Interesting People mailing list archives

more on New Horizons in spam and virii ~ "new price"


From: David Farber <dave () farber net>
Date: Mon, 09 Aug 2004 18:01:35 -0400



Begin forwarded message:

From: Dan Updegrove <updegrove () mail utexas edu>
Date: August 9, 2004 5:45:51 PM EDT
To: dave () farber net
Subject: Re: [IP] New Horizons in spam and virii ~ "new price"

 Dave,

McAfee identifies "new price" as W32/Bagle.AQ@MM, a mass-mailing worm, which

 - contains its own SMTP engine to construct outgoing messages
 - harvests email addresses from the victim machine
 - the From: address of messages is spoofed
 - attachment is a zip file, which contains an EXE and HTML file
 - contains a remote access component (notification is sent to hacker)
 - copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc.)

 Useful write-up at <http://vil.nai.com/vil/content/v_127423.htm>.

 Regards,
 Dan


 At 04:32 PM 8/9/2004, you wrote:



Begin forwarded message:

 From: hal () halstucker com
 Date: August 9, 2004 5:15:43 PM EDT
 To: dave () farber net
 Subject: Re: [IP] New Horizons in spam and virii


(P.S. -- I've also gotten several copies of an unidentified
 virus that says "new price" - the payload has the name
 price.zip or price2.zip.)

 I also got the price.zip file -- it contains two files, one
 called price.exe and one called price.html.  Checked with the
 folks at CERT and they said they've only had reports on the
 virus in the last couple of days and they're examining a
 sample that was sent to them.  They're still not sure what it
 does but said the html file seems to be some sort of
 javascript that activates the .exe file.  Couldn't find
 anything about it doing a general Google search or a Google
 search on both the F-Prot and TrendMicro sites.

 If anyone has any more info on this particular bit of
 mischief, I'd be interested to hear it.


 VP  for Information Technology          Phone (512) 232-9610
 The University of Texas at Austin       Fax (512) 232-9607
 FAC 248 (Mail code: G9800)              d.updegrove () its utexas edu
 P.O. Box 7407                           http://wnt.utexas.edu/~danu/
 Austin, TX 78713-7407

-------------------------------------

Archives at: http://www.interesting-people.org/archives/interesting-people/
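
The thread describes a zip attachment (price.zip) holding an EXE next to an HTML file, sent with a spoofed From: address. As an added example that is not part of the original messages, here is one way a mail filter could flag that shape by inspecting archive contents. The extension list, function names and sample message are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy list for this example; not taken from the thread.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".cpl", ".bat", ".cmd"}
HTML_EXTS = {".html", ".htm"}

def ext_of(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""

def inspect_zip_attachments(raw_message):
    """Flag zip attachments that carry an executable.

    The From: header is never consulted, since the worm spoofs it."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:  # not a zip: decided by content, not by name
            continue
        exes = [m for m in members if ext_of(m) in EXECUTABLE_EXTS]
        if exes:
            findings.append({
                "attachment": part.get_filename() or "(unnamed)",
                "executables": exes,
                "html": [m for m in members if ext_of(m) in HTML_EXTS],
            })
    return findings

def build_sample(zip_name, members):
    """Constructed test message: placeholder bytes, example.com addresses."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "recipient@example.com"
    msg["Subject"] = "new price"
    msg.set_content("constructed sample body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()

if __name__ == "__main__":
    sample = build_sample("price.zip", {"price.exe": b"placeholder",
                                        "price.html": b"<html></html>"})
    print(inspect_zip_attachments(sample))
```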

