Security Basics mailing list archives
RE: Worm.SCO.A
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Thu, 29 Jan 2004 10:00:16 -0800
Worm.SCO.A maps to Novarg (F-Secure), W32.Novarg.A@mm (Symantec), W32/Mydoom.a@MM, Win32.Mydoom.A (CA), Win32/Shimg (CA), WORM_MIMAIL.R (Trend). It is not a MIMAIL variant as Trend Micro suspected so AV DEF looking for MIMAIL and the ilk will miss the virii. I haven't received any Mydoom.B virii so I don't know what ClamAV will call that (Worm.SCO.B or Worm.MICROSOFT.A, whatever). Shawn Jackson Systems Administrator Horizon USA 1190 Trademark Dr #107 Reno NV 89521 www.horizonusa.com Email: sjackson () horizonusa com Phone: (775) 858-2338 (800) 325-1199 x338 -----Original Message----- From: Hamish Stanaway [mailto:koremeltdown () hotmail com] Sent: Wednesday, January 28, 2004 2:05 AM To: Shawn Jackson; security-basics () securityfocus com Subject: RE: Worm.SCO.A Hi there, I just wanted to let Shawn and others know that you are not alone, I too have recieved several copies of this mail in the past 24 hours, and am beginning to wonder what it is. Kindest of regards, Hamish Stanaway Absolute Web Hosting Owner/Operator Auckland New Zealand http://www.webhosting.net.nz http://www.buywebhosting.co.nz
From: "Shawn Jackson" <sjackson () horizonusa com> To: <security-basics () securityfocus com> Subject: Worm.SCO.A Date: Mon, 26 Jan 2004 14:38:23 -0800 MIME-Version: 1.0 Received: from outgoing2.securityfocus.com ([205.206.231.26]) by mc8-f31.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Wed, 28 Jan
2004
00:55:31 -0800 Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])by outgoing2.securityfocus.com (Postfix) with QMQPid 796F08F81A; Tue, 27 Jan 2004 10:41:15 -0700 (MST) Received: (qmail 26490 invoked from network); 26 Jan 2004 23:04:45
-0000
X-Message-Info: 6sSXyD95QpVARocLih1tSEi4bFjjlIQ9 Mailing-List: contact security-basics-help () securityfocus com; run by
ezmlm
Precedence: bulk List-Id: <security-basics.list-id.securityfocus.com> List-Post: <mailto:security-basics () securityfocus com> List-Help: <mailto:security-basics-help () securityfocus com> List-Unsubscribe:
<mailto:security-basics-unsubscribe () securityfocus com>
List-Subscribe: <mailto:security-basics-subscribe () securityfocus com> Delivered-To: mailing list security-basics () securityfocus com Delivered-To: moderator for security-basics () securityfocus com content-class: urn:content-classes:message X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0 Message-ID: <EA4A7785EECF644493D88EB58A80992D8DFA9C () hzmail horizon lcl> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Worm.SCO.A Thread-Index: AcPkUphWt8utkfEfQyGl0VstP6ZDrwAAr/nwAAGI2jA= X-Virus-Scanned: HorizonUSA Mail Security System Return-Path: security-basics-return-26478-koremeltdown=hotmail.com () securityfocus com X-OriginalArrivalTime: 28 Jan 2004 08:55:31.0563 (UTC) FILETIME=[7C00ABB0:01C3E57C] Anyone else encountering this? I've just got hammered with a few
hundred of these in the last hour and a half and I can't quite discern what exactly the virii is. There doesn't seam to be a map from ClamAV virus naming format to any other. Anyone have a clue of what this virus
is? I looked at the quarantine, and it seamed to be just the virii
payload
and no content, file.pif.exe. I've also seen it as a file.zip, doc.zip,
document.zip, document.pif, rhn.scr, data.zip, message.zip, test.zip. There could be more, but I just don't have the time to check the payload on all the messages. -------------------AMAVIS REPORT------------------ A virus (Worm.SCO.A) was found. Two banned names (file.pif, .exe) were found. Scanner detecting a virus: Clam Antivirus-clamd The mail originated from: <ctccyc () aol com> According to the 'Received:' trace, the message originated at: aol.com (unknown [12.9.171.xxx]) The message WAS NOT delivered to: <xxx () horizonusa com>: 550 5.7.1 Message content rejected, id=28441-07 - VIRUS: Worm.SCO.A Virus scanner output: /var/amavisd/tmp/amavis-20040126T141220-28441/parts/part-00002: Worm.SCO.A FOUND The message has been quarantined as: /var/amavisd/quarantine/virus-20040126-141800-28441-07 ------------------------- BEGIN HEADERS ----------------------------- Return-Path: <xxxxx () aol com> Received: from aol.com (unknown [12.9.171.xxx]) by mta1.horizonusa.com (Postfix) with ESMTP id DFA572D8106 for <ted () horizonusa com>; Mon, 26 Jan 2004 14:17:59 -0800 (PST) From: xxxx () aol com To: xxx () horizonusa com Subject: Date: Mon, 26 Jan 2004 14:17:47 -0800 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0010_465EEF13.4CF1817C" X-Priority: 3 X-MSMail-Priority: Normal Message-Id: <20040126221759.DFA572D8106 () mta1 horizonusa com> -------------------------- END HEADERS ------------------------------ Shawn Jackson Systems Administrator Horizon USA 1190 Trademark Dr #107 Reno NV 89521 www.horizonusa.com Email: sjackson () horizonusa com Phone: (775) 858-2338 (800) 325-1199 x338 ----------------------------------------------------------------------- ---- Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off
any
course! All of our class sizes are guaranteed to be 10 students or
less.
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion
Prevention,
and many other technical hands on courses. Visit us at http://www.infosecinstitute.com/securityfocus to get $720
off
any course! -----------------------------------------------------------------------
-----
_________________________________________________________________ Find high-speed 'net deals - comparison-shop your local providers here. https://broadband.msn.com ------------------------------------------------------------------------ --- Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any course! All of our class sizes are guaranteed to be 10 students or less. We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, and many other technical hands on courses. Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off any course! ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any course! All of our class sizes are guaranteed to be 10 students or less. We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, and many other technical hands on courses. Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off any course! ----------------------------------------------------------------------------
Current thread:
- Re: Worm.SCO.A, (continued)
- Re: Worm.SCO.A jamesworld (Jan 27)
- Token Authentication for Terminal Services erisk (Jan 28)
- Re: Worm.SCO.A Ricardo Oliva (Jan 28)
- Re: Worm.SCO.A Brian Keefer (Jan 28)
- Re: Worm.SCO.A Marcos E. Rodriguez (Jan 28)
- RE: Worm.SCO.A Reggie Jackson (Jan 28)
- RE: Worm.SCO.A Michael Bellears (Jan 28)
- RE: Worm.SCO.A Hamish Stanaway (Jan 28)
- RE: Worm.SCO.A Shawn Jackson (Jan 28)
- RE: Worm.SCO.A Jones, Steve (Jan 28)
- RE: Worm.SCO.A Shawn Jackson (Jan 29)
- Re: Worm.SCO.A jamesworld (Jan 27)