Interesting email thread with passworded zip file

Tonight I was pulling email from the account I list in my sig (it's a
disposable account) and got two email's telling me that my email account
had been deactivated and that the details where in an attached Zip file.
One thing to note, the account still works fine. Both Zip files were
different names, but were sent from the same email server.

I called RR and they know nothing about it, I warned them and sent the
file to so they could be on the lookout for it too.

Now, I'm not anywhere stupid enough to open a passworded Zip file, and
not stupid enough to fall for this childish crap, but I thought I would
post this out there in case anyone else gets something like this:

Return-Path: <>
Received: from mx3.biz.rr.com ([192.168.201.29]) by fep05.biz.rr.com
(InterMail vM.5.01.03.06 201-253-122-118-106-20010523) with
ESMTP
id <. rr.com>
for <>; Tue, 2 Mar 2004 23:41:06 -0500
Received: from Hours (hours.micro.uiuc.edu [128.174.97.18])
by mx3.biz.rr.com (8.12.10/8.12.10) with SMTP id i234f5U4002896
for <>; Tue, 2 Mar 2004 23:41:05 -0500 (EST)
Date: Tue, 02 Mar 2004 22:42:21 -0600
To:
Subject: E-mail account security warning.
From:
Message-ID: <>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------xxlqmnigdawgslfadase"

Dear user of Rrohio.com gateway e-mail server,

Your e-mail account has been temporary disabled because of
unauthorized access.

Please, read the attach for further details.

Attached file protected with the password for security reasons.
Password is 01747.

Kind regards,
The Rrohio.com team
http://www.rrohio.com


--
--

(Remove 999 to reply to me)

Leythos

My ISP has already posted warnings, a virus/trojan for sure.

--

************************************************

g-w


"Leythos" <> wrote in message
news:...
> Tonight I was pulling email from the account I list in my sig (it's a
> disposable account) and got two email's telling me that my email account
> had been deactivated and that the details where in an attached Zip file.
> One thing to note, the account still works fine. Both Zip files were
> different names, but were sent from the same email server.
>
> I called RR and they know nothing about it, I warned them and sent the
> file to so they could be on the lookout for it too.
>
> Now, I'm not anywhere stupid enough to open a passworded Zip file, and
> not stupid enough to fall for this childish crap, but I thought I would
> post this out there in case anyone else gets something like this:
>
> Return-Path: <>
> Received: from mx3.biz.rr.com ([192.168.201.29]) by fep05.biz.rr.com
> (InterMail vM.5.01.03.06 201-253-122-118-106-20010523) with
> ESMTP
> id <. rr.com>
> for <>; Tue, 2 Mar 2004 23:41:06 -0500
> Received: from Hours (hours.micro.uiuc.edu [128.174.97.18])
> by mx3.biz.rr.com (8.12.10/8.12.10) with SMTP id i234f5U4002896
> for <>; Tue, 2 Mar 2004 23:41:05 -0500 (EST)
> Date: Tue, 02 Mar 2004 22:42:21 -0600
> To:
> Subject: E-mail account security warning.
> From:
> Message-ID: <>
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="--------xxlqmnigdawgslfadase"
>
> Dear user of Rrohio.com gateway e-mail server,
>
> Your e-mail account has been temporary disabled because of
> unauthorized access.
>
> Please, read the attach for further details.
>
> Attached file protected with the password for security reasons.
> Password is 01747.
>
> Kind regards,
> The Rrohio.com team
> http://www.rrohio.com
>
>
> --
> --
>
> (Remove 999 to reply to me)

kulm_nd

While still snuggled in a 'spider hole', Leythos <> scribbled:

>Tonight I was pulling email from the account I list in my sig (it's a
>disposable account) and got two email's telling me that my email account
>had been deactivated and that the details where in an attached Zip file.
>One thing to note, the account still works fine. Both Zip files were
>different names, but were sent from the same email server.

Those zip files contain a virus. Just delete them.






