[REN-ISAC] ALERT: .EDU-targeted virus

[Doug Pearson <dodpears () INDIANA EDU>]

The following was shared by SANS ISC[1] Handlers. We'll follow-up with
more information as it becomes available.

Doug Pearson
PGP: http://mypage.iu.edu/~dodpears/dodpears_pubkey.asc
Research and Education Networking ISAC
24x7 Watch Desk: +1(317)278-6630, ren-isac () iu edu
http://www.ren-isac.net
to join REN-ISAC, visit http://ren-isac.net/registry.html

--------------------------------------------------------------------------

This was submitted by a user who wished to remain anonymous.

> > Today we've seen several incidents of what appears to be a .edu targeted
> > piece of malware.
> >
> > The payload is contained in the attachment Photo_+_Article.zip .
> > virusscan.jotti.org has a poor hitrate on detection.
> >
> > The message body might be particularly convincing to the more prominent
> > members of a .edu (luckily I'm not) and follows:
> >
> >  Hello,
> >
> > We have been thinking of including you in the new campus magazine in an
> > article headed "Campus Life".  Can you approve the photo and article for
> > us before we go to printing please.
> >
> > If any details are wrong then we can amend before printing on Friday the
> > 28th of October so please get back to us as soon as possible.
> >
> > Many Thanks & Best Regards,
> >
> > J Chuang
> > Editor
> >
> > *******************************************************************************
> > Please respond before Wednesday 26th to ensure we have time to edit!
> > *******************************************************************************

> > FILE UPLOAD. Original File Name: Photo_+_Article.zip

>        We've bounced this one off to virustotal.  Hopefully the AV
> vendors will pick up on it quickly.
>        Thanks for the notice.

--------------------------------------------------------------------------

[1] http://isc.sans.org/