Security Basics mailing list archives

RE: Worm.SCO.A


From: "Reggie Jackson" <rjacksonlists () flamingdragon net>
Date: Wed, 28 Jan 2004 11:31:07 -0600

 
I believe that worm is the same as W32.Novarg.A@mm since that worm DDoS's
www.sco.com starting Feb 1.

--Reggie 
-- IRC = Network irc.ugc.net 
            Channel #ug or #linux
            Nick Shivan_
-- Yahoo = jacksonr123
-- AIM = jacksonr123
-- ICQ = 43593443

-----Original Message-----
From: Shawn Jackson [mailto:sjackson () horizonusa com] 
Sent: Monday, January 26, 2004 4:38 PM
To: security-basics () securityfocus com
Subject: Worm.SCO.A


        Anyone else encountering this? I've just got hammered with a few
hundred of these in the last hour and a half and I can't quite discern what
exactly the virus is. There doesn't seem to be a map from ClamAV virus
naming format to any other. Anyone have a clue of what this virus is?

        I looked at the quarantine, and it seemed to be just the virus
payload and no content, file.pif.exe. I've also seen it as a file.zip,
doc.zip, document.zip, document.pif, rhn.scr, data.zip, message.zip,
test.zip. There could be more, but I just don't have the time to check the
payload on all the messages.

-------------------AMAVIS REPORT------------------
A virus (Worm.SCO.A) was found.

Two banned names (file.pif, .exe) were found.

Scanner detecting a virus: Clam Antivirus-clamd

The mail originated from: <ctccyc () aol com>

According to the 'Received:' trace, the message originated at:
   aol.com (unknown [12.9.171.xxx])      

The message WAS NOT delivered to:
<xxx () horizonusa com>:
   550 5.7.1 Message content rejected, id=28441-07 - VIRUS: Worm.SCO.A

Virus scanner output:
   /var/amavisd/tmp/amavis-20040126T141220-28441/parts/part-00002: Worm.SCO.A FOUND

The message has been quarantined as:
   /var/amavisd/quarantine/virus-20040126-141800-28441-07

------------------------- BEGIN HEADERS -----------------------------
Return-Path: <xxxxx () aol com>
Received: from aol.com (unknown [12.9.171.xxx])
        by mta1.horizonusa.com (Postfix) with ESMTP id DFA572D8106
        for <ted () horizonusa com>; Mon, 26 Jan 2004 14:17:59 -0800 (PST)
From: xxxx () aol com
To: xxx () horizonusa com
Subject: 
Date: Mon, 26 Jan 2004 14:17:47 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0010_465EEF13.4CF1817C"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20040126221759.DFA572D8106 () mta1 horizonusa com>
-------------------------- END HEADERS ------------------------------

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521

www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
             (800) 325-1199 x338

---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
course! All of our class sizes are guaranteed to be 10 students or less. 
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
any course!  
----------------------------------------------------------------------------
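
For triaging a few hundred notifications like the one quoted above, this added Python example (not part of either post, and not amavisd code) parses the report text into fields and counts reports per virus name and origin. The field wording is assumed from the single report shown; `parse_amavis_report` and `summarize` are hypothetical names.

```python
import re

# Constructed sample: the notification text as quoted in the message above.
SAMPLE_REPORT = """\
A virus (Worm.SCO.A) was found.

Two banned names (file.pif, .exe) were found.

Scanner detecting a virus: Clam Antivirus-clamd

The mail originated from: <ctccyc () aol com>

According to the 'Received:' trace, the message originated at:
   aol.com (unknown [12.9.171.xxx])

The message WAS NOT delivered to:
<xxx () horizonusa com>:
   550 5.7.1 Message content rejected, id=28441-07 - VIRUS: Worm.SCO.A

The message has been quarantined as:
   /var/amavisd/quarantine/virus-20040126-141800-28441-07
"""

def parse_amavis_report(text):
    """Extract the fields needed to triage one notification (layout assumed)."""
    def first(pattern):
        m = re.search(pattern, text)
        return m.group(1).strip() if m else None  # None when a field is absent

    banned = first(r"banned names? \(([^)]*)\)")
    return {
        "virus": first(r"A virus \(([^)]+)\) was found"),
        "banned_names": [n.strip() for n in banned.split(",")] if banned else [],
        "scanner": first(r"Scanner detecting a virus:\s*(.+)"),
        "origin": first(r"originated at:\s*(.+)"),
        "quarantine": first(r"quarantined as:\s*(\S+)"),
    }

def summarize(reports):
    """Count notifications per (virus, origin) to see where a flood comes from."""
    counts = {}
    for r in map(parse_amavis_report, reports):
        key = (r["virus"], r["origin"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```
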


