Interesting virus - anyone know what this one is called and what it's payload does? Haven't seen this one before today... It attaches a zip file with a password containing an executable. (No worries, I've not run it, and only extracted it on a SPARC machine, so it can't use buffer overflows designed for intel in unzip -- if any exist.) I've seen several of these from various cypherpunk nodes, and initially thought someone was attacking cypherpunks nodes again... So what it is likely grabbing the domian name and capitalizing the first letter and inserting "The" and "team." around it to make it look like it's from the ISP... It's also using various random reasons (mailbox is full, spamming, account about to expire, account abuse, can't go out with you tonight, have to wash hamster's hair, etc.) Interesting that a virus would use an encrypted ZIP file. Of course it does a dumb thing in terms of "security purposes" of sending the password with the attachment. Certainly that isn't something a security wise person would do, *BUT* the true purpose of this ploy is likely an attempt for it to get past virus scanners which demime/unzip files through multiple layers, and would be able to detect the attachment is malware. So this thing is probably carrying code to ZIP+encrypt files as well as MIME and possibly it's own SMTP client... Pretty amazing for a 12K binary... Well, not really. :) I guess I'm used to seeing bloatware like Office 2000 - oh, yeah, forgot, MSFT products are virii.. :-D Many, many, years ago, I recall there were polymorphic virii which encrypted their main body, but used various methods to build the extractor such that you (as an antivirus writer) couldn't easily get signatures from the extractor portion. I believe they used permutations of opcodes which did the same thing under x86, but enough random combinations to prevent getting a useful virus signature. It probably won't be long before we'll start seeing those again in modern virii... Certainly email virus scanners shouldn't allow .EXE - even if inside of .ZIP archives anyway, but it's still interesting to see how the evil virus writers find new ways to push their crud on the "If it's got dancing nude hippos, I'll click on it gladly, safety be damned" sheeple. Now it's just exploiting the "I'll obey any instruction from any so called authority if you throw in the magic word 'reasons of security' in it." What's really funny to me personally is that at my last job we were asked to send self decrypting PGP EXE's that contained the actual data to clients who didn't have PGP, and wouldn't know it from a hole in a wall. We'd then tell them the (usually lame) password over the phone. If any of those clients receive one of these, I can absolutely guarantee that they'll open it and spread this evil crap. A virus pretending to be administration@minder.net wrote:

For security reasons attached file is password protected. The password is "10361".

Kind regards, The Minder.net team http://www.minder.net