To reply by email, remove the XYZ.

Lumber Cartel (tinlc) #2063. Spam this account at your own risk.

This sig censored by the Office of Home and Land Insecurity....

Never anonymous Bud

Leythos wrote:

>I called RR and they know nothing about it, I warned them and sent the
>file to so they could be on the lookout for it too.

You may want to give the University of Illinois a heads-up as well.
I'm sure their IT staff would be interested to know that one of their
computers is potentially spreading malware.

Micheal Robert Zium

In article <>, mrozium@XSPAMX-
yahoo.com says...
> Leythos wrote:
>
> >I called RR and they know nothing about it, I warned them and sent the
> >file to so they could be on the lookout for it too.
>
> You may want to give the University of Illinois a heads-up as well.
> I'm sure their IT staff would be interested to know that one of their
> computers is potentially spreading malware.

I sent it to last night with full headers and the actual
email's.

--
--

(Remove 999 to reply to me)

Leythos

On Wed, 03 Mar 2004 05:02:12 GMT, Leythos <> wrote:

>Tonight I was pulling email from the account I list in my sig (it's a
>disposable account) and got two email's telling me that my email account
>had been deactivated and that the details where in an attached Zip file.
>One thing to note, the account still works fine. Both Zip files were
>different names, but were sent from the same email server.

Most likely W32/Bagle.j@MM - more info at:
http://vil.nai.com/vil/content/v_101071.htm

>I called RR and they know nothing about it,

No surprise there then

Jon

Jon Sturgeon

"Jon Sturgeon" <> wrote in message
news:...
> On Wed, 03 Mar 2004 05:02:12 GMT, Leythos <> wrote:
>
> Most likely W32/Bagle.j@MM - more info at:
> http://vil.nai.com/vil/content/v_101071.htm

Actually it's probably K. I got three of those myself today.

ShadowDragon

I've gotten tons of these, but it was quite obvious that it wasn't real. I
own several domain names, and I kept getting "Dear user of <domain> gateway
e-mail server" and messages signed as "The <domain> team"

I'm sure a shitload of people are falling for or freaking out about it
though.

"Leythos" <> wrote in message
news:...
> Tonight I was pulling email from the account I list in my sig (it's a
> disposable account) and got two email's telling me that my email account
> had been deactivated and that the details where in an attached Zip file.
> One thing to note, the account still works fine. Both Zip files were
> different names, but were sent from the same email server.
>
> I called RR and they know nothing about it, I warned them and sent the
> file to so they could be on the lookout for it too.
>
> Now, I'm not anywhere stupid enough to open a passworded Zip file, and
> not stupid enough to fall for this childish crap, but I thought I would
> post this out there in case anyone else gets something like this:
>
> Return-Path: <>
> Received: from mx3.biz.rr.com ([192.168.201.29]) by fep05.biz.rr.com
> (InterMail vM.5.01.03.06 201-253-122-118-106-20010523) with
> ESMTP
> id <. rr.com>
> for <>; Tue, 2 Mar 2004 23:41:06 -0500
> Received: from Hours (hours.micro.uiuc.edu [128.174.97.18])
> by mx3.biz.rr.com (8.12.10/8.12.10) with SMTP id i234f5U4002896
> for <>; Tue, 2 Mar 2004 23:41:05 -0500 (EST)
> Date: Tue, 02 Mar 2004 22:42:21 -0600
> To:
> Subject: E-mail account security warning.
> From:
> Message-ID: <>
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="--------xxlqmnigdawgslfadase"
>
> Dear user of Rrohio.com gateway e-mail server,
>
> Your e-mail account has been temporary disabled because of
> unauthorized access.
>
> Please, read the attach for further details.
>
> Attached file protected with the password for security reasons.
> Password is 01747.
>
> Kind regards,
> The Rrohio.com team
> http://www.rrohio.com
>
>
> --
> --
>
> (Remove 999 to reply to me)

Anthony Brant