Is it a virus or a Trojan Horse? What does it do exactly?
My eMac cannot run it, so I cannot tell you.
I open it with Emacs and it contains this:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity
    type="win32"
    processorArchitecture="*"
    version="6.0.0.0"
    name="mash"
  />
  <description>AutoIt 3</description>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity
        type="win32"
        name="Microsoft.Windows.Common-Controls"
        version="6.0.0.0"
        language="*"
        processorArchitecture="*"
        publicKeyToken="6595b64144ccf1df"
      />
    </dependentAssembly>
  </dependency>
</assembly>
I like the text - I work at Microsoft ...
Bernard
> I found this on our intranet (I work at Microsoft), and as I'm not
> working there anymore soon I thought it would be nice for all you guys
> and girls to get your hands on it. I've put it on
> http://matweb.info/~hotmail/hotmail.rar
>
> Have fun!
Let me see if I get this correctly ... you have stolen an internal
file from Microsoft and you are distributing it in a usenet group.
And you think anyone out here dumb enough to blindly open an archive
file not knowing its contents.
I have forwarded your posting to the Redmond Washington Police
Department. And hope they find you quickly.
--
Daniel A. Morgan
University of Washington
damo...@x.washington.edu
(replace 'x' with 'u' to respond)
What's wrong with unpacking an archive file? I do that every time
with software distributions. Most of the time they contain a
README file, but even if they didn't, you are free to look through
files, no?
If it says that the archive is *not* for everyone to read (like
"this is MS property"), then maybe that's a sign you should stop.
--
No man is good enough to govern another man without that other's
consent. -- Abraham Lincoln
People really believe this ???
> DA Morgan wrote:
>
>> Let me see if I get this correctly ... you have stolen an internal
>> file from Microsoft and you are distributing it in a usenet group.
>> And you think anyone out here dumb enough to blindly open an archive
>> file not knowing its contents.
>
>
> What's wrong with unpacking an archive file? I do that every time with
> software distributions. Most of the time they contain a README file,
> but even if they didn't, you are free to look through files, no?
>
> If it says that the archive is *not* for everyone to read (like "this is
> MS property"), then maybe that's a sign you should stop.
Here at the University of Washington there have been demonstrations of
archive files that autoexecute when opened (not even unpacked) which is
more than enough to trigger an attack.
How serious is the problem? All .zip files are deleted by our mail
server. I'll let you be the judge, knowing that, of how you feel about
opening an archive that is self-identified as stolen from an internal
web site (what does that say about the poster's integrity level) and
for which the poster has done his or her best to not reveal what is
actually contained.
Microsoft is now involved. If this person is truly inside the company
they may well exit sooner than they planned ... and not through the
front door. I've as much use for thieves as for spammers.
What's "opening" an archive file and how does it execute
something?? An archive is a container format, and as such,
passive data. You can look at the contents, or extract the files
within. If your look-at-archive program executes random stuff,
it's horribly broken.
> How serious is the problem? All .zip files are deleted by our mail
> server. I'll let you be the judge, knowing that, of how you feel about
> opening an archive that is self-identified as stolen from an internal
> web site (what does that say about the poster's integrity level) and
> for which the poster has done his or her best to not reveal what is
> actually contained.
WHAT? I'd get quite furious if someone just deleted all zips in
my email! Why not just delete all emails, then you can't get spam
anymore!
> Microsoft is now involved. If this person is truly inside the company
> they may well exit sooner than they planned ... and not through the
> front door. I've as much use for thieves as for spammers.
I believe it's a virus inside, and no secret MS stuff. So even if
there is, how can I be guilty for just *looking* inside? Isn't
that the same as finding top-secret documents on the street and
looking at them? I didn't sign no NDA. Of course if it's MS
code, then distributing it would be illegal.
> DA Morgan wrote:
>
>> Here at the University of Washington there have been demonstrations of
>> archive files that autoexecute when opened (not even unpacked) which is
>> more than enough to trigger an attack.
>
>
> What's "opening" an archive file and how does it execute something??
But it does or should I say can. It is not that hard to do but I'm not
going to advertise how as we seem to already have more than enough
people doing malicious computing without creating more.
>> How serious is the problem? All .zip files are deleted by our mail
>> server. I'll let you be the judge, knowing that, of how you feel about
>> opening an archive that is self-identified as stolen from an internal
>> web site (what does that say about the poster's integrity level) and
>> for which the poster has done his or her best to not reveal what is
>> actually contained.
>
> WHAT? I'd get quite furious if someone just deleted all zips in my
> email! Why not just delete all emails, then you can't get spam anymore!
Get angry if you wish but don't expect to be faculty or student at the
University of Washington.
>> Microsoft is now involved. If this person is truly inside the company
>> they may well exit sooner than they planned ... and not through the
>> front door. I've as much use for thieves as for spammers.
>
> I believe it's a virus inside, and no secret MS stuff. So even if there
> is, how can I be guilty for just *looking* inside? Isn't that the same
> as finding top-secret documents on the street and looking at them? I
> didn't sign no NDA. Of course if it's MS code, then distributing it
> would be illegal.
Don't know ... don't care. I handed it off, with full headers, to the
proper authorities and they were not amused.
With the spammer... or with you for wasting their time?
If you do this with every piece of spam you come across it indicates
that you have a lot of free time on your hands.
By the way, for your information, the OP, although spamming, for
which he should be quite rightly be condemned, was not distributing
a file in a usenet group... just its location.
Axel
Hm.... How could this be a hotmail password request tool when it was
made with AutoIt v3 (http://www.autoitscript.com/autoit3/)? Does it
find passwords on my computer by executing a series of keystrokes or
mouse clicks or something?
P.S. With the large list of newsgroups you posted to (5), I don't see
why you didn't post to alt.please.dosomething.bad.to.my.computer or
alt.i.am.dumb. You might have more luck with them.
--
k g a b e r t (at) x m i s s i o n (dot) c o m
*Support Mozilla Firefox*!
http://www.spreadfirefox.com/?q=user/register&r=71209
Some very basic tools would show that is a waste of time:
C:\>nslookup 62.195.137.150
Server: csfw01.cs.nl
Address: 192.168.1.101
Name: i137150.upc-i.chello.nl
Address: 62.195.137.150
$ whois matweb.info
Domain ID:D6093059-LRMS
Domain Name:MATWEB.INFO
Created On:22-Jul-2004 17:04:21 UTC
Registrant Country:NL
Admin Country:NL
Billing Country:NL
Lots of info snipped.
Seems the stuff comes from The Netherlands.
And it looks like a spammer tool: request a hotmail
account by email; presumably to generate bulkmail
from, and abandon the account again.
Nothing out-of-the ordinary...
I make it a habit of checking out things like this,
to avoid generating email about hoaxes, etc.
Followup set for cdo.server only. Posted in cdos only
--
Regards,
Frank van Bortel
> WHAT?
This is happening to several of my friends, especially in academia.
You would think people *knew*, or at least, investigate, in
those circles <g>
I don't think the Redmond Police Dept will be able
to do much, as the posting is showing an address
in Holland, in the headers. 62.195.137.150
points to a computer at chello.nl, in Holland.
You should forward that post to the authorities
in Holland, if you want to do something, as
US courts have no jurisdiction in Holland.
You'd be surprised. Our local law enforcement agencies, remember
Microsoft is in Redmond, are quite good and have very good relations
internationally including into the former Soviet Union.
I've no doubt they will pursue it based on other similar cases. Keep
in mind this is not just about fact ... it is also about appearance.
Microsoft does not even want a rumor flying around about something
like this.
What if someone changed the file extension to
something like ZPP? That would get it past the
filters that delete ZIP files.
>
> --
> spam9...@rrohio.com
> remove 999 in order to email me
>
> DA Morgan wrote:
>> Let me see if I get this correctly ... you have stolen an internal
>> file from Microsoft and you are distributing it in a usenet group.
>> And you think anyone out here dumb enough to blindly open an archive
>> file not knowing its contents.
>
> What's wrong with unpacking an archive file? I do that every time with
> software distributions. Most of the time they contain a README file,
> but even if they didn't, you are free to look through files, no?
>
> If it says that the archive is *not* for everyone to read (like "this
> is MS property"), then maybe that's a sign you should stop.
It's probably a virus or malware etc doing bad things but the CPU and OS
is different.
This thing we see may be the first propagation of a new usenet/mail worm and
I bet the poster has no clue what 'usenet' is, machine zombied.
Come on, nobody can be _that_ stupid lol.
Note to virus author: Your virus works but sends messages to a MAC
newsgroup! :P
Ilgaz Ocal
> I found this on our intranet (I work at Microsoft), and as I'm not
> working there anymore soon I thought it would be nice for all you guys
> and girls to get your hands on it. I've put it on
> http://matweb.info/~hotmail/hotmail.rar
>
> Have fun!
W32.Goldun.M virus, Intego virus barrier reports.
I saved a lot of people from checking the file I bet ;)
Yay, so I have an anti virus in fact :P
Ilgaz
And posted via groups.google.com , definitely reporting to google. Very
interesting! Google got no NNTP access yes?
Ilgaz
--
Terry Dykstra
Canadian Forest Oil Ltd.
"Charles Newman" <charles...@comcast.net.spammers.will.be.shot.on.sight>
wrote in message news:IvGdnQw8j5L...@comcast.com...
Genius has its limitations. Stupidity knows no boundaries.
In comp.lang.lisp Charles Newman <charles...@comcast.net.spammers.will.be.shot.on.sight> wrote:
> "Leythos" <vo...@nowhere.lan> wrote in message
> news:Qkb9e.6157$0V2....@tornado.ohiordc.rr.com...
>> It's very common, and a good method, to delete Zip files that are
>> passworded or can't be opened and the contents scanned for malicious code
>> by the email av or firewall software. We always delete unscannable zip
>> file.
>
> What if someone changed the file extension to something like ZPP? That
> would get it past the filters that delete ZIP files.
We do not delete ZIP attachments (or -ever- alter message bodies) but it
is relatively trivial to detect the real file type of an attachment,
even if it is maliciously renamed to conceal it.
Email attachments are encoded using Base-64, which is deterministic --
so the "magic numbers" at the beginning of a binary data file will
always come out to a given pattern of Base-64 encoding. Thus, a simple
regular-expression matcher (as is built in to the Postfix MTA and many
others) will suffice to detect and reject messages with attachments of a
given type, even renamed.
It was in response to anti-virus software that can scan into ZIP files
that some email viruses started sending themselves as passworded files.
They'd include the password in the message body and instruct the user to
open the attachment using it. Nobody should be surprised that this
worked -- indeed, telling the user that the attached document is so
important that it had to be passworded is a good bit of social
engineering.
I personally consider it bad practice for a mail server to alter the
contents of a message, as by deleting an attachment. Doing so creates
the (correct!) impression that "the computer people are fooling with my
email" and damages users' trust. It also fails to inform the *sender*
that the message was not transmitted successfully -- and the SMTP
language has no way to express 'partial delivery'.
What's more, it's not terribly effective at reducing the fuss and bother
associated with viruses. Email viruses do not attach themselves to
'real' messages -- they send messages of their own, which serve no
purpose but to pass the virus. Stripping the attachment off such a
message and delivering it tells the user, "I know this message was junk
meant to harm you. I killed it. Here, have its corpse!" Except to the
sort of user who *likes* it when the cat delivers dead birds and mice,
this is silly behavior. Users have enough clutter in their mailboxes
without the corpses of viruses added to the mix.
When a message comes in that the security rules say must not be
delivered, the sensible thing for the mail server to do is to simply
reject it. SMTP rejection means the recipient's mail server doesn't
even accept the message for delivery -- it says "no, thank you" and
leaves it up to the sender's mail server to report the failure. In the
case of a virus, the sender usually just goes away and harasses someone
else. In the case of real mail erroneously intercepted, the rejection
can come with an informative error message ("Sorry, we don't allow ZIP
files in email. Please use a file transfer protocol when you want to
transfer files!") that the sender will then receive and can handle
appropriately.
--
Karl A. Krueger <kkru...@example.edu> { s/example/whoi/ }
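Karl's observation that base64 output is deterministic can be turned into filter rules directly. The following is an added example, not Karl's code and not Postfix's own configuration: it derives the base64 prefix regex for a given magic number (the MAGIC table is constructed here, with a deliberately short EXE entry) and applies the rules line by line to a constructed message carrying a genuine ZIP renamed to .zpp, the rename trick Charles asked about.

```python
import base64
import io
import re
import zipfile

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Leading bytes of the container types discussed in the thread (constructed
# table). Two bytes for EXE is deliberately short to exercise the partial-group
# case; a production rule should use more of the DOS stub so ordinary text
# lines cannot match by accident.
MAGIC = {
    "zip": b"PK\x03\x04",
    "rar": b"Rar!\x1a\x07",
    "exe": b"MZ",
}

def b64_prefix_regex(magic: bytes) -> str:
    """Regex for the first base64 line of any file that starts with `magic`.
    Base64 maps each 3 input bytes to 4 characters, and an attachment is
    encoded from its first byte, so alignment is fixed: whole groups give
    exact characters; 1 or 2 leftover bytes fix the next 1 or 2 characters
    and leave a character class for the one sharing bits with unknown data."""
    full, rem = divmod(len(magic), 3)
    exact = base64.b64encode(magic[: full * 3]).decode()
    tail = magic[full * 3:]
    cls = ""
    if rem == 1:
        b0 = tail[0]
        exact += B64[b0 >> 2]                  # top 6 bits of b0
        lo = (b0 & 0x3) << 4                   # 2 known bits, 4 unknown
        cls = "[" + re.escape("".join(B64[lo + i] for i in range(16))) + "]"
    elif rem == 2:
        b0, b1 = tail
        exact += B64[b0 >> 2] + B64[((b0 & 0x3) << 4) | (b1 >> 4)]
        lo = (b1 & 0xF) << 2                   # 4 known bits, 2 unknown
        cls = "[" + re.escape("".join(B64[lo + i] for i in range(4))) + "]"
    return "^" + re.escape(exact) + cls

RULES = {name: re.compile(b64_prefix_regex(m)) for name, m in MAGIC.items()}

def classify_body(message: str) -> set:
    """Apply the rules line by line, the way Postfix body_checks does, and
    report every type whose magic number shows up, whatever the filename says."""
    return {name for line in message.splitlines()
            for name, rx in RULES.items() if rx.match(line)}

def constructed_message() -> str:
    """Constructed sample: a genuine ZIP attached as 'report.zpp', the rename
    trick proposed in the thread for slipping past extension-based filters."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello\n")
    body = base64.encodebytes(buf.getvalue()).decode()   # wrapped at 76 cols
    return ('Content-Type: application/octet-stream; name="report.zpp"\n'
            "Content-Transfer-Encoding: base64\n\n" + body)
```

For ZIP the derived rule is `^UEsDB[ABCDEFGHIJKLMNOP]`; the longer the magic number, the fewer innocent text lines a per-line rule can hit.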
Why not put a passworded zip into a scannable zip?
André
--
Then the usual user will not be able to open the zipfile when it has a
zpp-extension and not be able to click the file inside "naked_woman.exe"
which actually is a virus.
Deleting executable attachments and unscannable zips from the mail is
done in most of the companies I sysadmin. Some users still click on
everything that has an icon and a promising name. MS-click-me-advertising
has done some brain damage to the weaker minded.
best,
peter
How about the admins doing their job instead of deleting stuff in
users' email? Like choosing a secure OS in the first place that
runs the productivity apps the user needs, or running a solid
backup-policy (when a stupid user fries his directory, boss
screams at him for a while, but data can be restored), or running
stuff in a sandbox (well, on Windows that probably means that you
ONLY fry your own directory).
> peter pilsl wrote:
>> Deleting executable attachments and unscannable zips from the mail is
>> done in most of the companies I sysadmin. Some users still click on
>> everything that has an icon and a promising name. MS-click-me-advertising
>> has done some brain damage to the weaker minded.
>
> How about the admins doing their job instead of deleting stuff in
> users' email? Like choosing a secure OS in the first place that
> runs the productivity apps the user needs,
Perhaps the admin could square the circle as an encore. Much, even
most, of the time, the apps that the users and management insist on
runs *only* on Windows.
> or running a solid
> backup-policy (when a stupid user fries his directory, boss
> screams at him for a while, but data can be restored),
Fine. *You* can be in charge of running the daily restores, while
the boss yells at you for the downtime, and the user yells at you
for the lost work that was done since the last backup. You let
this crap through and you will spend all day restoring one user
after another.
> or running
> stuff in a sandbox (well, on Windows that probably means that you
> ONLY fry your own directory).
And how, exactly, are you going to get your apps to run, considering
that all of them require admin access to run at all?
Do you have any *practical* alternatives?
>
--
Christopher Mattern
"Which one you figure tracked us?"
"The ugly one, sir."
"...Could you be more specific?"
Then pick BSD. Anyway, with a Firewall I doubt that Linux can
really be infected. Updates are usually painless too.
> Installing av software and or a firewall policy that blocks malicious
> attachments from gaining access to company resources is part of an admins
> job, at least in every government, commercial and private company I've
> worked for or designed the networks for.
Blocking infected attachments is relatively ok, unless you are a
company that has an interest in sending viruses per mail (like an
AV company).
Just deleting all zips (or encrypted ones) is bloody stupid though.
> I've been running many platforms since the 70's and never experienced a
> virus or compromised system on any network I've managed or designed,
> including Windows based networks/systems, so it would seem that security
> is not really an issue for the Windows platforms, it's more a problem
> when you have ignorant administrators or ones that pretend to know about
> security.
From this thread I gathered that the problem seems to be not the
security (stuff sent with email is just passive files!), but
rather the dumb user that has to push the button on every bomb he
finds.
Strange ... my up-to-date AVG freeware anti-virus didn't detect any virus in
the rar file. What anti-virus software do you use ?
Matthias
It's a Mac antivirus, Intego Virusbarrier for OS X. Interesting really.
But don't expect anything good from stuff like that (password crack)
Ilgaz
WTH do you run an antivirus on your Mac??
I've heard that in some cases they even do harm (was it Norton?),
and they definitely don't do any good. Where should you get a Mac
virus from (except by running a script that wipes your home
directory...)?
My Mac stays clean :)
Strangely enough a certain large software company relevant to at least
one of the ngs on this thread bans zip attachments in their email.
Instead the SOP is to drop the file onto a central database masquerading
as a file system, and then simply embed the link in the email rather
than attach it. This SOP works well for a number of reasons.
> Ilgaz wrote:
>> It's a Mac antivirus, Intego Virusbarrier for OS X. Interesting really.
>>
>> But don't expect anything good from stuff like that (password crack)
>
> WTH do you run an antivirus on your Mac??
>
> I've heard that in some cases they even do harm (was it Norton?), and
> they definitely don't do any good. Where should you get a Mac virus
> from (except by running a script that wipes your home directory...)?
>
> My Mac stays clean :)
My plan was buying MS office, so bought antivirus. Nothing else, no..
There is no virus currently on mac except some evil scripts you mention.
Whatever
Ilgaz
>
>"Ilgaz" <Il...@spamcop.net> wrote in message
>>
>> W32.Goldun.M virus, Intego virus barrier reports.
>>
>Strange ... my up-to-date AVG freeware anti-virus didn't detect any virus in
>the rar file. What anti-virus software do you use ?
McAfee doesn't detect anything either.
George
--
for email reply remove "/" from address