Black Viper
Mar 02 2004

Even though I touched on the thought of dumping my E-Mail address in my latest Rant, I have not done so. This should not be much of a surprise, since I posted My E-Mail Address Rant only a few hours ago. However, just a couple of hours ago I started to receive, yet again, a virus about which no information has been posted (that I have found).

The techniques used to try to get people to "open that attachment" and infect systems really make me laugh! I touched on several in my Free Beer Rant, but the following E-Mail(s) look like a new strain, as sarc.com has nothing about it (yet). I am going to say it here and again at the end of this news post:

Everyone, I beg of you, STOP OPENING E-MAIL ATTACHMENTS!!!

Here is a cut and paste from the source of the header, with minor modifications to protect the innocent as well as the guilty:

From - Tue Mar 02 22:49:35 2004
X-UIDL: UOSVJKZ.CNM306272A5
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
Received: from spooler by mail.blackviper.com (Mercury/32 v4.01a); 2 Mar 2004 20:24:13 -0800
X-Envelope-To: <BVEDIT: REMOVED MY ADDRESS>
Return-path: <BVEDIT: REMOVED SPOOFED ADDRESS>
Received: from BASEMENTDELL (<BVEDIT: REMOVED ACTUAL IP ADDRESS>) by BVEDIT: REMOVED MY EMAIL SERVERS NAME (Mercury/32 v4.01a) ID MG000340; 2 Mar 2004 20:24:02 -0800
Date: Tue, 02 Mar 2004 22:23:26 -0600
To: BVEDIT: REMOVED MY ADDRESS
Subject: Email account utilization warning.
From: management@blkviper.com
Message-ID: <uxiyxiekwqaljwgovss@blkviper.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="——–ijrpvnyimxgnxhemlxek"
———-ijrpvnyimxgnxhemlxek
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Now the actual readable text:

Dear user, the management of Blkviper.com mailing system wants to let you know that,

We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.

Further details can be obtained from attached file.

Kind regards, The Blkviper.com team
http://www.blackviper.com

The following is just a small snapshot of the attachment information:

Content-Type: application/octet-stream; name="Readme.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Readme.pif"

<BVEDIT: REMOVED BASE64 ENCODED VIRUS>

———-ijrpvnyimxgnxhemlxek–

Now, a few points to notice here:

  • The grammar is pathetic. Much worse than mine. Regardless, it "looks" like an E-Mail that is automatically generated from random sentences. It is not "really" obvious in the above text because I have my HTML editor set up to "not allow more than one space." Several extra spaces exist between "chunks of words" in the E-Mail that suggest randomized content. However, notice the comma at the end of sentence one? Big giveaway.
  • The "from" E-Mail address does not exist and never has.
  • The message ID "uxiyxiekwqaljwgovss@blkviper.com" is not valid. I know this because the ID format my E-Mail server actually generates is visible on the Received line: MG000340.

An E-Mail I received only six minutes later had exactly the same subject line, "Email account utilization warning.", and many similar qualities, like the first sentence:

Dear user, the management of Blkviper.com mailing system wants to let you know that,

Your e-mail account has been temporary disabled because of unauthorized access. For further details see the attach.

For security reasons attached file is password protected. The password is "55885".

Have a good day,The Blkviper.com team
http://www.blackviper.com

An attachment named "Document.zip" was there. Also, again, the "from" address it appears to originate from is not valid, but instead of "management@" it is "support@". The second one originates from a different IP address, however.
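The red flags listed above, plus the password-protected archive trick in the second message, are exactly what a mail gateway rule can catch before anyone gets the chance to open the attachment. As an added example (not part of the original post), this Python script parses a constructed message modelled on the headers quoted above and reports each indicator; the relay IP, recipient, boundary, payload and the assumption that the local Mercury/32 server stamps IDs of the form MG followed by digits are mine, not from the post.

```python
import re
from email import message_from_string, policy

# Constructed sample that merges traits of the two messages quoted in the post;
# the relay IP, recipient, boundary and payload are placeholders, not real values.
SAMPLE = """\
Received: from BASEMENTDELL (192.0.2.10) by mail.blackviper.com (Mercury/32 v4.01a) ID MG000340; 2 Mar 2004 20:24:02 -0800
To: user@blkviper.com
From: management@blkviper.com
Message-ID: <uxiyxiekwqaljwgovss@blkviper.com>
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain; charset="us-ascii"

For security reasons attached file is password protected. The password is "55885".
--bnd
Content-Type: application/octet-stream; name="Readme.pif"
Content-Disposition: attachment; filename="Readme.pif"

QUJD
--bnd--
"""

RISKY_EXT = (".pif", ".scr", ".exe", ".com", ".bat", ".zip")
# Assumption: IDs stamped by the local Mercury/32 server look like MG followed by digits.
LOCAL_ID_RE = re.compile(r"^<MG\d+@")


def indicators(raw: str) -> list[str]:
    """Return the red flags the post walks through, one short string each."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    sender, rcpt = msg["From"].addresses[0], msg["To"].addresses[0]
    m = re.match(r"from (\S+)", msg["Received"] or "")
    relay = m.group(1).lower() if m else ""
    # Sender claims the recipient's own domain, yet the message was handed in by a
    # bare outside hostname rather than a host of that domain.
    if sender.domain.lower() == rcpt.domain.lower() and not relay.endswith(rcpt.domain.lower()):
        hits.append(f"spoofed internal sender via {relay}")
    if not LOCAL_ID_RE.match(msg["Message-ID"] or ""):
        hits.append("Message-ID not in local server format")
    body = msg.get_body(preferencelist=("plain",))
    if body and re.search(r"password is", body.get_content(), re.I):
        hits.append("attachment password handed out in body")  # defeats gateway scanning
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            hits.append(f"risky attachment {name}")
    return hits
```

Run against the sample it reports all four indicators; swap the attachment name for a harmless extension and only the first three remain.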

Pathetic. Absolutely pathetic. Everyone, I beg of you: STOP OPENING E-MAIL ATTACHMENTS!!!