nanog mailing list archives
Re: Worm probes
From: "Bill Larson" <blarson () compu net>
Date: Tue, 18 Sep 2001 12:06:18 -0500
It is worse than that. The virus is passing itself off as audio/x-wav;

----- Original Message -----
From: "Jim Seymour"
Newsgroups: spamcop.geeks
Sent: Tuesday, September 18, 2001 11:10 AM
Subject: New Virus/Worm Email

I just received an interesting email. It made it past my virus filters, but a report on the NTBugTraq mailing list is reporting it as some kind of unknown worm that attacks IIS machines.

The message itself uses an attachment with a content type of audio/x-wav, but with a name of "readme.exe". I've got the security settings tightened down, but even so, Outlook Express asked me whether I wanted to open the embedded attachment.

Here is the email that I received (without the encoded attachment, of course). Note the long Subject line and the HTML iframe that refers to local content.

Keep your eye on this one...

--
Jim Seymour

-----------------------------------------------------------------------
Received: from TGLNT (mail.tricongroup.com [206.206.91.131]) by
mail.cipher.com
with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
id SVNKL1PC; Tue, 18 Sep 2001 08:15:28 -0700
From: <3dzvi51gehej () 4ax com>
Subject:
Xtoprecvranalyzerdiskstrreadmec2supprttablecoltoprecvraps32analyzerdefaultus ergr
pcinforccidbutilappevent
MIME-Version: 1.0
Content-Type: multipart/related;
 type="multipart/alternative";
 boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
 boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
 charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
 name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>
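
A mail-filter check for the two traits described in the message above (a media content type carrying an executable file name, and a zero-size iframe whose cid: source points at that part), as an added example that is not part of the original post. The extension lists, the function name inspect_message and the stub payload are assumptions made for the example; the sample message is constructed from the headers quoted above.

```python
import email
import re
from email import policy

# Assumed lists for this example: executable extensions, "passive" media types.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")
PASSIVE = ("audio/", "image/", "video/")
CID_SRC = re.compile(r"<i?frame[^>]*\bsrc\s*=\s*[\"']?cid:([^\"'\s>]+)", re.I)
# Constructed sample modeled on the quoted message; the payload is a harmless stub.
SAMPLE = b"""\
Content-Type: multipart/related; boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

c3R1Yg==
--====_ABC1234567890DEF_====--
"""

def inspect_message(raw):
    """Flag passive-typed parts with executable names, and frames that load them."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, risky, framed = [], {}, set()
    for part in msg.walk():
        ctype, name = part.get_content_type(), part.get_filename() or ""
        if ctype.startswith(PASSIVE) and name.lower().endswith(EXEC_EXT):
            findings.append(f"type-mismatch: {ctype} named {name!r}")
            risky[str(part.get("Content-ID", "")).strip(" <>")] = name
        elif ctype == "text/html":
            html = part.get_payload(decode=True).decode("latin-1")
            framed.update(CID_SRC.findall(html))
    for cid in sorted(framed & risky.keys()):  # frame points at a flagged part
        findings.append(f"auto-load: frame cid:{cid} -> {risky[cid]!r}")
    return findings

if __name__ == "__main__":
    print("\n".join(inspect_message(SAMPLE)))
```

The check compares the declared type against the file name rather than trusting either one, which is the gap the filters in the message missed.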