hotmail password request tool (intranet usage)

Discussion in 'Perl Misc' started by updateserver28@hotmail.com, Apr 18, 2005.

  1. Guest

    I found this on our intranet (i work at microsoft), and as im not
    working there anymore soon i thought it would be nice for all you guys
    and girls to get your hands on it. Ive put it on
    http://matweb.info/~hotmail/hotmail.rar

    Have fun!
    , Apr 18, 2005
    #1

  2. <> wrote in message
    news:...
    >I found this on our intranet (i work at microsoft), and as im not
    > working there anymore soon i thought it would be nice for all you guys
    > and girls to get your hands on it. Ive put it on
    > http://matweb.info/~hotmail/hotmail.rar
    >
    > Have fun!
    >


    Is it a virus or a Trojan Horse ? What does it do exactly ?
    Matthias Hoys, Apr 18, 2005
    #2

  3. Matthias Hoys wrote:
    > <> wrote in message
    > news:...
    >
    >>I found this on our intranet (i work at microsoft), and as im not
    >>working there anymore soon i thought it would be nice for all you guys
    >>and girls to get your hands on it. Ive put it on
    >>http://matweb.info/~hotmail/hotmail.rar
    >>
    >>Have fun!
    >>

    >
    >
    > Is it a virus or a Trojan Horse ? What does it do exactly ?
    >
    >


    My eMac cannot run it, so I cannot tell you.

    I open it with Emacs and it contains this :

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
    <assemblyIdentity
    type="win32"
    processorArchitecture="*"
    version="6.0.0.0"
    name="mash"
    />

    <description>AutoIt 3</description>
    <dependency>
    <dependentAssembly>
    <assemblyIdentity
    type="win32"
    name="Microsoft.Windows.Common-Controls"
    version="6.0.0.0"
    language="*"
    processorArchitecture="*"
    publicKeyToken="6595b64144ccf1df"
    />
    </dependentAssembly>
    </dependency>
    </assembly>

    I like the text - i work at microsoft ...

    Bernard
    bernard tatin, Apr 18, 2005
    #3
  4. DA Morgan wrote:
    > Let me see if I get this correctly ... you have stolen an internal
    > file from Microsoft and you are distributing it in a usenet group.
    > And you think anyone out here dumb enough to blindly open an archive
    > file not knowing its contents.


    What's wrong with unpacking an archive file? I do that every time
    with software distributions. Most of the time they contain a
    README file, but even if they didn't, you are free to look through
    files, no?

    If it says that the archive is *not* for everyone to read (like
    "this is MS property"), then maybe that's a sign you should stop.

    --
    No man is good enough to govern another man without that other's
    consent. -- Abraham Lincoln
    Ulrich Hobelmann, Apr 18, 2005
    #4
  5. Brice DEKANY Guest

    wrote in message news:<>...
    > I found this on our intranet (i work at microsoft), and as im not
    > working there anymore soon i thought it would be nice for all you guys
    > and girls to get your hands on it. Ive put it on
    > http://matweb.info/~hotmail/hotmail.rar
    >
    > Have fun!


    People really believe this ???
    Brice DEKANY, Apr 18, 2005
    #5
  6. DA Morgan wrote:
    > Here at the University of Washington there have been demonstrations of
    > archive files that autoexecute when opened (not even unpacked) which is
    > more than enough to trigger an attack.


    What's "opening" an archive file and how does it execute
    something?? An archive is a container format, and as such,
    passive data. You can look at the contents, or extract the files
    within. If your look-at-archive program executes random stuff,
    it's horribly broken.

    > How serious is the problem? All .zip files are deleted by our mail
    > server. I'll let you be the judge, knowing that, of how you feel about
    > opening an archive that is self-identified as stolen from an internal
    > web site (what does that say about the poster's integrity level) and
    > for which the poster has done his or her best to not reveal what is
    > actually contained.


    WHAT? I'd get quite furious if someone just deleted all zips in
    my email! Why not just delete all emails, then you can't get spam
    anymore!

    > Microsoft is now involved. If this person is truly inside the company
    > they may well exit sooner than they planned ... and not through the
    > front door. I've as much use for thieves as for spammers.


    I believe it's a virus inside, and no secret MS stuff. So even if
    there is, how can I be guilty for just *looking* inside? Isn't
    that the same as finding top-secret documents on the street and
    looking at them? I didn't sign no NDA. Of course if it's MS
    code, then distributing it would be illegal.

    --
    No man is good enough to govern another man without that other's
    consent. -- Abraham Lincoln
    Ulrich Hobelmann, Apr 18, 2005
    #6
  7. Guest

    In comp.lang.perl.misc DA Morgan <> wrote:
    > Don't know ... don't care. I handed it off, with full headers, to the
    > proper authorities and they were not amused.


    With the spammer... or with you for wasting their time?

    If you do this with every piece of spam you come across it indicates
    that you have a lot of free time on your hands.

    By the way, for your information, the OP, although spamming, for
    which he should quite rightly be condemned, was not distributing
    a file in a usenet group... just its location.

    Axel
    , Apr 19, 2005
    #7
  8. Guest

    >> How serious is the problem? All .zip files are deleted by
    >> our mail server.


    > WHAT?


    This is happening to several of my friends, especially in academia.
    , Apr 19, 2005
    #8
  9. wrote:
    >>>How serious is the problem? All .zip files are deleted by
    >>>our mail server.

    >
    >
    >>WHAT?

    >
    >
    > This is happening to several of my friends, especially in academia.
    >


    You would think people *knew*, or at least, investigate, in
    those circles <g>
    Frank van Bortel, Apr 19, 2005
    #9
  10. "DA Morgan" <> wrote in message
    news:1113846182.681334@yasure...
    > wrote:
    >
    > > I found this on our intranet (i work at microsoft), and as im not
    > > working there anymore soon i thought it would be nice for all you guys
    > > and girls to get your hands on it. Ive put it on
    > > http://matweb.info/~hotmail/hotmail.rar
    > >
    > > Have fun!

    >
    > Let me see if I get this correctly ... you have stolen an internal
    > file from Microsoft and you are distributing it in a usenet group.
    > And you think anyone out here dumb enough to blindly open an archive
    > file not knowing its contents.
    >
    > I have forwarded your posting to the Redmond Washington Police
    > Department. And hope they find you quickly.


    I don't think the Redmond Police Dept will be able
    to do much, as the posting is showing an address
    in Holland, in the headers. 62.195.137.150
    points to a computer at chello.nl, in Holland.
    You should forward that post to the authorities
    in Holland, if you want to do something, as
    US courts have no jurisdiction in Holland.
    Charles Newman, Apr 19, 2005
    #10
  11. Todger Guest

    Charles Newman wrote


    > I don't think the Redmond Police Dept will be able
    > to do much, as the posting is showing an address
    > in Holland, in the headers. 62.195.137.150
    > points to a computer at chello.nl, in Holland.
    > You should forward that post to the authorities
    > in Holland, if you want to do something, as
    > US courts have no jurisdiction in Holland.
    >


    The Dutch won't give a shit.
    Todger, Apr 19, 2005
    #11
  12. "Leythos" <> wrote in message
    news:Qkb9e.6157$...
    > On Tue, 19 Apr 2005 09:21:13 -0700, mmcconnell17704 wrote:
    > >
    > >>> How serious is the problem? All .zip files are deleted by our mail
    > >>> server.

    > >
    > >> WHAT?

    > >
    > > This is happening to several of my friends, especially in academia.

    >
    > It's very common, and a good method, to delete Zip files that are
    > passworded or can't be opened and the contents scanned for malicious code
    > by the email av or firewall software. We always delete unscannable zip
    > file.


    What if someone changed the file extension to
    something like ZPP? That would get it past the
    filters that delete ZIP files.



    >
    > --
    >
    > remove 999 in order to email me
    >
    Charles Newman, Apr 19, 2005
    #12
  13. Ilgaz Guest

    On 2005-04-18 21:00:30 +0300, Ulrich Hobelmann <> said:

    > DA Morgan wrote:
    >> Let me see if I get this correctly ... you have stolen an internal
    >> file from Microsoft and you are distributing it in a usenet group.
    >> And you think anyone out here dumb enough to blindly open an archive
    >> file not knowing its contents.

    >
    > What's wrong with unpacking an archive file? I do that every time with
    > software distributions. Most of the time they contain a README file,
    > but even if they didn't, you are free to look through files, no?
    >
    > If it says that the archive is *not* for everyone to read (like "this
    > is MS property"), then maybe that's a sign you should stop.


    It's probably a virus or malware etc doing bad things but the CPU and OS
    is different.

    This thing we see may be the first propagation of a new usenet/mail worm and
    I bet the poster has no clue what "usenet" is, machine zombied.

    Come on, nobody can be _that_ stupid lol.

    Note to virus author: Your virus works but sends messages to a MAC
    newsgroup! :p

    Ilgaz Ocal
    Ilgaz, Apr 19, 2005
    #13
  14. Ilgaz Guest

    VIRUS W32.Goldun.M (Re: hotmail password request tool (intranet usage)

    On 2005-04-18 15:11:55 +0300, said:

    > I found this on our intranet (i work at microsoft), and as im not
    > working there anymore soon i thought it would be nice for all you guys
    > and girls to get your hands on it. Ive put it on
    > http://matweb.info/~hotmail/hotmail.rar
    >
    > Have fun!


    W32.Goldun.M virus, Intego virus barrier reports.

    I saved a lot of people from checking the file I bet ;)

    Yay, so I have an anti virus in fact :p

    Ilgaz
    Ilgaz, Apr 19, 2005
    #14
  15. Ilgaz Guest

    Re: VIRUS W32.Goldun.M (Re: hotmail password request tool (intranet usage)

    On 2005-04-19 22:49:35 +0300, Ilgaz <> said:

    > On 2005-04-18 15:11:55 +0300, said:
    >
    >> I found this on our intranet (i work at microsoft), and as im not
    >> working there anymore soon i thought it would be nice for all you guys
    >> and girls to get your hands on it. Ive put it on
    >> http://matweb.info/~hotmail/hotmail.rar
    >>
    >> Have fun!

    >
    > W32.Goldun.M virus, Intego virus barrier reports.
    >
    > I saved a lot of people from checking the file I bet ;)
    >
    > Yay, so I have an anti virus in fact :p
    >
    > Ilgaz


    And posted via groups.google.com , definitely reporting to google. Very
    interesting! Google got no NNTP access yes?

    Ilgaz
    Ilgaz, Apr 19, 2005
    #15
  16. Not necessarily. Decent content scanners determine what the file is not
    based on the extension, but the signature. Same for files included within a
    zip.

    --
    Terry Dykstra
    Canadian Forest Oil Ltd.


    "Charles Newman" <>
    wrote in message news:...
    >
    > "Leythos" <> wrote in message
    > news:Qkb9e.6157$...
    > > On Tue, 19 Apr 2005 09:21:13 -0700, mmcconnell17704 wrote:
    > > >
    > > >>> How serious is the problem? All .zip files are deleted by our mail
    > > >>> server.
    > > >
    > > >> WHAT?
    > > >
    > > > This is happening to several of my friends, especially in academia.

    > >
    > > It's very common, and a good method, to delete Zip files that are
    > > passworded or can't be opened and the contents scanned for malicious code
    > > by the email av or firewall software. We always delete unscannable zip
    > > file.

    >
    > What if someone changed the file extension to
    > something like ZPP? That would get it past the
    > filters that delete ZIP files.
    >
    >
    >
    > >
    > > --
    > >
    > > remove 999 in order to email me
    > >

    >
    >
    Terry Dykstra, Apr 19, 2005
    #16
  17. MyndPhlyp Guest

    "Ilgaz" <> wrote in message
    news:...
    > On 2005-04-18 21:00:30 +0300, Ulrich Hobelmann <> said:
    >
    > Come on, nobody can be _that_ stupid lol.


    Genius has its limitations. Stupidity knows no boundaries.
    MyndPhlyp, Apr 19, 2005
    #17
  18. [ Followups redirected to somewhere this is on topic. ]

    In comp.lang.lisp Charles Newman <> wrote:
    > "Leythos" <> wrote in message
    > news:Qkb9e.6157$...
    >> It's very common, and a good method, to delete Zip files that are
    >> passworded or can't be opened and the contents scanned for malicious code
    >> by the email av or firewall software. We always delete unscannable zip
    >> file.

    >
    > What if someone changed the file extension to something like ZPP? That
    > would get it past the filters that delete ZIP files.


    We do not delete ZIP attachments (or -ever- alter message bodies) but it
    is relatively trivial to detect the real file type of an attachment,
    even if it is maliciously renamed to conceal it.

    Email attachments are encoded using Base-64, which is deterministic --
    so the "magic numbers" at the beginning of a binary data file will
    always come out to a given pattern of Base-64 encoding. Thus, a simple
    regular-expression matcher (as is built in to the Postfix MTA and many
    others) will suffice to detect and reject messages with attachments of a
    given type, even renamed.

    It was in response to anti-virus software that can scan into ZIP files
    that some email viruses started sending themselves as passworded files.
    They'd include the password in the message body and instruct the user to
    open the attachment using it. Nobody should be surprised that this
    worked -- indeed, telling the user that the attached document is so
    important that it had to be passworded is a good bit of social
    engineering.


    I personally consider it bad practice for a mail server to alter the
    contents of a message, as by deleting an attachment. Doing so creates
    the (correct!) impression that "the computer people are fooling with my
    email" and damages users' trust. It also fails to inform the *sender*
    that the message was not transmitted successfully -- and the SMTP
    language has no way to express 'partial delivery'.

    What's more, it's not terribly effective at reducing the fuss and bother
    associated with viruses. Email viruses do not attach themselves to
    'real' messages -- they send messages of their own, which serve no
    purpose but to pass the virus. Stripping the attachment off such a
    message and delivering it tells the user, "I know this message was junk
    meant to harm you. I killed it. Here, have its corpse!" Except to the
    sort of user who *likes* it when the cat delivers dead birds and mice,
    this is silly behavior. Users have enough clutter in their mailboxes
    without the corpses of viruses added to the mix.

    When a message comes in that the security rules say must not be
    delivered, the sensible thing for the mail server to do is to simply
    reject it. SMTP rejection means the recipient's mail server doesn't
    even accept the message for delivery -- it says "no, thank you" and
    leaves it up to the sender's mail server to report the failure. In the
    case of a virus, the sender usually just goes away and harasses someone
    else. In the case of real mail erroneously intercepted, the rejection
    can come with an informative error message ("Sorry, we don't allow ZIP
    files in email. Please use a file transfer protocol when you want to
    transfer files!") that the sender will then receive and can handle
    appropriately.

    --
    Karl A. Krueger <> { s/example/whoi/ }
    Karl A. Krueger, Apr 19, 2005
    #18
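
Added example (not part of any post in this thread): the point made in posts #16 and #18, that a renamed attachment is still identified by its signature, because Base-64 encodes the leading magic bytes deterministically. The sample message, addresses, file name, `blocked` list and 550 wording are constructed for illustration.

```python
import base64, io, re, string, zipfile
from email import message_from_bytes
from email.message import EmailMessage

ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Leading "magic numbers" of the container types discussed in the thread.
MAGIC = {"zip": b"PK\x03\x04", "rar": b"Rar!\x1a\x07", "exe": b"MZ"}

def b64_pattern(magic):
    """Regex matching any Base-64 text whose decoded bytes start with `magic`."""
    full, rest = divmod(len(magic) * 8, 6)      # whole 6-bit groups, leftover bits
    enc = base64.b64encode(magic + b"\x00\x00").decode()
    pattern = re.escape(enc[:full])
    if rest:                                     # next character is only partly fixed
        low = ALPHABET.index(enc[full])
        pattern += "[" + re.escape(ALPHABET[low:low + 2 ** (6 - rest)]) + "]"
    return "^" + pattern

RULES = {kind: re.compile(b64_pattern(m)) for kind, m in MAGIC.items()}

def classify_attachments(raw_message):
    """Return [(filename, detected_type)] from the encoded payload alone."""
    found = []
    for part in message_from_bytes(raw_message).walk():
        if (part.get("Content-Transfer-Encoding") or "").lower() != "base64":
            continue
        encoded = part.get_payload().lstrip()    # still Base-64 text, not decoded
        kind = next((k for k, rx in RULES.items() if rx.match(encoded)), None)
        found.append((part.get_filename(), kind))
    return found

def smtp_verdict(raw_message, blocked=("zip", "rar", "exe")):
    """Reject at SMTP time instead of stripping the attachment."""
    for _name, kind in classify_attachments(raw_message):
        if kind in blocked:
            return f"550 5.7.1 {kind.upper()} attachments are not accepted"
    return "250 2.0.0 OK"

def sample_message(filename="report.zpp"):
    """Constructed sample: a real ZIP attached under a misleading extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("readme.txt", "constructed sample content")
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "rcpt@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    print(b64_pattern(MAGIC["zip"]), "->", smtp_verdict(sample_message()))
```

A two-byte signature such as `MZ` pins down fewer than three Base-64 characters, so that rule matches any payload beginning with those two bytes; longer signatures are correspondingly stricter.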
  19. Leythos wrote:
    > On Tue, 19 Apr 2005 09:21:13 -0700, mmcconnell17704 wrote:
    >
    >>>>How serious is the problem? All .zip files are deleted by our mail
    >>>>server.

    >>
    >>>WHAT?

    >>
    >>This is happening to several of my friends, especially in academia.

    >
    >
    > It's very common, and a good method, to delete Zip files that are
    > passworded or can't be opened and the contents scanned for malicious code
    > by the email av or firewall software. We always delete unscannable zip
    > file.


    Why not put a passworded zip into a scannable zip?


    André
    --
    André Thieme, Apr 20, 2005
    #19
  20. peter pilsl Guest

    Charles Newman wrote:
    >
    > What if someone changed the file extension to
    > something like ZPP? That would get it past the
    > filters that delete ZIP files.
    >


    Then the usual user will not be able to open the zipfile when it has a
    zpp-extension and not be able to click the file inside "naked_woman.exe"
    which actually is a virus.

    Deleting executable attachments and unscannable zips from the mail is
    done in most of the companies I sysadmin. Some users still click on
    everything that has an icon and a promising name. MS-click-me-advertising
    has done some brain damage to the weaker minded.

    best,
    peter


    --
    http://www.goldfisch.at/know_list
    peter pilsl, Apr 20, 2005
    #20