Binary post x-posted to m.p.w.g by Calypso2134

 
 
David H. Lipman
      8th Jan 2009
You may have seen these posts. Well they are ALL the same and they are all Buzus/Steam
type password/data stealers.

http://www.virustotal.com/analisis/6...5998f6e4727dcd

a-squared 4.0.0.73 2009.01.08 Virus.Win32.Messen.L!IK
DrWeb 4.44.0.09170 2009.01.08 Trojan.Packed.407
Ikarus T3.1.1.45.0 2009.01.08 Virus.Win32.Messen.L
NOD32 3752 2009.01.08 probably a variant of Win32/PSWTool.NetPass.DF
ViRobot 2009.1.8.1550 2009.01.08 Dropper.Agent.511488

TCP Connection:
85.25.81.136:56539

FTP Connection:
85.25.81.136:21

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


 
R. McCarty
      8th Jan 2009
Thanks for the information.

A perfect example of why it's best to use only Plain Text in your email
or Newsgroup client.


"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:(E-Mail Removed)...
> You may have seen these posts. Well they are ALL the same and they are
> all Buzus/Steam
> type password/data stealers.
>
> http://www.virustotal.com/analisis/6...5998f6e4727dcd
>
> a-squared 4.0.0.73 2009.01.08 Virus.Win32.Messen.L!IK
> DrWeb 4.44.0.09170 2009.01.08 Trojan.Packed.407
> Ikarus T3.1.1.45.0 2009.01.08 Virus.Win32.Messen.L
> NOD32 3752 2009.01.08 probably a variant of Win32/PSWTool.NetPass.DF
> ViRobot 2009.1.8.1550 2009.01.08 Dropper.Agent.511488
>
> TCP Connection:
> 85.25.81.136:56539
>
> FTP Connection:
> 85.25.81.136:21
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>




 
David H. Lipman
      8th Jan 2009
From: "R. McCarty" <PcEngWork-NoSpam_@mindspring.com>

| Thanks for the information.

| A perfect example of why it's best to use only Plain Text in your email
| or Newsgroup client.

In this case it was a yEncoded 8 part multi-part binary. Since it was broken into eight
parts, the first 7 parts exceeded Microsoft's maximum attachment posting size and thus
they were blocked from being posted directly to the Microsoft News Server. However the
8th part was small enough to get posted.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
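
What the missing parts mean for reassembly, as an added example that is not part of the original thread: a Python sketch that reads the yEnc control lines (`=ybegin`, `=ypart`) from article bodies and reports which parts and byte ranges are actually present. The sample article, file name, sizes and offsets are constructed.

```python
import re

# Constructed article body: only part 8 of an 8-part yEnc post reached the server.
# File name, sizes and offsets are made up for illustration.
ARTICLES = [
    "=ybegin part=8 total=8 line=128 size=800000 name=constructed.bin\n"
    "=ypart begin=700001 end=800000\n"
    "...encoded data lines omitted...\n"
    "=yend size=100000 part=8 pcrc32=00000000\n",
]

def parse_headers(body):
    """Return the =ybegin/=ypart fields of one article as a dict, or None."""
    fields = {}
    for line in body.splitlines():
        if line.startswith("=ybegin "):
            # name= is the last field and may contain spaces
            head, _, name = line.partition(" name=")
            fields["name"] = name
            fields.update((k, int(v)) for k, v in re.findall(r"(\w+)=(\d+)", head))
        elif line.startswith("=ypart "):
            fields.update((k, int(v)) for k, v in re.findall(r"(\w+)=(\d+)", line))
    return fields if "size" in fields else None

def coverage(articles):
    """Summarise, per file name, which parts and how many bytes are present."""
    files = {}
    for body in articles:
        h = parse_headers(body)
        if h is None:
            continue  # not a yEnc article
        part = h.get("part", 1)  # single-part posts carry no part= field
        f = files.setdefault(h["name"], {"size": h["size"], "total": 1, "ranges": {}})
        f["total"] = max(f["total"], h.get("total", part))
        # begin/end are 1-based inclusive offsets into the decoded file
        f["ranges"][part] = (h.get("begin", 1), h.get("end", h["size"]))
    report = {}
    for name, f in files.items():
        present = sum(end - begin + 1 for begin, end in f["ranges"].values())
        missing = [p for p in range(1, f["total"] + 1) if p not in f["ranges"]]
        report[name] = {"missing_parts": missing, "bytes_present": present,
                        "size": f["size"],
                        "complete": not missing and present == f["size"]}
    return report

if __name__ == "__main__":
    print(coverage(ARTICLES))
```
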


 
G. Morgan
      9th Jan 2009
David H. Lipman wrote:

>You may have seen these posts.


Yep. I Plonked the idiot.

> Well they are ALL the same and they are all Buzus/Steam
>type password/data stealers.


Thanks for the heads-up.

--
Consider the daffodil. And while you're doing that,
I'll be over here, looking through your stuff. -Jack Handey
 
ArameFarpado
      9th Jan 2009
On Thursday, 8 January 2009 23:14, David H. Lipman wrote:

> You may have seen these posts. Well they are ALL the same and they are
> all Buzus/Steam type password/data stealers.
>
> http://www.virustotal.com/analisis/6...5998f6e4727dcd
>
> a-squared 4.0.0.73 2009.01.08 Virus.Win32.Messen.L!IK
> DrWeb 4.44.0.09170 2009.01.08 Trojan.Packed.407
> Ikarus T3.1.1.45.0 2009.01.08 Virus.Win32.Messen.L
> NOD32 3752 2009.01.08 probably a variant of Win32/PSWTool.NetPass.DF
> ViRobot 2009.1.8.1550 2009.01.08 Dropper.Agent.511488
>
> TCP Connection:
> 85.25.81.136:56539
>
> FTP Connection:
> 85.25.81.136:21
>


this guy doesn't even know how to spread a virus... a simple link directly
to the exe file (hosted on a server somewhere) would be more effective to do
the bullshit he intended.


 
John John (MVP)
      9th Jan 2009
Thanks, David.

John

David H. Lipman wrote:

> You may have seen these posts. Well they are ALL the same and they are all Buzus/Steam
> type password/data stealers.
>
> http://www.virustotal.com/analisis/6...5998f6e4727dcd
>
> a-squared 4.0.0.73 2009.01.08 Virus.Win32.Messen.L!IK
> DrWeb 4.44.0.09170 2009.01.08 Trojan.Packed.407
> Ikarus T3.1.1.45.0 2009.01.08 Virus.Win32.Messen.L
> NOD32 3752 2009.01.08 probably a variant of Win32/PSWTool.NetPass.DF
> ViRobot 2009.1.8.1550 2009.01.08 Dropper.Agent.511488
>
> TCP Connection:
> 85.25.81.136:56539
>
> FTP Connection:
> 85.25.81.136:21
>

 
Justin
      9th Jan 2009
David H. Lipman wrote:
> From: "R. McCarty" <PcEngWork-NoSpam_@mindspring.com>
>
>
> In this case it was a yEncoded 8 part multi-part binary. Since it was broken into eight
> parts, the first 7 parts exceeded Microsoft's maximum attachment posting size and thus
> they were blocked from being posted directly to the Microsoft News Server. However the
> 8th part was small enough to get posted.
>


Were they posted directly to the MS server, or just get passed along via
another server?

I only see the 8th part as well. Even if the whole thing would have
been downloaded the newsreader would have to be set to reassemble them and
then execute the file. The latter wouldn't be possible on my Macbook.
Heh..

yEnc rocks!
 
J S
      9th Jan 2009
I saw many more than that. Out of curiosity, I opened 2 or 3 of them with
Outlook Express. Both contain garbage text, pretty much like opening a
binary file with a text editor.

Could my PC be infected? My antivirus doesn't warn me. My wild guess is no.
I'm using WinXP with SP3 and post SP3 patches installed. The account I'm
using is a regular acct (not admin, not power user).

"Justin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> I only see the 8th part as well. Even if the whole thing would have been
> downloaded the newsreader would have to be set to reassemble them and then
> execute the file. The latter wouldn't be possible on my Macbook. Heh..
>
> yEnc rocks!



 
David H. Lipman
      9th Jan 2009
From: "J S" <js at yahoo dot com>

| I saw many more than that. Out of curiosity, I opened 2 or 3 of them with
| Outlook Express. Both contain garbage text, pretty much like opening a
| binary file with a text editor.

| Could my PC be infected? My antivirus doesn't warn me. My wild guess is no.
| I'm using WinXP with SP3 and post SP3 patches installed. The account I'm
| using is a regular acct (not admin, not power user).

No, you couldn't be infected. You only saw a small part of the whole binary and you could
NOT have executed anything.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


 