Another MyDoom Variant
From the "what-will-they-think-of-next" department, a MyDoom variant is making the rounds. The user receives a "returned email" notification. If they open an attachment to see the message "returned" to them, they get bit. Here is a link to an article about this attack. I am also posting a sample I received. Addresses altered to protect the innocent.
Mail delivery failed: returning message to sender
Mail Delivery System <Mailer-Daemon@uniserve.com>
Yesterday 03:35:20 pm
Spam Status: Spamassassin 0% probability of being spam.
No, score=0.0 required=5.0 tests=none autolearn=ham version=3.1.1
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
SMTP error from remote mail server after end of data:
host pobox.sfu.ca [xxxxxxxxxxxx]: 550 5.7.1 illegal extension:
readme.zip. Please send as a zip file.
------ This is a copy of the message, including all the headers. ------
Received: from xxxxxxxxxxxxxx ([xxxxxxxxxxxx] helo=carolina.rr.com)
by xxxxxxxxxx with esmtp (Exim 4.60)
for email@example.com; Wed, 14 Jun 2006 12:35:03 -0700
Subject: Mail System Error - Returned Mail
Date: Wed, 14 Jun 2006 12:38:52 -0700
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Scanner: OK. Scanned.
X-Uniserve-Spam-Score: 3.3 33 (+++)
X-Uniserve-Spam-Report: Spam detection software, running on the system "mx8.uniserve.ca", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or block
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: Dear user of sfu.ca, administration of sfu.ca would
like to inform you We have detected that your account was used to send
a large amount of spam during the recent week. We suspect that your
computer was compromised and now runs a trojan proxy server. [...]
Content analysis details: (3.3 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.3 NO_REAL_NAME From: does not include a real name
3.0 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
This is a multi-part message in MIME format.
Dear user of sfu.ca, administration of sfu.ca would like to inform you
We have detected that your account was used to send a large amount of spam during the recent week.
We suspect that your computer was compromised and now runs a trojan proxy server.
Please follow instruction in order to keep your computer safe.
Have a nice day,
sfu.ca technical support team.
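A defender-side triage check for this lure, added here as an example and not part of the original post: it parses a constructed message modelled on the sample's headers (addresses, boundaries and the zip payload are made up) beside a constructed RFC 3464-style bounce, and flags the tells a real delivery-status notification would not have.

```python
"""Triage 'returned mail' notices: a real DSN is MTA-generated multipart/report,
while the MyDoom lure above is a client-generated message carrying a zip."""
from email import message_from_string, policy

# Constructed sample modelled on the post's headers (addresses, boundary, payload are made up).
FAKE_BOUNCE = (
    "From: Mail Delivery System <Mailer-Daemon@example.net>\r\n"
    "Subject: Mail System Error - Returned Mail\r\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2600.0000\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\n"
    "Dear user, your account was used to send spam. See the attached file.\r\n"
    '--b1\r\nContent-Type: application/zip; name="readme.zip"\r\n'
    'Content-Disposition: attachment; filename="readme.zip"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\nUEsDBA==\r\n--b1--\r\n"
)
# Constructed RFC 3464-style bounce for comparison (also made up).
REAL_DSN = (
    "From: Mail Delivery System <Mailer-Daemon@example.net>\r\n"
    "Subject: Mail delivery failed: returning message to sender\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/report; report-type=delivery-status; boundary="b2"\r\n\r\n'
    "--b2\r\nContent-Type: text/plain\r\n\r\nThis message was created automatically.\r\n"
    "--b2\r\nContent-Type: message/delivery-status\r\n\r\nAction: failed\r\nStatus: 5.7.1\r\n"
    "--b2--\r\n"
)

BOUNCE_WORDS = ("returned mail", "delivery failed", "undeliverable", "mail system error")
RISKY_EXT = (".zip", ".exe", ".scr", ".pif", ".com", ".bat")


def triage_bounce(raw: str) -> list[str]:
    """Return reasons a purported bounce looks like a lure; empty list means it looks like a DSN."""
    msg = message_from_string(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").lower()
    sender = (msg.get("From") or "").lower()
    if "mailer-daemon" not in sender and not any(w in subject for w in BOUNCE_WORDS):
        return []  # does not claim to be a bounce; out of scope for this check
    reasons = []
    # DSNs are generated by the MTA; a desktop-client header is the same tell that
    # tripped FORGED_MUA_OUTLOOK in the sample above.
    if msg.get("X-Mailer") or msg.get("X-MimeOLE"):
        reasons.append("bounce carries a mail-client X-Mailer/X-MimeOLE header")
    ctype = msg.get_content_type()
    if not (ctype == "multipart/report" and msg.get_param("report-type") == "delivery-status"):
        reasons.append(f"not a multipart/report delivery-status DSN (got {ctype})")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            reasons.append(f"archive/executable attachment {name!r} in a bounce")
    return reasons
```

Run it over `FAKE_BOUNCE` and `REAL_DSN`: the lure yields three reasons, the genuine DSN none.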