Educause Security Discussion mailing list archives
Re: Novarg.A signature
From: RLVaughn <Randy_Vaughn () BAYLOR EDU>
Date: Wed, 28 Jan 2004 15:59:03 -0600
Hello Cam,

Any luck on variant B?

Wednesday, January 28, 2004, 12:35:22 AM, you wrote:
---------
E-mail admins / IDS analysts:
The following is a highly accurate Novarg.A signature:
----------------------------------- wrapped for AVscanner's digestion -----------------------------------
ApIAUCZKAEAD/bJpmiwQBPQl6AEAS85pmm7ZH 8gqwAO4sKimaZqmoJiQiICapmmaeHBoYFhQzWCf
It has been tested on several thousand pieces of Novarg.A infected e-mail and has not yet exhibited any collateral damage.
One caveat is that there does seem to be another variant of Novarg that writes the infected EXE into a ZIP file that is not auto-extracting. The above signature does NOT work in this particular case, but I'm only seeing one of these for every 5000 or so self-executing Novarg.As.
~cam.
Cam Beasley
Information Security Office
The University of Texas at Austin
cam () mail utexas edu
---------------------------
Report Abuse To:
- abuse () utexas edu - 512.475.9242
---------------------------
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
---------
Best regards,
Randal Vaughn
Professor
Baylor University
mailto:Randy_Vaughn () Baylor edu
Current thread:
- Novarg.A signature Cam Beasley, ISO (Jan 27)
- <Possible follow-ups>
- Re: Novarg.A signature RLVaughn (Jan 28)