Brepibot and variants

[Steve Brukbacher <sab2 () UWM EDU>]

Hello,
Just wanted to make people aware of this:
http://isc.sans.org/diary.php?storyid=1075
It appears this virus was especially targeted at
universities:
We've seen some activity of this on our campus network both Friday and
Today.

The one we got Friday was W32/Brepibot.gen.  Our campus announcement
about this is here:
https://www3.uwm.edu/imt/security/alerts/news_details.cfm?item_id=761
McAfee 4684 caught this as did CLAM AV.  From our testing this only
seemed to work on Server 2003.  Couldn't get it to run on an XP box.

Note sample message bodies below my sig.

No infections yet that we're aware of.

--
Steve Brukbacher
University of Wisconsin Milwaukee
Information Security Coordinator
UWM Computer Security Web Site
www.security.uwm.edu
Phone: 414.229.2224


"Hello,

We are planning to include you in the new campus magazine in an article
titled "Campus Life".  Can you approve the photo and article for
+us before we go to printing please?

If any details are wrong then we can amend before printing on Wednesday
the 1st of February so please get back to us as soon as possible.
+We have attached the photo and article.

Many Thanks & Best Regards,

Joseph Hope
Editor"



 "Hello,

During the early morning of January 25 2006, a campus student was the
victim of a horrific sexual assault within college grounds.
+Eyewitnesses report a tall black man in grey pants running away from
the scene.  Campus CCTV has caught this man on camera and are
+looking for ways to identify him.  If anyone recognises the attached
picture could they inform administraion immediatly


Regards,

Robert Atkins
Campus Administration"


One attachment was an .exe and the other was a zipped attachment
containing an .exe