Security Basics mailing list archives

RE: New Virus?


From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 28 Jun 2005 14:53:03 -0700

  Our Barracuda spam/virus firewall has been blocking these.
I think it's the latest Mytob installment, and Norton *should*
have a signature for it.

David Gillett


-----Original Message-----
From: Hamish Stanaway [mailto:koremeltdown () hotmail com]
Sent: Monday, June 27, 2005 3:42 PM
To: security-basics () securityfocus com
Subject: New Virus?


Hey there everyone,

I received a mysterious email this morning at 1728 GMT which had headers as follows:

Return-path: <hamish1 () voyager co nz>
Envelope-to: hamish1 () webhosting net nz
Delivery-date: Tue, 28 Jun 2005 05:22:44 +1200
Received: from [217.125.252.60] (helo=david.org)
      by fearless.absolutewebhosting.biz with smtp (Exim 4.24)
      id 1DmxJg-0003ou-Rg
      for hamish1 () webhosting net nz; Tue, 28 Jun 2005 05:22:41 +1200
Date: Mon, 27 Jun 2005 19:20:42 +0100
To: "Hamish" <hamish1 () webhosting net nz>
From: "Hamish" <hamish1 () voyager co nz>
Subject: The picture is sent on SMS
Message-ID: <pvkpnopcnwraqblcgfg () webhosting net nz>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--------hukvuvgobciyuhmojdug"

-------------------- END SNIP-----------------------

As you can guess, I'm hamish1 () webhosting net nz.
This email contained no text, only an attachment called legs.zip, which Norton (fully updated to its latest version and data files) did not detect any viruses in.
Within the legs.zip file there is a file called ds-rwe.exe - this again was not detected as a virus.
My girlfriend thought she would be smart and ran ds-rwe.exe, which gave me a memory overflow message for explorer.exe immediately.
Does anyone have any idea of what this might be, and also if it is a virus that has already been identified? If not, I am willing to pass it through to someone to take a look at in its zip format.
Otherwise if the effects cannot be reversed, I am afraid I will have to reformat this machine *sigh* NOT AGAIN :(
Have a great day everyone and thanks in advance for your help.


Kindest of regards,

Hamish Stanaway, CEO

Absolute Web Hosting / -= KoRe WoRkS =- Internet Security
Auckland, New Zealand

http://www.webhosting.net.nz
http://www.buywebhosting.co.nz
http://www.koreworks.com
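The forgery signs a mail admin would read off the quoted headers (no reverse DNS on the connecting host, HELO name unrelated to the envelope sender, a Date header later than the receiving server's own timestamp, and the recipient's display name copied into From), as an added example that is not part of this thread; it embeds Hamish's headers with the archive's " () " address obfuscation restored, and the thresholds and wording are my own.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Headers as quoted in Hamish's post; the archive's " () " obfuscation is
# restored to "@" so the standard library parser sees real addresses.
RAW_HEADERS = """\
Return-path: <hamish1@voyager.co.nz>
Envelope-to: hamish1@webhosting.net.nz
Received: from [217.125.252.60] (helo=david.org)
      by fearless.absolutewebhosting.biz with smtp (Exim 4.24)
      id 1DmxJg-0003ou-Rg
      for hamish1@webhosting.net.nz; Tue, 28 Jun 2005 05:22:41 +1200
Date: Mon, 27 Jun 2005 19:20:42 +0100
To: "Hamish" <hamish1@webhosting.net.nz>
From: "Hamish" <hamish1@voyager.co.nz>
Content-Type: multipart/mixed;
        boundary="--------hukvuvgobciyuhmojdug"
"""

# Exim writes "from [ip] (helo=name)" when the client has no reverse DNS and
# "from host ([ip]) (helo=name)" when it does; group 1 is the optional rDNS name.
HOP_RE = re.compile(r"from\s+(?:(\S+)\s+)?\[([\d.]+)\]\s*\(helo=([^)\s]+)\)", re.I)

def triage_headers(raw):
    """Return forgery indicators visible in the envelope and the topmost hop."""
    msg = message_from_string(raw)
    findings = []
    received = msg.get_all("Received") or []
    hop = HOP_RE.search(" ".join(received[0].split())) if received else None
    if hop:
        rdns, ip, helo = hop.groups()
        if rdns is None:
            findings.append(f"no reverse DNS for connecting host {ip}")
        ret_dom = parseaddr(msg.get("Return-path", ""))[1].rsplit("@", 1)[-1].lower()
        if ret_dom and helo.lower() != ret_dom and not helo.lower().endswith("." + ret_dom):
            findings.append(f"HELO {helo} does not match envelope sender domain {ret_dom}")
        # The receiving MTA's own timestamp follows the final ';' of the Received line.
        delivered = parsedate_to_datetime(received[0].rsplit(";", 1)[-1].strip())
        sent = parsedate_to_datetime(msg["Date"])
        skew = (sent - delivered).total_seconds()
        if skew > 300:  # tolerance for ordinary clock drift (assumed 5 minutes)
            findings.append(f"Date header is {int(skew // 60)} min after delivery")
    from_name, from_addr = parseaddr(msg.get("From", ""))
    to_name, to_addr = parseaddr(msg.get("To", ""))
    if from_name and from_name == to_name and from_addr != to_addr:
        findings.append("From display name copied from the recipient (self-addressed forgery)")
    return findings
```

Run against the embedded headers it reports all four indicators; a policy that quarantines archived executables, as the Barracuda did, covers the attachment regardless of whether the AV signature exists yet.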



