[WSIS CS-Plenary] Trojan on our list!!

Adam Peake ajp at glocom.ac.jp
Fri Feb 11 12:59:09 GMT 2005


Carlos, thank you.

Karen and I are list moderators.  The list is not 
open to automatic subscriptions.

Main task of moderators is clearing spam that's 
caught for approval (and approving the occasional 
genuine message that for some reason gets caught.)

I am pretty sure the message from 
rafa_2004 at terra.com.br that made it to the list 
was not one either Karen or I approved, but oddly 
the address is also not subscribed. But 3 or 4 
messages from that address were caught for 
moderators and I rejected them.

Apologies for any problems this has caused.

Adam





>People, it seems our list is open to automatic 
>registration, which allows for spamming bots to 
>penetrate it.
>
>This phishing originates from a USA ISP named 
>Interland (abuse at interland.com), but is linked 
>to a gang in Brazil, as the site containing the 
>trojan is www.guiasaiadatoca.com.br (its 
>Brazilian ISP has already blocked access to the 
>site).
>
>For the ones interested, full identification 
>details as available on whois servers are in the 
>attached text file.
>
>I am notifying the USA ISP, with no hope to get 
>a response, as usual. Also notifying the 
>Brazilian Internet security group 
>(www.nbso.nic.br), who do act.
>
>Oh, yes, and please use GNU/Linux to avoid bad 
>consequences of these attacks :)
>
>fraternal rgds
>
>--c.a.
>
>Rui Correia wrote:
>
>>Dear All
>>
>>Posting from rafa_2004 at terra.com.br 
>><mailto:rafa_2004 at terra.com.br> that appeared 
>>on this list with subject "lembra de mim?" is 
>>spam, urging users to click on the link to view 
>>his (Rafael Dante's) photo. From a google 
>>search, I found out that the link takes you to 
>>a page where a trigger downloads 
>>PSW.Banker.11.0, which is a Trojan that 
>>captures bank account numbers and passwords. 
>>The google search turned up 19 different 
>>versions of Rafael supposedly wanting to 
>>organise a reunion with his old friends, hence 
>>the photo, 'so you can be sure it is the right 
>>person'!!!
>>
>>The post from rafa_2004 at terra.com.br 
>><mailto:rafa_2004 at terra.com.br> that circulated 
>>on this list with the subject "lembra de mim?" is 
>>spam, encouraging list members to click the link 
>>to see his (Rafael Dante's) photo. After a 
>>Google search, I found that whoever clicks the 
>>link is taken to a page that offers the download 
>>of PSW.Banker.11.0, a trojan that captures bank 
>>account numbers and passwords and sends them to 
>>the author of the malicious program. Google shows 
>>19 versions of this trick, asking people to look 
>>at the photo 'so they can tell whether it is the 
>>right person'!!!
>>
>>Rui
>>
>>________________________________________________
>>
>>
>>Rui Correia
>>Advocacy, Media and Language Consultant
>>36 Finch St,
>>Ontdekkers Park, Roodepoort,
>>Johannesburg, South Africa
>>Tel/ Fax (+27-11) 766-4336
>>Cell (+27) (0) 83-368-1214
>>
>>-----Original Message-----
>>*From:* plenary-admin at wsis-cs.org 
>>[mailto:plenary-admin at wsis-cs.org] *On Behalf 
>>Of *rafa_2004 at terra.com.br
>>*Sent:* 11 February 2005 06:29
>>*To:* plenary at wsis-cs.org
>>*Subject:* [WSIS CS-Plenary] lembra de mim?
>>*Importance:* High
>>
>>Hi, how are you?
>>
>>My name is Rafael, and I came across your email 
>>by chance; a friend of mine told me this was your 
>>email. I'm not sure whether you are really the 
>>person who studied with me at school, and I would 
>>like to hold a reunion party for everyone; it 
>>would be nice to see the whole class again. Some 
>>have sadly died, but I am trying to get in touch 
>>with as many friends from that time as possible, 
>>and I am inviting you to this party; I would very 
>>much like to see you again.
>>
>>So there is no mistake, I have a photo of myself; 
>>if you recognise me please get in touch. I look a 
>>bit different from back then, but I think you 
>>will be able to remember me.
>>
>>My photo --> 
>>http://www.fee.unicamp.br/docentes/fotos/rafael.jpg 
>><http://www.guiasaiadatoca.com.br/images/rafael.scr>
>>
>>If it really isn't you, please disregard this 
>>email, and sorry for the inconvenience.
>>
>>Sincerely, Rafael Dante.
>>
>>_______________________________________________ 
>>Plenary mailing list Plenary at wsis-cs.org 
>>http://mailman.greennet.org.uk/mailman/listinfo/plenary
>
>
>--
>++++++++++++++++++++++++++++++++++++++++++++++++
>Carlos Afonso
>diretor de planejamento
>Rede de Informações para o Terceiro Setor - Rits
>Rua Guilhermina Guinle, 272, 6º andar - Botafogo
>Rio de Janeiro RJ - Brasil         CEP 22270-060
>tel +55-21-2527-5494        fax +55-21-2527-5460
>ca at rits.org.br            http://www.rits.org.br
>++++++++++++++++++++++++++++++++++++++++++++++++
>
>
>
>1. Full source of the message as received by a Rits mailserver:
>===============================================================
>
>>From - Fri Feb 11 08:28:00 2005
>X-Account-Key: account1
>X-UIDL: MD50000186498:MSG:5652:29691890:3069820560
>X-Mozilla-Status: 0001
>X-Mozilla-Status2: 00000000
>Return-path: <plenary-admin at wsis-cs.org>
>Received: from seven.gn.apc.org (greennet2.poptel.org.uk [213.55.2.207])
>	by rits.org.br (rits.org.br [200.198.184.110])
>	(MDaemon.PRO.v7.1.1.R)
>	with ESMTP id md50000050134.msg
>	for <ca at rits.org.br>; Fri, 11 Feb 2005 02:32:34 -0200
>X-MDSPF-Result: (none)
>Received-SPF: none (rits.org.br: plenary-admin at wsis-cs.org does not
>	designate permitted sender hosts)
>	x-spf-client=MDaemon.PRO.v7.1.1.R
>	receiver=rits.org.br
>	client-ip=213.55.2.207
>	envelope-from=<plenary-admin at wsis-cs.org>
>	helo=seven.gn.apc.org
>Received: from seven.gn.apc.org (localhost.localdomain [127.0.0.1])
>	by seven.gn.apc.org (Postfix) with ESMTP
>	id A6A333CA2; Fri, 11 Feb 2005 05:16:31 +0000 (GMT)
>Delivered-To: plenary at mailman.greennet.org.uk
>Received: from mail.gn.apc.org (greennet1.poptel.org.uk [213.55.2.205])
>	by seven.gn.apc.org (Postfix) with ESMTP id 6F3293BA3
>	for <plenary at mailman.greennet.org.uk>; Fri, 11 Feb 2005 04:58:22 +0000 (GMT)
>Received: from localhost (unknown [192.168.0.2])
>	by mail.gn.apc.org (Postfix) with ESMTP id E917314B778
>	for <plenary at wsis-cs.org>; Fri, 11 Feb 2005 04:08:22 +0000 (GMT)
>Received: from ns3.webpor.net (unknown [216.150.18.18])
>	by mail.gn.apc.org (Postfix) with ESMTP id CA38714B6A5
>	for <plenary at wsis-cs.org>; Fri, 11 Feb 2005 04:08:21 +0000 (GMT)
>Received: (qmail 30246 invoked by uid 48); 11 Feb 2005 01:38:34 -0000
>Message-ID: <20050211013834.30245.qmail at ns3.webpor.net>
>To: plenary at wsis-cs.org
>From: rafa_2004 at terra.com.br
>content-type: text/html
>X-priority: 1
>Received: from inter.net
>Received: from dot.net
>X-Virus-Scanned: by amavisd-new at gn.apc.org
>Subject: [WSIS CS-Plenary] lembra de mim?
>Sender: plenary-admin at wsis-cs.org
>Errors-To: plenary-admin at wsis-cs.org
>X-BeenThere: plenary at wsis-cs.org
>X-Mailman-Version: 2.0.6
>Precedence: bulk
>Reply-To: plenary at wsis-cs.org
>List-Help: <mailto:plenary-request at wsis-cs.org?subject=help>
>List-Post: <mailto:plenary at wsis-cs.org>
>List-Subscribe: <http://mailman.greennet.org.uk/mailman/listinfo/plenary>,
>	<mailto:plenary-request at wsis-cs.org?subject=subscribe>
>List-Id: Virtual WSIS CS Plenary Group Space <plenary.wsis-cs.org>
>List-Unsubscribe: <http://mailman.greennet.org.uk/mailman/listinfo/plenary>,
>	<mailto:plenary-request at wsis-cs.org?subject=unsubscribe>
>List-Archive: <http://mailman.greennet.org.uk/public/plenary/>
>Date: 11 Feb 2005 01:38:34 -0000
>X-Lookup-Warning: MAIL lookup on plenary-admin at wsis-cs.org does not match 213.55.2.207
>X-MDRcpt-To: ca at rits.org.br
>X-Rcpt-To: ca at rits.org.br
>X-MDRemoteIP: 213.55.2.207
>X-Return-Path: plenary-admin at wsis-cs.org
>X-MDaemon-Deliver-To: ca at rits.org.br
>X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11)
>X-Spam-Report:
>	*  0.2 NO_REAL_NAME From: does not include a real name
>	*  1.3 X_PRIORITY_HIGH Sent with 'X-Priority' set to high
>	*  1.0 FROM_ENDS_IN_NUMS From: ends in numbers
>	*  0.1 HTML_FONTCOLOR_RED BODY: HTML font color is red
>	*  0.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
>	*  0.1 HTML_MESSAGE BODY: HTML included in message
>	* -4.0 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
>	*      [score: 0.0000]
>	*  0.6 MIME_HTML_NO_CHARSET RAW: Message text in HTML without charset
>	*  1.2 PRIORITY_NO_NAME Message has priority setting, but no X-Mailer
>	*  2.2 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME headers
>	*  0.7 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
>X-Spam-Status: No, hits=3.7 required=5.0 tests=BAYES_00,FROM_ENDS_IN_NUMS,
>	HTML_FONTCOLOR_RED,HTML_MESSAGE,MIME_HEADER_CTYPE_ONLY,
>	MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,MSGID_FROM_MTA_HEADER,
>	NO_REAL_NAME,PRIORITY_NO_NAME,X_PRIORITY_HIGH autolearn=no
>	version=2.63
>X-Spam-Level: ***
>X-Spam-Processed: rits.org.br, Fri, 11 Feb 2005 02:32:35 -0200
>X-MDAV-Processed: rits.org.br, Fri, 11 Feb 2005 02:32:35 -0200
>
>
>
>Hi, how are you?
>
>My name is Rafael, and I came across your email 
>by chance; a friend of mine told me this was your 
>email. I'm not sure whether you are really the 
>person who studied with me at school, and I would 
>like to hold a reunion party for everyone; it 
>would be nice to see the whole class again. Some 
>have sadly died, but I am trying to get in touch 
>with as many friends from that time as possible, 
>and I am inviting you to this party; I would very 
>much like to see you again.
>
>So there is no mistake, I have a photo of myself; 
>if you recognise me please get in touch. I look a 
>bit different from back then, but I think you 
>will be able to remember me.
>
>My photo --> 
><http://www.guiasaiadatoca.com.br/images/rafael.scr>http://www.fee.unicamp.br/docentes/fotos/rafael.jpg
>
>If it really isn't you, please disregard this 
>email, and sorry for the inconvenience.
>
>Sincerely, Rafael Dante.
>
>
>
>_______________________________________________
>Plenary mailing list
>Plenary at wsis-cs.org
>http://mailman.greennet.org.uk/mailman/listinfo/plenary
>
>
>2. Identification of origin:
>============================
>
>whois.arin.net.
>Results:
>
>OrgName: Interland
>OrgID: INTD
>Address: 101 Marietta Street
>City: Atlanta
>StateProv: GA
>PostalCode: 30039
>Country: US
>
>NetRange: 216.150.0.0 - 216.150.31.255
>CIDR: 216.150.0.0/19
>NetName: HOSTCENTRIC-NETBLK-4
>NetHandle: NET-216-150-0-0-1
>Parent: NET-216-0-0-0-0
>NetType: Direct Allocation
>NameServer: NS.DIALTONEINTERNET.NET
>NameServer: NS2.DIALTONEINTERNET.NET
>Comment:
>RegDate:
>Updated: 2004-07-14
>
>OrgAbuseHandle: ABUSE579-ARIN
>OrgAbuseName: ABUSE
>OrgAbusePhone: +1-404-260-8434
>OrgAbuseEmail: abuse at interland.com
>
>OrgTechHandle: ASNAD3-ARIN
>OrgTechName: ASNADMIN
>OrgTechPhone: +1-404-260-8434
>OrgTechEmail: asnadmin at interland.com
>
># ARIN WHOIS database, last updated 2005-02-10 19:10
># Enter ? for additional hints on searching ARIN's WHOIS database.
>
>3. Holder of the Brazilian domain pertaining to the Web site involved:
>======================================================================
>
>% Copyright registro.br
>%  The data below is provided for information purposes
>%  and to assist persons in obtaining information about or
>%  related to domain name and IP number registrations
>%  By submitting a whois query, you agree to use this data
>%  only for lawful purposes.
>%  2005-02-11 09:04:14 (BRST -02:00)
>
>domínio:      GUIASAIADATOCA.COM.BR
>entidade:     Dacon Formaturas e Eventos LTDA
>documento:    003.273.690/0001-40
>responsável:  Manoel Carlos Gomes Chacon
>endereço:     Rua Sao Jose, 495,
>endereço:     12010-190 - Taubate - SP
>telefone:     (012) 2332656 []
>ID entidade:  AVV35
>ID admin:     LID14
>ID técnico:   AVV35
>ID cobrança:  AVV35
>servidor DNS: NS1.CYBERHOSTING.COM.BR 
>status DNS:   09/02/2005 AA
>último AA:    09/02/2005
>servidor DNS: NS2.CYBERHOSTING.COM.BR 
>status DNS:   09/02/2005 AA
>último AA:    09/02/2005
>criado:       09/09/2003 #1344102
>alterado:     07/12/2004
>status:       publicado
>
>ID:           AVV35
>nome:         Alexandre Vieira Vianna
>e-mail:       saiadatocajah at TERRA.COM.BR
>endereço:     Rua dos Carteiros, 57,
>endereço:     12511-030 - Guaratingueta - SP
>telefone:     (12) 3125-2270 []
>criado:       03/09/2003
>alterado:     07/12/2004
>
>ID:           LID14
>nome:         Licio Dacon
>e-mail:       webmagazine at IG.COM.BR
>endereço:     Av. JK, 77,
>endereço:     12366-000 - Sao Jose dos Pinhais - SP
>telefone:     (24) 5589623 []
>criado:       30/05/2000
>alterado:     15/02/2004
>
>remarks:     Security issues should also be addressed to
>remarks:     nbso at nic.br, http://www.nbso.nic.br/
>remarks:     Mail abuse issues should also be addressed to
>remarks:     mail-abuse at nic.br
>
>% whois.registro.br accepts only direct match queries.
>% Types of queries are: domains (.BR), BR POCs, CIDR blocks,
>% IP and AS numbers.
>
>4. ISP in Brazil which was hosting the website (cyberhosting.com.br):
>=====================================================================
>
>% Copyright registro.br
>%  The data below is provided for information purposes
>%  and to assist persons in obtaining information about or
>%  related to domain name and IP number registrations
>%  By submitting a whois query, you agree to use this data
>%  only for lawful purposes.
>%  2005-02-11 09:10:35 (BRST -02:00)
>
>domínio:      CYBERHOSTING.COM.BR
>entidade:     Cyber1 do Brasil Ltda.
>documento:    004.019.962/0001-43
>responsável:  Domingos José Ribeiro
>endereço:     Rua Coromandel, 47,
>endereço:     05088-010 - São Paulo - SP
>telefone:     (011) 36419291 []
>ID entidade:  DJR23
>ID admin:     DJR23
>ID técnico:   GDL42
>ID cobrança:  DJR23
>servidor DNS: NS1.CYBERHOSTING.COM.BR 200.155.3.130
>status DNS:   10/02/2005 AA
>último AA:    10/02/2005
>servidor DNS: NS2.CYBERHOSTING.COM.BR 200.155.3.131
>status DNS:   10/02/2005 AA
>último AA:    10/02/2005
>criado:       03/07/2003 #1269112
>alterado:     18/09/2004
>status:       publicado
>
>ID:           DJR23
>nome:         Domingos J. Ribeiro - Cyber1
>e-mail:       webmaster at CYBER1.COM.BR
>endereço:     Rua Coromandel, 47,
>endereço:     05088-010 - SÃO PAULO - SP
>telefone:     (11) 3641 9291 []
>criado:       22/06/2001
>alterado:     11/01/2005
>
>ID:           GDL42
>nome:         Ger. de Dominios Cyber1 do Brasil Ltda.
>e-mail:       webmaster at CYBER1.COM.BR
>endereço:     Rua Coromandel, 47,
>endereço:     05088-010 - São Paulo - SP
>telefone:     (11) 3641-9291 []
>criado:       16/08/2002
>alterado:     11/01/2005
>
>remarks:     Security issues should also be addressed to
>remarks:     nbso at nic.br, http://www.nbso.nic.br/
>remarks:     Mail abuse issues should also be addressed to
>remarks:     mail-abuse at nic.br
>
>% whois.registro.br accepts only direct match queries.
>% Types of queries are: domains (.BR), BR POCs, CIDR blocks,
>% IP and AS numbers.
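The Received chain and the disguised link in the quoted message are the two things a list admin can check mechanically. The following is an added example, not code from the list or any of the contributors: it walks the headers oldest-first to find where the message entered the relay path, flags the sender-supplied "Received: from inter.net" style lines that no relay wrote, and tests the visible-text-versus-href mismatch of the photo link. The sample headers are a constructed copy of those above, collapsed to one line per hop with "x at y" addresses restored to x@y.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample: the Received chain of the message quoted above, each
# header collapsed to one line and "x at y" addresses restored to x@y.
SAMPLE = "\n".join([
    "Received: from seven.gn.apc.org (greennet2.poptel.org.uk [213.55.2.207])"
    " by rits.org.br with ESMTP id md50000050134.msg; Fri, 11 Feb 2005 02:32:34 -0200",
    "Received: from mail.gn.apc.org (greennet1.poptel.org.uk [213.55.2.205])"
    " by seven.gn.apc.org (Postfix) with ESMTP id 6F3293BA3; Fri, 11 Feb 2005 04:58:22 +0000",
    "Received: from ns3.webpor.net (unknown [216.150.18.18]) by mail.gn.apc.org (Postfix)"
    " with ESMTP id CA38714B6A5; Fri, 11 Feb 2005 04:08:21 +0000",
    "Received: (qmail 30246 invoked by uid 48); 11 Feb 2005 01:38:34 -0000",
    "From: rafa_2004@terra.com.br",
    "Received: from inter.net",
    "Received: from dot.net",
    "Subject: lembra de mim?", "", "body",
])
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+(\S+)", re.S)
IP_RE = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\]")
RISKY_EXT = (".scr", ".exe", ".pif", ".com", ".bat", ".vbs")

def classify_hops(raw):
    """Walk Received headers oldest-first. Return (origin, forged): origin is
    the first hop naming both a sending host and a receiving MTA, i.e. where
    the message entered the relay path; forged lists 'from X' lines beneath
    it with no 'by' clause, which no relay wrote, so the sender supplied them."""
    hops = [h.strip() for h in reversed(message_from_string(raw).get_all("Received", []))]
    origin, forged = None, []
    for hop in hops:
        m = HOP_RE.search(hop)
        if m and origin is None:
            ip = IP_RE.search(m.group(2) or "")
            origin = {"from": m.group(1), "by": m.group(3), "ip": ip.group(1) if ip else None}
        elif not m and hop.startswith("from "):
            forged.append(hop)
    return origin, forged

def lure_link_suspicious(shown, href):
    """True when the visible link text and the real target disagree on host, or
    the target is a Windows executable presented as an image (here .jpg vs .scr)."""
    return (urlparse(shown).netloc != urlparse(href).netloc
            or urlparse(href).path.lower().endswith(RISKY_EXT))

if __name__ == "__main__":
    print(classify_hops(SAMPLE))  # origin ns3.webpor.net [216.150.18.18]; forged inter.net, dot.net
    print(lure_link_suspicious("http://www.fee.unicamp.br/docentes/fotos/rafael.jpg",
                               "http://www.guiasaiadatoca.com.br/images/rafael.scr"))  # True
```

The qmail line is written by the MTA on ns3.webpor.net itself (a local injection, not a network hop), which is why the origin search stops at the first hop that names both ends.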