Gabriele Neukam
Someone (probably a recipient of the Sobig.F spewed by CAFE3 in Sweden)
thought that I had sent a worm to him/her, and "took revenge".
Quote:
""GOT YOU"
If you were dumb enough to open this email then you will find a WORM has
executed itself through your mailbox
and by the time you read this into your hard-drive. This is PAYBACK for
the Virus you disguised in the email you sent
to us recently which destroyed our hard-drive and back-up system. This
costs us thousands of dollars and we lost a lot
of irreplaceable files on our system."
Unquote.
I found this is a template from someone else. Googling revealed "Hoax"
database entries from Symantec and Trend Micro, but they only cited the
text, none could explain its origin.
There is a URL given inside, meant to fetch a gif file from somewhere
within Lycos France, but the picture is 404, probably for months. Also,
to my knowledge there is no way to "execute" a gif file, except OE is so
dumb and does the same to gif files, as it did in former times to
wrongly declared MIME headers.
This message would never have been able to "infect" me for two reasons,
as I don't use OE, but the HTML also doesn't show any malicious code. It
is only terribly munged, just like the work of a spammer. I don't know
if all messages are encrypted like this one, as no one ever has posted
the source of the message into any forum found by Google.
evocash is indirectly harassed by that, too:
http://www.evocash.com/index.cfm?fuseaction=dsp_warning
Does anybody have an idea where this message template might have
originated? The sender didn't even notice that the gif file had
vanished, and obviously (s)he isn't mentally capable of making such a
thing up, crude as it may be.
The source was
------=_NextPart_005_0087_VCZGERXR.WDWBGJPS
Content-Type: text/plain;
charset="ISO-8859-1"
Content-Transfer-Encoding: 8 bit
------=_NextPart_005_0087_VCZGERXR.WDWBGJPS
Content-Type: text/html;
charset="ISO-8859-1"
Content-Transfer-Encoding: 8 bit
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>New<!--q7zZiss--> Pag<!--588-->e <!--VU6Wdd-->1</title>
</head> <!--2th6CC-->
<body> <!--i6wl2W22-->
<p>"GOT<!--hInn--> YOU<!--95Gw4V88-->"<br>
<br>
If you were dumb enough to open this email then you will find a WORM has executed itself through your mailbox <br>
and by the time you read this into your hard-drive. This is PAYBACK for the Virus you disguised in the email you sent <br>
to us recently which destroyed our hard-drive and back-up system. This costs us thousands of dollars and we lost a lot <br>
of<!--2TJjj--> irreplace<!--Hfduftt-->able <!--P44-->files <!--88-->on ou<!--GSxpkk-->r sy<!--OWtrBB-->stem.<br>
<br> Now<!--GG--> <!--X3GGG-->it's yo<!--1fOQMEE-->ur tur<!--GIyR8yy-->n t<!--4lipp-->o h<!--U3f66-->ave y<!--bwHkk-->our compu<!--Nbidd-->ter in<!--ze6F6paa-->fected. Thi<!--4oqq-->s <!--sKss-->WORM it<!--7ss--> <!--88-->is undetecta<!--88-->ble <!--OO-->by AntiViru<!--zWss-->s softwa<!--aAGBcKDD-->re and<!--EMPEdxKK--> <!--NC9GJncc-->it will <!--stMM-->drive yo<!--yJsQGG-->ur compu<!--LJYsmII-->ter cra
Motherboard. This will proabably cost you a new computer and I sincerely hope this teaches you a lesson not to send people <br>
<!--xxvff-->nasty viru<!--x922-->ses ag<!--i3DOtlww-->ain.<br>
<br>
Evoc<!--ZqDD-->ash Admini<!--aaitJJ-->stration Inc.<!--3C33--><br>
Phone:<!--SxmPofcc--> <!--LL-->+1 7<!--iCvekyuu-->67 4499922<!--zbFQ1OO--><br>
Fax:<!--8WW--> <!--W11-->+1 76<!--OLnc22-->7 <!--n0K8PYY-->4499922<br>
</p>
<p><!--KpMWW-->
<br>
<b><!--8Zff31hh-->
<i>
----^+Start^=Auto^Execute<!--VyhXoo-->+^WORM^---------<br>
----^+Start^=Auto^Execute+^WORM<!--AAA-->^-------------<br>
----^+Start^=Auto^Execute+^WORM^-<!--LkMXwRff-->--------<br>
----^+Start<!--naa-->^=Auto^Execute+^WORM^---------<br>
----^+Start^=Auto<!--5moXVee-->^Execute+^WORM^---------<br>
</i>
</b>
</p>
<p>
<img border="0" src="http://[email protected]/lutinette/encyclo/serpent.gif" width="262" height="58"><!--VmqhJJ-->
<img border="0" src="http://[email protected]/lutinette/encyclo/serpent.gif" width="262" height="58">
<img border="0" src="http://[email protected]/lutinette/encyclo/serpent.gif" width="262" height="58">
<img border="0" src="http://[email protected]/lutinette/encyclo/serpent.gif" width="262" height="58">
<img border="0" src="http://[email protected]/lutinette/encyclo/serpent.gif" width="262" height="58">
<!--CJ0aa--><img border="0" src="http://[email protected]/lutinette/encyclo/serpent.gif" width="262" height="58"><!--kucSS-->
<br>
<br>
</p> <!--zz-->
</body> <!--pp-->
</html>
------=_NextPart_005_0087_VCZGERXR.WDWBGJPS--
Gabriele Neukam
(e-mail address removed)
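Added example, not part of the original post and not any vendor's filter: the "munging" in the HTML part above is random HTML comments dropped into the middle of words, which leaves the rendered text unchanged while making the raw bytes differ from copy to copy. The Python sketch below strips the comments to recover the visible text, counts comments that split a word, and lists remote images. The sample line, the `images.example` host and the threshold of 3 are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on one comment-split line of the posted source;
# the image host is a placeholder, not the address from the message.
SAMPLE = (
    '<p>of<!--2TJjj--> irreplace<!--Hfduftt-->able <!--P44-->files '
    '<!--88-->on ou<!--GSxpkk-->r sy<!--OWtrBB-->stem.<br>\n'
    '<img border="0" src="http://images.example/serpent.gif" width="262" height="58"></p>'
)

# A comment with a word character directly before and after it splits a word.
# The body pattern cannot run past the first "-->", so each comment is judged alone.
MIDWORD = re.compile(r"(?<=\w)<!--(?:(?!-->).)*-->(?=\w)", re.S)


class Normalizer(HTMLParser):
    """Collects rendered text, comment bodies and remote image URLs."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.comments, self.remote_images = [], [], []

    def handle_data(self, data):
        self.text.append(data)

    def handle_comment(self, data):
        self.comments.append(data)

    def handle_starttag(self, tag, attrs):
        if tag == "br":
            self.text.append(" ")  # keep words on either side of a break apart
        elif tag == "img":
            src = dict(attrs).get("src") or ""
            if src.lower().startswith(("http://", "https://")):
                self.remote_images.append(src)


def analyze(html, threshold=3):
    """Return the de-obfuscated text plus simple obfuscation indicators."""
    parser = Normalizer()
    parser.feed(html)
    parser.close()  # flush any trailing text still buffered
    midword = len(MIDWORD.findall(html))
    return {
        "visible_text": " ".join("".join(parser.text).split()),
        "comments": len(parser.comments),
        "midword_comments": midword,
        "remote_images": parser.remote_images,
        "suspicious": midword >= threshold,  # threshold is an assumed cut-off
    }


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Matching on `visible_text` rather than the raw HTML is what lets one hoax-database entry cover every differently munged copy of the same template.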