Educause Security Discussion mailing list archives

Re: FirstClass installations an exploit target?


From: James H Moore <jhmfa () RIT EDU>
Date: Tue, 4 Apr 2006 14:18:29 -0400

It looks like a Mytob or Botob variant, but "rit.edu" is conspicuously
absent. The report that we have is from a FirstClass user. My guess is
that someone has found a way to fingerprint the FirstClass application,
and has created a worm with that target.

Jim

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)



"We will have a chance when we are as efficient at communicating
information security best practices, as hackers and criminals are at
sharing attack information"  - Peter Presidio

-----Original Message-----
From: Valdis Kletnieks [mailto:Valdis.Kletnieks () VT EDU] 
Sent: Tuesday, April 04, 2006 2:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PS: [SECURITY] FirstClass installations an exploit target?

On Tue, 04 Apr 2006 13:37:04 EDT, James H Moore said:

> I should have mentioned that it carries an attachment
> important-details.zip which our spam/virus gateway stripped before it
> got to FirstClass.

Not a FirstClass issue at all, I suspect.  It's one of the many worm
variants that say "Your <victim.domain> account was used to send spam", to
entice you to open the .zip (which is the malware/worm payload).

We can tell when a new variant has popped up that we don't have filters
for, because we get stuff signed 'The vt.edu admin team' that we didn't
send. ;)
