Re: Virus? Trojan?

["Peter Kruse" <kruse () railroad dk>]

Hi David,

That would be Yaha-K. This new variant is spreading
heavily in Holland. Earlier today McAfee opgraded the
worm to a medium risk:
http://vil.nai.com/vil/content/v_99918.htm

There are many subject lines/Message bodies/Attachment 
names that W32/Yaha.k may use.

It's very likely spreading because of problems with the invalid 
MIME formatting of some of the Yaha.k mails. The worm is
known to be able to pass through mailsweeper v4.2x.

Kind regards
Peter Kruse
Securityconsultant
http://www.krusesecurity.dk


----- Original Message ----- 
From: "David Gillett" <gillettdavid () fhda edu>
To: "'Incidents List'" <incidents () securityfocus com>
Sent: Monday, December 30, 2002 11:03 PM
Subject: Virus? Trojan?


>   So far today, I've received two email messages from
>
> kbl-zrz2519.zeelandnet.nl [62.238.233.233]
>
> which, apparently, claimed in its HELO message to *be*
> our local MX (which of course was who it was talking TO).
> Sounds to me like a bug in the sending software.
>
>   The other thing these messages had in common was a 
> 33KB .scr ("screen saver") executable attachment.
> Norton doesn't recognize this as a known threat, but
> I don't want to be the first to learn the hard way what
> it does.
>
>   MAYBE this is just ill-conceived and poorly-written 
> spam.  Maybe it's something more serious.  Anybody know
> one way or the other?
>
> David Gillett
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com