Security Basics mailing list archives

RE: Worm.SCO.A


From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Thu, 29 Jan 2004 10:00:16 -0800

Worm.SCO.A maps to Novarg (F-Secure), W32.Novarg.A@mm (Symantec),
W32/Mydoom.a@MM, Win32.Mydoom.A (CA), Win32/Shimg (CA), WORM_MIMAIL.R
(Trend). It is not a MIMAIL variant as Trend Micro suspected so AV DEF
looking for MIMAIL and the ilk will miss the virii. I haven't received
any Mydoom.B virii so I don't know what ClamAV will call that
(Worm.SCO.B or Worm.MICROSOFT.A, whatever).

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521

www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
             (800) 325-1199 x338
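The naming mismatch above (one worm, six vendor names, and a gateway that only reports the ClamAV one) is the practical problem a mail administrator has to solve when a quarantine notice arrives. The following Python is an added example, not code from this thread or from any of its posters: it parses an AMAVIS virus report of the shape quoted further down in Shawn's original message, resolves the scanner's detection name against the vendor aliases listed in the reply above, and classifies the banned attachment names the way a gateway banned-name rule does. The family label "Mydoom.A", the function names and the extension lists are choices made for this example; the sample report is the one from the thread, with the archive's address masking left in place. It needs only the standard library.

```python
"""Added example (not part of the thread): parse an AMAVIS virus report,
resolve the detection name across vendor aliases, classify attachments."""
import re

# Vendor names for the same worm, as listed in Shawn Jackson's reply.
# "Mydoom.A" is a family label chosen for this example, not a ClamAV name.
FAMILY_ALIASES = {
    "Mydoom.A": [
        "Worm.SCO.A",        # ClamAV
        "Novarg",            # F-Secure
        "W32.Novarg.A@mm",   # Symantec
        "W32/Mydoom.a@MM",
        "Win32.Mydoom.A",    # CA
        "Win32/Shimg",       # CA
        "WORM_MIMAIL.R",     # Trend Micro
    ],
}

# Reverse index so any vendor's name resolves to the family (case-insensitive).
_ALIAS_INDEX = {alias.lower(): family
                for family, aliases in FAMILY_ALIASES.items()
                for alias in aliases}

# Extensions a gateway banned-name rule treats as executable content (chosen here).
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd"}
ARCHIVE_EXTS = {"zip"}

# Report text taken from the thread (amavisd-new notice); addresses are
# masked the way the list archive masks them.
SAMPLE_REPORT = """\
A virus (Worm.SCO.A) was found.
Two banned names (file.pif, .exe) were found.
Scanner detecting a virus: Clam Antivirus-clamd
The mail originated from: <ctccyc () aol com>
According to the 'Received:' trace, the message originated at:
   aol.com (unknown [12.9.171.xxx])
The message WAS NOT delivered to:
<xxx () horizonusa com>:
   550 5.7.1 Message content rejected, id=28441-07 - VIRUS: Worm.SCO.A
The message has been quarantined as:
   /var/amavisd/quarantine/virus-20040126-141800-28441-07
"""


def canonical_name(detection):
    """Map a vendor detection name (optionally tagged "(Vendor)") to its
    family label, or None if the name is not in the alias table."""
    name = re.sub(r"\s*\([^)]*\)\s*$", "", detection).strip().lower()
    return _ALIAS_INDEX.get(name)


def parse_amavis_report(text):
    """Pull the fields a responder needs out of an AMAVIS virus report."""
    result = {"virus": None, "banned_names": [], "scanner": None,
              "originator": None, "origin_host": None, "origin_ip": None,
              "quarantine": None, "delivered": True}
    single = {
        "virus": r"A virus \(([^)]+)\) was found",
        "scanner": r"Scanner detecting a virus: (.+)",
        "originator": r"The mail originated from: <([^>]+)>",
        "quarantine": r"quarantined as:\s*\n\s*(\S+)",
    }
    for key, pattern in single.items():
        m = re.search(pattern, text)
        if m:
            result[key] = m.group(1).strip()
    m = re.search(r"banned names? \(([^)]+)\) (?:was|were) found", text)
    if m:
        result["banned_names"] = [n.strip() for n in m.group(1).split(",")]
    # The 'Received:' trace line looks like "host (rdns [ip])".
    m = re.search(r"originated at:\s*\n\s*(\S+) \(\S+ \[([^\]]+)\]\)", text)
    if m:
        result["origin_host"], result["origin_ip"] = m.group(1), m.group(2)
    # AMAVIS writes "WAS NOT delivered" when the message was blocked.
    result["delivered"] = "WAS NOT delivered" not in text
    return result


def suspicious_attachment(filename):
    """Classify an attachment name: a double extension ending in an executable
    type, a bare executable type, an archive that needs inspection, or None."""
    exts = filename.lower().split(".")[1:]
    if not exts:
        return None
    if exts[-1] in EXECUTABLE_EXTS:
        return "double extension" if len(exts) >= 2 else "executable"
    if exts[-1] in ARCHIVE_EXTS:
        return "archive"
    return None


def triage(report_text):
    """Combine the three steps into one summary for a quarantine notice."""
    report = parse_amavis_report(report_text)
    report["family"] = canonical_name(report["virus"]) if report["virus"] else None
    report["attachment_flags"] = {name: suspicious_attachment(name)
                                  for name in report["banned_names"]}
    return report
```

Running `triage(SAMPLE_REPORT)` on the report from the thread yields the family "Mydoom.A", the originating host and masked IP, the quarantine path, and `delivered: False`; the same alias table lets an operator match vendor bulletins written in Symantec's or Trend Micro's naming against what the ClamAV-backed gateway logged.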



-----Original Message-----
From: Hamish Stanaway [mailto:koremeltdown () hotmail com] 
Sent: Wednesday, January 28, 2004 2:05 AM
To: Shawn Jackson; security-basics () securityfocus com
Subject: RE: Worm.SCO.A


Hi there,

I just wanted to let Shawn and others know that you are not alone; I too
have received several copies of this mail in the past 24 hours, and am
beginning to wonder what it is.

Kindest of regards,

Hamish Stanaway

Absolute Web Hosting
Owner/Operator
Auckland
New Zealand

http://www.webhosting.net.nz
http://www.buywebhosting.co.nz





From: "Shawn Jackson" <sjackson () horizonusa com>
To: <security-basics () securityfocus com>
Subject: Worm.SCO.A
Date: Mon, 26 Jan 2004 14:38:23 -0800
MIME-Version: 1.0
Received: from outgoing2.securityfocus.com ([205.206.231.26]) by
 mc8-f31.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824);
 Wed, 28 Jan 2004 00:55:31 -0800
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
 by outgoing2.securityfocus.com (Postfix) with QMQP id 796F08F81A;
 Tue, 27 Jan 2004 10:41:15 -0700 (MST)
Received: (qmail 26490 invoked from network); 26 Jan 2004 23:04:45 -0000
X-Message-Info: 6sSXyD95QpVARocLih1tSEi4bFjjlIQ9
Mailing-List: contact security-basics-help () securityfocus com; run by
ezmlm
Precedence: bulk
List-Id: <security-basics.list-id.securityfocus.com>
List-Post: <mailto:security-basics () securityfocus com>
List-Help: <mailto:security-basics-help () securityfocus com>
List-Unsubscribe:
<mailto:security-basics-unsubscribe () securityfocus com>
List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
Delivered-To: mailing list security-basics () securityfocus com
Delivered-To: moderator for security-basics () securityfocus com
content-class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
Message-ID: <EA4A7785EECF644493D88EB58A80992D8DFA9C () hzmail horizon lcl>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Worm.SCO.A
Thread-Index: AcPkUphWt8utkfEfQyGl0VstP6ZDrwAAr/nwAAGI2jA=
X-Virus-Scanned: HorizonUSA Mail Security System
Return-Path: security-basics-return-26478-koremeltdown=hotmail.com () securityfocus com
X-OriginalArrivalTime: 28 Jan 2004 08:55:31.0563 (UTC) FILETIME=[7C00ABB0:01C3E57C]


      Anyone else encountering this? I've just got hammered with a few
hundred of these in the last hour and a half and I can't quite discern
what exactly the virii is. There doesn't seem to be a map from ClamAV
virus naming format to any other. Anyone have a clue of what this virus
is?

      I looked at the quarantine, and it seemed to be just the virii
payload and no content, file.pif.exe. I've also seen it as a file.zip,
doc.zip, document.zip, document.pif, rhn.scr, data.zip, message.zip,
test.zip. There could be more, but I just don't have the time to check
the payload on all the messages.

-------------------AMAVIS REPORT------------------
A virus (Worm.SCO.A) was found.

Two banned names (file.pif, .exe) were found.

Scanner detecting a virus: Clam Antivirus-clamd

The mail originated from: <ctccyc () aol com>

According to the 'Received:' trace, the message originated at:
   aol.com (unknown [12.9.171.xxx])

The message WAS NOT delivered to:
<xxx () horizonusa com>:
   550 5.7.1 Message content rejected, id=28441-07 - VIRUS: Worm.SCO.A

Virus scanner output:
   /var/amavisd/tmp/amavis-20040126T141220-28441/parts/part-00002:
Worm.SCO.A FOUND

The message has been quarantined as:
   /var/amavisd/quarantine/virus-20040126-141800-28441-07

------------------------- BEGIN HEADERS -----------------------------
Return-Path: <xxxxx () aol com>
Received: from aol.com (unknown [12.9.171.xxx])
      by mta1.horizonusa.com (Postfix) with ESMTP id DFA572D8106
      for <ted () horizonusa com>; Mon, 26 Jan 2004 14:17:59 -0800 (PST)
From: xxxx () aol com
To: xxx () horizonusa com
Subject:
Date: Mon, 26 Jan 2004 14:17:47 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
      boundary="----=_NextPart_000_0010_465EEF13.4CF1817C"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20040126221759.DFA572D8106 () mta1 horizonusa com>
-------------------------- END HEADERS ------------------------------

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521

www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
             (800) 325-1199 x338

---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
course! All of our class sizes are guaranteed to be 10 students or less.
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
and many other technical hands on courses.
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
any course!
----------------------------------------------------------------------------

