that file at VirusTotal

    http://bit.ly/ir4ZDf+ (previewable)

    The contents are an Order.Doc file which has 5/43 positives

    ClamAV Suspect.DoubleExtension-zippwd-12
    Kaspersky Trojan-Spy.Win32.SpyEyes.hdy
    NOD32 a variant of Win32/Kryptik.NON
    Sophos Mal/BredoZp-B
    VIPRE FraudTool.Win32.AVSoft (v)

    If you were so inclined, you could carefully examine the .doc.

    --
    Mike Easter

  4. #4
    David H. Lipman Guest

    Re: This email was received today

    From: "Mike Easter" <MikeE@ster.invalid>

    > ~BD~ wrote:
    >
    >> hxxp://radiolunaser.com/order2/Order.zip?to_client:boab_doc@hotmail.co.uk

    >
    > The payload is Order.zip.
    >
    > This is the result of testing that file at VirusTotal
    >
    > http://www.virustotal.com/file-scan/...f4b-1305032477
    >
    > The contents are an Order.Doc file which has 5/43 positives
    >
    > ClamAV Suspect.DoubleExtension-zippwd-12
    > Kaspersky Trojan-Spy.Win32.SpyEyes.hdy
    > NOD32 a variant of Win32/Kryptik.NON
    > Sophos Mal/BredoZp-B
    > VIPRE FraudTool.Win32.AVSoft (v)
    >
    > If you were so inclined, you could carefully examine the .doc.
    >


    Please stop feeding the BD troll.

    You are also wrong. The file is NOT a DOC file it is an EXE file.
    Order.Doc________________________________________________________________________.exe

    Also in the future, please obfuscate malicious URLs and don't use shortened URLs via
    Libya.

    This malware copies itself to;
    C:\Recycle.Bin\Recycle.Bin.exe
    creates;
    C:\Recycle.Bin\config.bin

    It hooks into many running processes.

    It communicates to; csgametome2.com via TCP port 444
    as well as uploading encrypted data via; /~a?brvalg/g?ate.php

    It creates a Mutex of; 2HiH8UlWBE0Me8DueMgM0VQKflf280p



    --
    Dave
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



  5. #5
    ~BD~ Guest

    Re: This email was received today

    Mike Easter wrote:
    > ~BD~ wrote:
    >> You will see in the message info. below that this email was addressed
    >> as shown:
    >>
    >> To: <boab_doc@hotmail.co.uk>
    >>
    >> How can it have arrived in *my* inbox (I'm BoaterDave at hotmail.co.uk)

    >
    > Short version:
    >
    > What the mail recipient sees in the To: field is only what the sender
    > constructed/configured to populate the To: field. A great many other
    > recipients can receive the same mail.
    >
    > Another version:
    >
    > If you (yourself with your mail agent) construct a mail to send to a
    > great many recipients, it is not necessary (nor wise nor polite) to put
    > all of your recipients into the To: field. Instead you can put all of
    > them into the BCC field. Or you can put one of them into the To: field
    > and then all of the recipients you included in the BCC field will get a
    > mail showing that person's To:


    I understand. Thanks, Mike.

    > Another version:
    >
    > For some discussions, it is useful to consider the concept of what some
    > call the 'smtp envelope' which is a series of transactions between the
    > sender and the smtp server. Those elements consist of HELO, MAIL FROM,
    > RCPT TO, and DATA. The information concerning who is to receive the mail
    > is in the RCPT TO part. The information about the structure of the mail
    > such as subject and from and to and cc is contained in the DATA section.


    I'll ponder on that info. Thanks again.

  6. #6
    ~BD~ Guest

    Re: This email was received today

    Mike Easter wrote:
    > ~BD~ wrote:
    >
    >> http://radiolunaser.com/order2/Order...@hotmail.co.uk

    >
    > The payload is Order.zip.
    >
    > This is the result of testing that file at VirusTotal
    >
    > http://bit.ly/ir4ZDf+ (previewable)
    >
    > The contents are an Order.Doc file which has 5/43 positives
    >
    > ClamAV Suspect.DoubleExtension-zippwd-12
    > Kaspersky Trojan-Spy.Win32.SpyEyes.hdy
    > NOD32 a variant of Win32/Kryptik.NON
    > Sophos Mal/BredoZp-B
    > VIPRE FraudTool.Win32.AVSoft (v)
    >
    > If you were so inclined, you could carefully examine the .doc.
    >


    Most interesting!

    As I'm currently aboard my narrowboat, with no back-up facilities, I'll
    not do anything which might put my computer out of action! I'll leave
    you clever folk to play with what I've put forward.

    <aside> I don't like the way Mr Lipman talks down to you Mike. It's
    totally unnecessary and provocative. He should be much more adult IMO.

  7. #7
    Mike Easter Guest

    Re: This email was received today

    ASCII wrote:
    > Mike Easter wrote:
    >> If you were so inclined, you could carefully examine the .doc.

    >
    > Under properties it says the description is;
    > [Xcrevq Skybeorm Fdxppy]
    > with a file version of [24.97.118.11]
    > which resolves to [rrcs-24-97-118-11.nys.biz.rr.com]
    > And runs as KKA5C.exe but I don't know yet what it's doing or trying.


    I didn't take it out of the .zip archive. It is a somewhat boring (and
    embarrassing) story about how the file appeared in the gnome archive
    manager that misled me (allowed me to mislead myself) which I will tell
    on myself if anyone wants those details.

    It starts with the gnome File Roller filename display ending in an
    ellipsis, like this 'Order.Doc...' and includes a filetype like this
    'DOS/Windo...' along with the date modified and filesize.

    If I expand the archive manager's field spaces, it not only shows the
    .exe name but tells me in 'longhand' about the executable filetype:

    DOS/Windows executable


    --
    Mike Easter
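The padded double extension that Lipman calls out in #4 and that Mike describes being truncated by File Roller in #7, as an added example that is not code from the thread: a small Python inspector lists a zip's members by their last extension and by magic bytes instead of by the display name, so 'Order.Doc____...____.exe' is reported as a PE executable rather than as 'Order.Doc...'. The archive, the underscore count, the narrow display width and the decoy/executable extension lists are all constructed or assumed for the demo; the member content is a dummy blob with an MZ header, not the real sample.

```python
"""
Added example, not code from the thread: list a zip attachment's members the
way a careful archive viewer should, so that a name such as
'Order.Doc____...____.exe' is reported as a Windows executable instead of
being shown truncated as 'Order.Doc...'. The archive is constructed in
memory for the demo; its contents are dummy blobs, not the real sample.
"""
import io
import re
import zipfile

# Constructed stand-in for the padded member name quoted in the thread:
# a document-looking prefix, a long run of underscores, then the real .exe suffix.
PADDED_NAME = "Order.Doc" + "_" * 60 + ".exe"

DISPLAY_WIDTH = 12  # assumed narrow name column, like the archive-manager view that misled the poster

# Assumed lists: extensions commonly used as a decoy, and as the real executable suffix.
DECOY_EXTS = r"doc|docx|pdf|xls|jpg|txt"
EXEC_EXTS = r"exe|scr|com|pif|bat|cmd"
DOUBLE_EXT = re.compile(rf"\.({DECOY_EXTS})[\s_\-]{{2,}}\.({EXEC_EXTS})$", re.I)

# Magic numbers recognised by sniff(); only the first matters for the thread.
MAGIC = {
    b"MZ": "pe-executable",
    b"PK\x03\x04": "zip",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2-document",
}


def displayed_name(name, width=DISPLAY_WIDTH):
    """Truncate with an ellipsis the way a GUI name column does; the real suffix falls off."""
    return name if len(name) <= width else name[: width - 3] + "..."


def true_extension(name):
    """Last extension, lower-cased, ignoring whatever padding precedes it."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_padded_double_extension(name):
    """True for '<decoy ext><run of spaces/underscores/dashes><executable ext>'."""
    return DOUBLE_EXT.search(name) is not None


def sniff(head):
    """Classify a member by its leading bytes rather than by its name."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def inspect_zip(data):
    """One finding per member; 'suspicious' when the name carries a padded double
    extension or when PE magic contradicts a non-executable extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                head = fh.read(8)
            ext = true_extension(info.filename)
            kind = sniff(head)
            padded = is_padded_double_extension(info.filename)
            findings.append({
                "displayed": displayed_name(info.filename),
                "true_ext": ext,
                "padded": padded,
                "magic": kind,
                "suspicious": padded or (kind == "pe-executable"
                                         and ext not in ("exe", "dll", "scr")),
            })
    return findings


def build_demo_zip():
    """Constructed archive: one padded-name member with an MZ header, one benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(PADDED_NAME, b"MZ" + b"\x00" * 62)  # dummy blob; only the magic matters
        zf.writestr("readme.txt", b"just text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_demo_zip()):
        print(finding)
```

The point is that neither the display name nor the claimed extension is trusted: the last extension is taken after the padding, and the member's leading bytes are checked independently, so a renamed executable is flagged even when its name would look like a document in a narrow column.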

  8. #8
    Peter Foldes Guest

    Re: This email was received today

    "~BD~" <~BD~@nomail.afraid.com> wrote in message news:iqbqd9$u6q$1@dont-email.me...
    > Mike Easter wrote:
    >> ~BD~ wrote:



    > <aside> I don't like the way Mr Lipman talks down to you Mike. It's totally
    > unnecessary and provocative. He should be much more adult IMO.


    David

    Once and for all, stop your stupid and unnecessary trolling and enjoy your boat
    instead of starting crap as you always do for no reason whatsoever.

    --
    Peter
    Please Reply to Newsgroup for the benefit of others
    Requests for assistance by email can not and will not be acknowledged.
    This posting is provided "AS IS" with no warranties, and confers no rights.
    http://www.microsoft.com/protect


  9. #9
    Peter Foldes Guest

    Re: This email was received today

    "~BD~" <~BD~@nomail.afraid.com> wrote in message news:iqb2ci$1hv$1@dont-email.me...
    > You will see in the message info. below that this email was addressed as shown:




    You friggin bull****ter. You read the write-up about this TODAY in the UK version of
    the following below

    http://hijack-this.co.uk/2011/05/new...pam-order-zip/

    Why play this game BD. You are a real ugly Troll who should be gone from these
    groups

    --
    Peter
    Please Reply to Newsgroup for the benefit of others
    Requests for assistance by email can not and will not be acknowledged.
    This posting is provided "AS IS" with no warranties, and confers no rights.
    http://www.microsoft.com/protect



  10. #10
    Mike Easter Guest

    Re: This email was received today

    Peter Foldes wrote:
    > "~BD~"
    >> You will see in the message info. below that this email was addressed
    >> as shown:


    > You friggin bull****ter. You read the write up about this TODAY in the
    > UK version of the following below
    >
    > http://hijack-this.co.uk/2011/05/new...pam-order-zip/


    There's nothing - textwise - to copy and paste from there. Those are
    screenshot graphics.

    --
    Mike Easter
