Avian Gamers Network

From: "Returned mail" <postmaster@swg-decor.com>
Date: Sat Aug 21, 2004 10:47:13 AM US/Central
To: user02@swg-decor.com
Subject: Returned mail: see transcript for details
Attachments: There is 1 attachment


Dear user of swg-decor.com,

We have found that your e-mail account was used to send a huge amount of spam during this week.
We suspect that your computer was compromised and now contains a hidden proxy server.

Please follow the instructions in order to keep your computer safe.

Virtually yours,
The swg-decor.com team.

root@www [~/rkhunter]# rkhunter

Rootkit Hunter 1.1.6, Copyright 2003-2004, Michael Boelen

Rootkit Hunter comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to redistribute it under the terms of the GNU General
Public License. See LICENSE for details.


Valid parameters:
--checkall (-c) : Check system
--createlogfile* : Create logfile
--cronjob : Run as cronjob (removes colored layout)
--display-logfile : Show logfile at end of the output
--help (-h) : Show this help
--nocolors* : Don't use colors for output
--report-mode* : Don't show uninteresting information for reports
--report-warnings-only* : Show only warnings (lesser output than --report-mode
,
more than --quiet)
--skip-application-check* : Don't run application version checks
--skip-keypress* : Don't wait after every test (non-interactive)
--quick* : Perform quick scan (instead of full scan)
--quiet* : Be quiet (only show warnings)
--update : Run update tool and check for database updates
--version : Show version and quit
--versioncheck : Check for latest version

--bindir <bindir>* : Use <bindir> instead of using default binaries
--configfile <file>* : Use different configuration file
--dbdir <dir>* : Use <dbdir> as database directory
--rootdir <rootdir>* : Use <rootdir> instead of / (slash at end)
--tmpdir <tempdir>* : Use <tempdir> as temporary directory

Explicit scan options:
--disable-md5-check* : Disable MD5 checks
--disable-passwd-check* : Disable passwd/group checks
--scan-knownbad-files* : Perform besides 'known good' check a 'known bad' che
ck

Multiple parameters are allowed
*) Parameter can only be used with other parameters

I have been getting 2-5 of these every few days now:


It comes with a Zip file attached.

Dear user {$t|of $T},{ {{M|m}ail {system|server} administrator|administration} of $T would like to {inform you{ that{:|,}|}|let you know {that|the following}{.|:|,}}|||||}

{We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {has been|was} used to send a {large|huge} amount of {{unsolicited{ commercial|}|junk} e{-|}mail|spam}{ messages|} during {this|the {last|recent}} week.
{We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected{ by a recent v{iru}s|}} and now {run|contain}s a {trojan{ed|}|hidden} proxy server.

{Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in the {attachment|attached {text |}file} |}in order to keep your computer safe.

{{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day},
{$T {user |technical |}support team.|The $T {support |}team.}

By opening the zip file, you run the risk of infecting your system with the worm (if your OS is vulnerable)