What's going on?

Sun May 4 16:27:13 CEST 2003

Sigvald Grøsfjeld jr. wrote:

>Today I have recieved two strange mails from other Donaldist-friends. First
>a mail from Nils Lid Hjort, witch make no sense at all to me. Then there is
>the recent mail from Stefan Persson in where he responds to another
>pointless mail.
>
>So can anyone tell me what's going on?
>  
>
After sending that mail to DCML, I received a private answer from Søren:

 > Probably a virus. Please send it to me, I am sooo curious.

I checked then checked the e-mail size: 122 KiB.  So Søren seems to be 
right.  At first I assumed that it was just an ordinary mail sent from 
the DCML server, but this suggests otherwise.  Some headers:

From: dcml <dcml at stp.ling.uu.se>
To: reimersholme at hotmail.com
Subject: Your password
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary=O8224x0Nn1V8i1
Message-Id: <E19C9OY-0004wt-Pc at sc016pub.verizon.net>
Date: Sat, 03 May 2003 21:38:30 -0500

66.25.80.236 corresponds to cs662580-236.satx.rr.com, but that site does not seem to exist.  At least, the DCML server is not mentioned anywhere.  The message contains four parts:

Part 1:
--O8224x0Nn1V8i1
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:L79WR126Xs1 height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>

Part 2:
--O8224x0Nn1V8i1
Content-Type: audio/x-wav;
	name=src.scr
Content-Transfer-Encoding: base64
Content-ID: <L79WR126Xs1>

[This is the virus.  I've left out the rest of it]

Part 3:
--O8224x0Nn1V8i1
[i.e. only a part delimiter in this part]

Part 4:
--O8224x0Nn1V8i1
Content-Type: application/octet-stream;
	name=exit[1].html
Content-Transfer-Encoding: base64
Content-ID: <L79WR126Xs1>

[Seems to be related to the virus.  The rest of this part has been left out.]

Part 5:
--O8224x0Nn1V8i1--
[again, only a part delimiter]

I doubt that it is possible to trace this message.

Stefan