Security Basics mailing list archives
RE: Worm.SCO.A
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Wed, 28 Jan 2004 08:06:38 -0800
According to this (http://www.math.org.il/newworm-digest1.txt) the worm is supposed to die on Feb 12th 2004. A theory is that the DDoS attack against SCO was just a plant, and not part of 'actual' operations on the worm, i.e. to throw someone off while working on the worm. Its primary function, besides spreading, seems to be accepting a file transfer on port 3127 and then running it. Doesn't seem like a 'normal' spammer virii tactic as some seem to be suggesting.

I haven't had time myself to pore through the assembly of the worm and am going off the assembly provided in the document above. But they seem to point out the bits and bytes pretty well.

Shawn

-----Original Message-----
From: jamesworld () intelligencia com [mailto:jamesworld () intelligencia com]
Sent: Tuesday, January 27, 2004 4:23 PM
To: Shawn Jackson
Cc: security-basics () securityfocus com
Subject: Re: Worm.SCO.A

Same as MyDoom. Check www.pandasoftware.com, www.nai.com, etc. Payload has already been decoded and report is at above sites.

-James

At 16:38 01/26/2004, you wrote:

Anyone else encountering this? I've just got hammered with a few hundred of these in the last hour and a half and I can't quite discern what exactly the virii is. There doesn't seem to be a map from ClamAV virus naming format to any other. Anyone have a clue of what this virus is?

I looked at the quarantine, and it seemed to be just the virii payload and no content, file.pif.exe. I've also seen it as file.zip, doc.zip, document.zip, document.pif, rhn.scr, data.zip, message.zip, test.zip. There could be more, but I just don't have the time to check the payload on all the messages.

-------------------AMAVIS REPORT------------------
A virus (Worm.SCO.A) was found.
Two banned names (file.pif, .exe) were found.
Scanner detecting a virus: Clam Antivirus-clamd
The mail originated from: <ctccyc () aol com>
According to the 'Received:' trace, the message originated at: aol.com (unknown [12.9.171.xxx])
The message WAS NOT delivered to: <xxx () horizonusa com>: 550 5.7.1 Message content rejected, id=28441-07 - VIRUS: Worm.SCO.A
Virus scanner output: /var/amavisd/tmp/amavis-20040126T141220-28441/parts/part-00002: Worm.SCO.A FOUND
The message has been quarantined as: /var/amavisd/quarantine/virus-20040126-141800-28441-07

------------------------- BEGIN HEADERS -----------------------------
Return-Path: <xxxxx () aol com>
Received: from aol.com (unknown [12.9.171.xxx]) by mta1.horizonusa.com (Postfix) with ESMTP id DFA572D8106 for <ted () horizonusa com>; Mon, 26 Jan 2004 14:17:59 -0800 (PST)
From: xxxx () aol com
To: xxx () horizonusa com
Subject:
Date: Mon, 26 Jan 2004 14:17:47 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0010_465EEF13.4CF1817C"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20040126221759.DFA572D8106 () mta1 horizonusa com>
-------------------------- END HEADERS ------------------------------

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338 (800) 325-1199 x338

---------------------------------------------------------------------------
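The attachment names listed in the original post (file.pif.exe, document.pif, rhn.scr and a set of .zip files) and the AMAVIS "banned names" hit on file.pif / .exe are exactly the kind of thing a simple pre-filter can catch before a signature exists. The following is an added example written for this archive page; it is not code from the thread, from amavisd or from ClamAV. It walks the MIME parts of a message, flags executable extensions and double extensions, and looks inside ZIP attachments for executable members. The extension lists are an assumed local policy, and the sample message it builds is constructed with inert placeholder bytes, not the worm.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed local policy for the example: extensions blocked outright, and
# archive types whose contents are inspected. Adjust to taste.
EXEC_EXTENSIONS = {"exe", "pif", "scr", "com", "bat", "cmd"}
ARCHIVE_EXTENSIONS = {"zip"}

# "name.pif.exe" style double extensions: a short inner extension followed by
# one of the executable extensions at the very end of the name.
DOUBLE_EXT = re.compile(
    r"\.[a-z0-9]{1,4}\.(" + "|".join(sorted(EXEC_EXTENSIONS)) + r")$", re.I
)


def classify_name(name):
    """Return a reason string if the filename should be banned, else None."""
    lowered = name.lower()
    if DOUBLE_EXT.search(lowered):
        return "double extension"
    ext = lowered.rsplit(".", 1)[-1] if "." in lowered else ""
    if ext in EXEC_EXTENSIONS:
        return "executable extension ." + ext
    return None


def inspect_zip(data):
    """Look inside a ZIP attachment and report banned member names."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                reason = classify_name(member)
                if reason:
                    findings.append((member, reason))
    except zipfile.BadZipFile:
        # A broken archive is itself suspicious; report rather than ignore it.
        findings.append(("<unreadable zip>", "corrupt archive"))
    return findings


def scan_message(raw):
    """Walk every MIME part of a raw message; return [(name, reason), ...]."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue  # body text, not an attachment
        reason = classify_name(name)
        if reason:
            findings.append((name, reason))
        payload = part.get_payload(decode=True)
        ext = name.lower().rsplit(".", 1)[-1]
        if ext in ARCHIVE_EXTENSIONS and payload:
            for member, why in inspect_zip(payload):
                findings.append((name + ":" + member, why))
    return findings


def build_sample():
    """Constructed test message reusing attachment names from the thread.

    The attachment bodies are inert placeholder bytes, not malware.
    """
    msg = EmailMessage()
    msg["From"] = "xxxx@example.com"
    msg["To"] = "xxx@example.com"
    msg.set_content("")
    msg.add_attachment(b"not an executable", maintype="application",
                       subtype="octet-stream", filename="file.pif.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.pif", b"inert placeholder")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    msg.add_attachment("plain text", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample()):
        print(name, "->", reason)
```

Run against the constructed sample it reports file.pif.exe as a double extension and document.zip:document.pif as an executable inside an archive, while notes.txt passes. Name-based checks like this are cheap and catch the obvious lures, but they are only a first layer: a renamed or password-protected archive sails through, which is why the AMAVIS report above still relies on the scanner for the actual verdict.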
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any course! All of our class sizes are guaranteed to be 10 students or less. We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, and many other technical hands on courses. Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off any course!
---------------------------------------------------------------------------
Current thread:
- Worm.SCO.A Shawn Jackson (Jan 27)
- Re: Worm.SCO.A jamesworld (Jan 27)
- Token Authentication for Terminal Services erisk (Jan 28)
- Re: Worm.SCO.A Ricardo Oliva (Jan 28)
- Re: Worm.SCO.A Brian Keefer (Jan 28)
- Re: Worm.SCO.A Marcos E. Rodriguez (Jan 28)
- RE: Worm.SCO.A Reggie Jackson (Jan 28)
- <Possible follow-ups>
- RE: Worm.SCO.A Michael Bellears (Jan 28)
- RE: Worm.SCO.A Hamish Stanaway (Jan 28)
- RE: Worm.SCO.A Shawn Jackson (Jan 28)
- RE: Worm.SCO.A Jones, Steve (Jan 28)
- RE: Worm.SCO.A Shawn Jackson (Jan 29)
- Re: Worm.SCO.A jamesworld (Jan 27)