Security Incidents mailing list archives

Re: new virus - myromeo


From: Justin Mason <jm () MAIL NETNOTEINC COM>
Date: Thu, 16 Nov 2000 18:03:01 +0000

Here's what Sophos have to say about it. BTW also check out Hybris,
another nasty worm seen in the wild; it has an upgrade-via-usenet
mechanism included, ouch ;)

  http://www.sophos.com/virusinfo/analyses/w32hybrisc.html

--j.

------- Forwarded Message

Date:    Thu, 16 Nov 2000 17:21:34 +0000
From:    Sophos Alert System <listmaster () sophos com>
To:      Undisclosed recipients: ;
Subject: Sophos Anti-Virus IDE alert: W32/Verona

Name: W32/Verona
Type: Win32 worm
Date: 16 November 2000

An IDE file that enables Sophos Anti-Virus versions 3.37 to 3.40
to detect this virus is available from the Sophos website.

It will be included in Sophos Anti-Virus version 3.41 and later.

Sophos has received several reports of this worm from the wild.

Description:

W32/Verona is an email-aware worm.

The worm arrives in an infected email, with two attached files:
MYJULIET.CHM and MYROMEO.EXE.

When the email is viewed using Microsoft Outlook the attachments
are automatically saved to c:\windows\temp and a script embedded
in the email body is run to view MYJULIET.CHM using the Windows
Help browser. This in turn causes MYROMEO.EXE to be executed.

The MYROMEO.EXE program attempts to use a list of six SMTP
servers to forward itself to addresses in your Microsoft Outlook
address book. The subject line of the email it sends is randomly
chosen from the following:

  "Romeo&Juliet"
  ":))))))"
  "hello world"
  "!!??!?!?"
  "subject"
  "ble bla, ble"
  "I Love You :)"
  "sorry..."
  "Hey you !"
  "Matrix has you..."
  "my picture"
  "from shake-beer"


Download the IDE file from
http://www.sophos.com/downloads/ide/verona.ide

Read the analysis at
http://www.sophos.com/virusinfo/analyses/w32verona.html

Download a ZIP file containing all the IDE files available for
the current version of Sophos Anti-Virus from
http://www.sophos.com/downloads/ide/ides.zip

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

To unsubscribe from this service please visit
http://www.sophos.com/virusinfo/notifications




------- End of Forwarded Message
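
The indicators in the forwarded alert (the two attachment names and the subject list) can be turned into a mail-gateway triage check. The following is an added example, not part of the original post or of any Sophos tooling; the function names, the verdict labels and the rule that a subject match only counts alongside a .chm/.exe attachment are assumptions of the example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the Sophos W32/Verona alert above.
ATTACHMENTS = {"myjuliet.chm", "myromeo.exe"}
SUBJECTS = {s.casefold() for s in (
    "Romeo&Juliet", ":))))))", "hello world", "!!??!?!?", "subject",
    "ble bla, ble", "I Love You :)", "sorry...", "Hey you !",
    "Matrix has you...", "my picture", "from shake-beer")}

def classify(raw: bytes):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    # Collect every attachment filename, case-folded, from all MIME parts.
    names = {(p.get_filename() or "").strip().casefold() for p in msg.walk()}
    names.discard("")
    subject_hit = (msg["Subject"] or "").strip().casefold() in SUBJECTS
    named = names & ATTACHMENTS
    risky_ext = any(n.endswith((".chm", ".exe")) for n in names)
    reasons = []
    if named:
        reasons.append("attachment name(s): " + ", ".join(sorted(named)))
    if subject_hit:
        reasons.append("subject on alert list")
    if named == ATTACHMENTS:
        return "match", reasons
    # Subjects such as "subject" or "hello world" are too common to act on
    # alone, so a subject hit only counts alongside a .chm/.exe attachment.
    if named or (subject_hit and risky_ext):
        return "suspect", reasons
    return "clean", reasons

def sample(subject, filenames):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", subject
    m.set_content("constructed body")
    for fn in filenames:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=fn)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, files in [("Matrix has you...", ["MYJULIET.CHM", "MYROMEO.EXE"]),
                        ("hello world", []),
                        ("my picture", ["holiday.exe"])]:
        print(subj, files, classify(sample(subj, files)))
```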

