Security Incidents mailing list archives
Re: Internet worm from China
From: Talisker <Talisker () NETWORKINTRUSION CO UK>
Date: Fri, 9 Feb 2001 22:08:36 -0000
Derek,

Yeah, I got much the same; trouble is, 20 minutes later I feel like another one (Chinese takeaway humor).

The executable is 8 characters, all uppercase, different spelling etc. The usual Win32.hybris.B:
http://ca.com/virusinfo/encyclopedia/descriptions/hybris.htm

To, from, subject and content all blank - not very imaginative packaging.

Andy
http://www.networkintrusion.co.uk
Talisker's Network Security Tools List
Security Tools Notification http://groups.yahoo.com/group/security-tools/join

----- Original Message -----
From: "Derek Kwan [321844]" <Derek () KWAN CA>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Friday, February 09, 2001 5:51 AM
Subject: Internet worm from China

Hello World,

Tonight (while I am debugging m4-gnu.. see Bugtraq@securityfocus mailing list) I have received a piece of unusual e-mail.... It doesn't include a From line, and there is an EXE attachment. After I had done my work, I did a little research on this unusual e-mail and found out it is an Internet worm (W32/Hybris.gen@M) that seems to come from 211.99.253.95 (looks like it comes from China.... Hummm.. I dunno anyone there... where the hack they get my e-mail address??).

Here is the info about this internet worm: http://vil.nai.com/vil/virusChar.asp?virus_k=98873

So if you have received any mail that you can't tell where it comes from, don't execute the attachments.... (even if it comes from someone you know, be cautious..)

Derek

=-=-=-=-=-=-=-= Mail header

Return-Path: <MAILER-DAEMON () KWAN ca>
Received: from wang ([211.99.253.95]) by KWAN.ca (8.11.1/8.9.3) with SMTP id f191HTp23776 for <dkwan () KWAN ca>; Thu, 8 Feb 2001 20:17:31 -0500
Date: Thu, 8 Feb 2001 20:17:31 -0500
Message-Id: <200102090117.f191HTp23776 () KWAN ca>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VEHQ74DIB81M7OXEJCXIZ"
To: undisclosed-recipients:;
Status: RO
X-Status:
X-Keywords:
X-UID: 77
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: 0dfd6e6ccadf2a7d370f0e660c373597

----VEHQ74DIB81M7OXEJCXIZ
Content-Type: text/plain; charset="us-ascii"

----VEHQ74DIB81M7OXEJCXIZ
Content-Type: application/octet-stream; name="DCBBEMDC.EXE"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="DCBBEMDC.EXE"

=-=-=-=-=-=-=-= Whois Search results for ' 211.99.253.95'...

% Rights restricted by copyright. See http://www.apnic.net/db/dbcopyright.html

inetnum: 211.99.253.0 - 211.99.255.255
netname: ZHONGDIAN
descr: an Office building include many
descr: companies
country: CN
admin-c: JY74-AP
tech-c: JY74-AP
mnt-by: MAINT-CN-263
changed: zhx () 263 net cn 20000918
source: APNIC

person: JIAN FENG YAN
address: 15th Building 1st District of Xiao Huang Zhuang,
address: District Dong Cheng, CHINA
phone: +86-010-84287565
fax-no: +86-010-84286328
country: CN
e-mail: zhx () 263 net cn
nic-hdl: JY74-AP
mnt-by: MAINT-CNNIC-AP
changed: ipas () cnnic net cn 20000927
source: APNIC
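A mail-gateway check for the packaging both posts describe (no From or Subject header, an empty text part, an 8-letter uppercase .EXE attachment, and the originating address pulled from the Received line), written here as an added example that is not part of either post. The sample message is constructed from the headers Derek quoted; the recipient domain (kwan.example) and the base64 attachment body are placeholders, and the function names analyze/is_suspicious are my own.

```python
import re
import email
from email import policy

# Attachment naming the thread describes: 8 uppercase letters plus .EXE
EXE_NAME = re.compile(r"^[A-Z]{8}\.EXE$")

# Constructed sample from the quoted headers; domain and body are placeholders.
SAMPLE = b"""Return-Path: <MAILER-DAEMON@kwan.example>
Received: from wang ([211.99.253.95]) by kwan.example (8.11.1/8.9.3) with SMTP id f191HTp23776 for <dkwan@kwan.example>; Thu, 8 Feb 2001 20:17:31 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VEHQ74DIB81M7OXEJCXIZ"
To: undisclosed-recipients:;

----VEHQ74DIB81M7OXEJCXIZ
Content-Type: text/plain; charset="us-ascii"

----VEHQ74DIB81M7OXEJCXIZ
Content-Type: application/octet-stream; name="DCBBEMDC.EXE"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="DCBBEMDC.EXE"

ZHVtbXk=
----VEHQ74DIB81M7OXEJCXIZ--
"""

def analyze(raw: bytes) -> dict:
    # Parse the raw message and collect the traits that mark this worm's mail.
    msg = email.message_from_bytes(raw, policy=policy.default)
    exe_names, empty_text = [], False
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name and EXE_NAME.match(name):
            exe_names.append(name)
        elif part.get_content_type() == "text/plain" and not part.get_content().strip():
            empty_text = True
    # Origin address: the bracketed IP in the topmost Received header, if any.
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))
    return {"missing_from": msg.get("From") is None,
            "missing_subject": msg.get("Subject") is None,
            "empty_body": empty_text, "exe_attachments": exe_names,
            "origin_ip": m.group(1) if m else None}

def is_suspicious(report: dict) -> bool:
    return bool(report["exe_attachments"]) and (report["missing_from"] or report["missing_subject"] or report["empty_body"])
```

On a real gateway the quarantine decision would also log the origin IP so the Received path can be compared against the whois record, as Derek did by hand.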
Current thread:
- Internet worm from China Derek Kwan [321844] (Feb 10)
- Re: Internet worm from China Talisker (Feb 10)
- Re: Internet worm from China Jay D. Dyson (Feb 10)