[clue-admin] Virus and a Joe Job

Jed S. Baer thag at frii.com
Fri Feb 3 15:58:05 MST 2006


I got a "bounce" message from Postfix, and it appears that maybe what's
happening is that somebody is sending out bogus CLUE membership e-mails,
in an attempt to spread a piece of malware. I dunno what it is, because
unzip says it's a corrupted zip file.

The "vector" appears as originating from 216.145.68.23, and here are what
I think are the original headers:

Received: by clue.denver.co.us (Postfix)
	id 28AD8500C2; Fri,  3 Feb 2006 07:55:44 -0700 (MST)
Delivered-To: jccann at cluedenver.org
Received: from clue.denver.co.us (unknown [216.145.68.238])
	by clue.denver.co.us (Postfix) with ESMTP id 85DDD5008D
	for <president at clue.denver.co.us>; Fri,  3 Feb 2006 07:55:42 -0700 (MST)
From: webmaster at clue.denver.co.us
To: president at clue.denver.co.us
Subject: Members Support
Date: Fri, 3 Feb 2006 09:55:40 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0011_66FBB8D2.AD9C7579"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20060203145542.85DDD5008D at clue.denver.co.us>

The message body is:

<html> 
<body> 
<BR><STRONG>Dear Clue Member, </STRONG><BR> 
<BR>We have temporarily suspended your email account
president at clue.denver.co.us.<BR> 
<BR>This might be due to either of the following reasons: <BR> 
<BR>1. A recent change in your personal information (i.e. change of
address).
<BR>2. Submiting invalid information during the initial sign up process.
<BR>3. An innability to accurately verify your selected option of
subscription due to an internal error within our processors.
<BR>See the details to reactivate your Clue account. <BR>
<BR>Sincerely,The Clue Support Team <BR> 
<BR><BR><BR><BR><BR> 
<BR>+++ Attachment: No Virus (Clean) 
<BR>+++ Clue Antivirus - www.clue.denver.co.us 
</body> 
</html> 

And there's an attached zip file.

For the curious, I'll make the whole raw e-mail available for inspection,
once I can figure out why the gzipped file is triggering an error message
from my ISP on my website.

Mostly, I wonder how widespread this is. It's kinda tough to imagine a
spoof such as this going out as just your average type virus. I mean, why
the CLUE specific message?

jed
-- 
http://s88369986.onlinehome.us/freedomsight/
Key fingerprint = B027 FEFB 4281 CC72 67D1  4237 F2D0 D356 077A A30E
... it is poor civic hygiene to install technologies that could someday
facilitate a police state. -- Bruce Schneier
_______________________________________________
CLUE-admin mailing list
CLUE-admin at cluedenver.org
http://cluedenver.org/mailman/listinfo/clue-admin
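As an added example (not from the post or from CLUE), a small Python check that reads Received and From headers like the ones above and flags the spoofing pattern described in the post: a From: address in the local domain that entered the mail system from an outside relay whose HELO name claims the local host but has no reverse DNS. The header sample is constructed from the post with the archive's "at" obfuscation undone; the trusted-relay set is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, taken from the headers quoted in the post (addresses de-obfuscated).
RAW_HEADERS = """Received: by clue.denver.co.us (Postfix)
    id 28AD8500C2; Fri,  3 Feb 2006 07:55:44 -0700 (MST)
Received: from clue.denver.co.us (unknown [216.145.68.238])
    by clue.denver.co.us (Postfix) with ESMTP id 85DDD5008D
    for <president@clue.denver.co.us>; Fri,  3 Feb 2006 07:55:42 -0700 (MST)
From: webmaster@clue.denver.co.us
To: president@clue.denver.co.us
Subject: Members Support

"""

# Postfix style: "from <HELO name> (<reverse DNS or 'unknown'> [<IPv4>])"
RELAY_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)")


def relay_hops(msg):
    """Return the relays named in Received: headers, top (newest) first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RELAY_RE.search(" ".join(value.split()))  # unfold the header first
        if m:
            hops.append({"helo": m.group(1), "rdns": m.group(2), "ip": m.group(3)})
    return hops


def spoof_findings(raw, local_domain, trusted_relays):
    """List reasons a message claiming to be local is suspect; empty means clean."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    for hop in relay_hops(msg):
        if hop["ip"] in trusted_relays:  # hop we operate ourselves (assumed list)
            continue
        if hop["helo"].lower() == local_domain and hop["rdns"] == "unknown":
            findings.append(f"HELO claims {local_domain} but {hop['ip']} has no reverse DNS")
        if sender_domain == local_domain:
            findings.append(f"From: is {local_domain} yet mail entered from outside relay {hop['ip']}")
    return findings


if __name__ == "__main__":
    for line in spoof_findings(RAW_HEADERS, "clue.denver.co.us", frozenset({"127.0.0.1"})):
        print("SUSPECT:", line)
```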