Can someone confirm what this is?

Thread starter: Henry Stock

I got about twenty messages like the two whose message headers I extracted
below today. I believe they are carrying some sort of trojans. I do not
see Microsoft sending out unsolicited messages about patches with the
patches attached! And the addresses in this add to that belief. But these
messages are using Microsoft logos and attempting to mimic the Microsoft
site.

I would think Microsoft would not like this and might want to examine this
stuff. It is not setting off any alarms by my antivirus software, but it is
insidious. I need to figure out what to do with this stuff.

Who can I forward it to?

Henry Stock, Network Administrator, onProject, Inc.
=========================================
Microsoft Mail Internet Headers Version 2.0
Received: from beta.fastwebnet.it ([213.140.2.43]) by mail.onproject.com
with Microsoft SMTPSVC(5.0.2195.5329);
Thu, 18 Sep 2003 17:28:17 -0400
Received: from jnntyca (23.255.182.73) by beta.fastwebnet.it (6.7.019)
id 3F69ECF100005D18; Thu, 18 Sep 2003 23:27:46 +0200
Date: Thu, 18 Sep 2003 23:27:46 +0200 (added by
(e-mail address removed))
Message-ID: <[email protected]> (added by
(e-mail address removed))
FROM: "MS Security Support" <[email protected]>
TO: "Client" < >
SUBJECT: Newest Network Critical Patch
X-ID: 7461267482876138697232
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="onixlgmgwbqzppi"
Return-Path: (e-mail address removed)
X-OriginalArrivalTime: 18 Sep 2003 21:28:17.0623 (UTC)
FILETIME=[C68B7E70:01C37E2B]

--onixlgmgwbqzppi
Content-Type: multipart/related; boundary="edzfrhoovxyxdkl";
type="multipart/alternative"

--edzfrhoovxyxdkl
Content-Type: multipart/alternative; boundary="grsvuarphiqcshbhp"

--grsvuarphiqcshbhp
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

--grsvuarphiqcshbhp
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable


--grsvuarphiqcshbhp--
--edzfrhoovxyxdkl
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-ID: <gvldobd>

--edzfrhoovxyxdkl
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-ID: <dguulav>


--edzfrhoovxyxdkl--
--onixlgmgwbqzppi
Content-Type: application/x-msdownload; name="Update785.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment


--onixlgmgwbqzppi--

======================================
Microsoft Mail Internet Headers Version 2.0
Received: from remt19.cluster1.charter.net ([209.225.8.29]) by
mail.onproject.com with Microsoft SMTPSVC(5.0.2195.5329);
Thu, 18 Sep 2003 20:59:40 -0400
Received: from [66.169.98.155] (HELO ltpi)
by remt19.cluster1.charter.net (CommuniGate Pro SMTP 4.0.6)
with SMTP id 161579137; Thu, 18 Sep 2003 20:57:53 -0400
FROM: "MS Program Security Division"
<[email protected]>
TO: "Microsoft Corporation Consumer" <[email protected]>
SUBJECT: New Security Update
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="ednwqamypiqekvfoy"
Date: Thu, 18 Sep 2003 20:57:54 -0400
Message-ID: <[email protected]>
Return-Path: (e-mail address removed)
X-OriginalArrivalTime: 19 Sep 2003 00:59:40.0411 (UTC)
FILETIME=[4E135CB0:01C37E49]

--ednwqamypiqekvfoy
Content-Type: multipart/related; boundary="byyjldmb";
type="multipart/alternative"

--byyjldmb
Content-Type: multipart/alternative; boundary="rjaehiujzmgnzidu"

--rjaehiujzmgnzidu
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

--rjaehiujzmgnzidu
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable


--rjaehiujzmgnzidu--
--byyjldmb
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-ID: <thwfnxo>

--byyjldmb
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-ID: <wehxueg>


--byyjldmb--
--ednwqamypiqekvfoy
Content-Type: application/x-msdownload; name="Q871433.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment


--ednwqamypiqekvfoy-

=======================================================
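The two indicators Henry is reading off these headers can be checked mechanically: the From: line claims a microsoft.com sender while every Received: hop is an unrelated relay (fastwebnet.it and a bare host name, charter.net and a bare IP), and the last MIME part is an application/x-msdownload attachment named like a patch. The script below is an added example, not code from the original thread or from Microsoft; it rebuilds the first message's header and MIME skeleton as a constructed sample (the redacted sender address is replaced with a placeholder, the body text and the 12-byte "MZ" attachment stub are made up, and the bodies the post omitted are left minimal), then applies both checks and hashes any attachment so it can be submitted to an antivirus vendor without forwarding the live mail.

```python
"""Triage of the fake "Microsoft patch" mails quoted in the thread.

Added example, not from the original post. The sample message is built
from the header and MIME skeleton of the first quoted mail; the sender
address, the body text and the attachment bytes are placeholders because
the post redacted or omitted them.
"""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Constructed sample: same Received chain and MIME layout as the first
# mail in the thread. The attachment is a 12-byte stub that starts with
# the "MZ" DOS/PE magic; it is not a real binary.
SAMPLE = b"""\
Received: from beta.fastwebnet.it ([213.140.2.43]) by mail.onproject.com
 with Microsoft SMTPSVC(5.0.2195.5329); Thu, 18 Sep 2003 17:28:17 -0400
Received: from jnntyca (23.255.182.73) by beta.fastwebnet.it (6.7.019)
 id 3F69ECF100005D18; Thu, 18 Sep 2003 23:27:46 +0200
Date: Thu, 18 Sep 2003 23:27:46 +0200
From: "MS Security Support" <security@microsoft.com>
To: "Client" < >
Subject: Newest Network Critical Patch
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="onixlgmgwbqzppi"

--onixlgmgwbqzppi
Content-Type: multipart/alternative; boundary="grsvuarphiqcshbhp"

--grsvuarphiqcshbhp
Content-Type: text/plain

Install the attached update.
--grsvuarphiqcshbhp--
--onixlgmgwbqzppi
Content-Type: application/x-msdownload; name="Update785.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment

TVqQAAMAAAAEAAAA
--onixlgmgwbqzppi--
"""

EXEC_TYPES = {"application/x-msdownload", "application/x-msdos-program",
              "application/octet-stream"}
EXEC_NAME = re.compile(r"\.(exe|scr|pif|com|bat|cmd|vbs|js)$", re.I)


def sender_domain(msg: EmailMessage) -> str:
    """Domain the From: header claims to come from ('' if unparsable)."""
    hdr = msg["From"]
    addrs = hdr.addresses if hdr is not None else ()
    return addrs[0].domain.lower() if addrs else ""


def received_hosts(msg: EmailMessage):
    """The 'from' host of each Received: hop, newest (our own MTA) first."""
    hosts = []
    for hop in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", str(hop))
        hosts.append(m.group(1).lower() if m else "?")
    return hosts


def triage(raw: bytes) -> dict:
    """Apply the two header/MIME checks and summarise the attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Does any relay in the Received: chain belong to the claimed sender
    #    domain? The chain is our MTA plus whatever handed the mail to it, so
    #    a mail really sent by microsoft.com would show a microsoft.com relay.
    claimed = sender_domain(msg)
    hops = received_hosts(msg)
    if claimed and not any(h == claimed or h.endswith("." + claimed) for h in hops):
        findings.append(f"From: claims {claimed} but relay chain is {hops}")

    # 2. Executable attachments, by declared type, by file extension, or by
    #    the MZ magic of the decoded bytes (a renamed .exe still starts with MZ).
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        data = part.get_payload(decode=True) or b""
        looks_exe = (ctype in EXEC_TYPES or bool(EXEC_NAME.search(name))
                     or data.startswith(b"MZ"))
        attachments.append({
            "name": name, "type": ctype, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),  # for AV/sandbox submission
            "executable": looks_exe,
        })
        if looks_exe:
            findings.append(f"executable attachment {name!r} ({ctype}, {len(data)} bytes)")

    return {"from": claimed, "hops": hops, "attachments": attachments,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for line in triage(SAMPLE)["findings"]:
        print("!", line)
```

The relay check is a heuristic: mail legitimately sent through a third-party relay also fails it, and in 2003 there was no SPF or DKIM to settle the question. The attachment check is the decisive one, since a vendor security bulletin would never arrive with an executable attached. The sha256 is what an AV vendor's submission form wants; the attachment itself should stay in a quarantine folder, not be forwarded on.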
 
Yes, it's a virus. You don't need to forward it to anyone. This has been
around for a while and Microsoft knows about it.

 
I get about 100 of these a day. They started when I first
posted a message on this board!!!! This may be a
coincidence but maybe a hacker is obtaining our e-mail
addresses off this community message board. Can someone
do that? Cheryl - I was reticent to give my address out
on this message again but it wouldn't send it unless I did.
 