Security Incidents mailing list archives

Re: Internet worm from China


From: Talisker <Talisker () NETWORKINTRUSION CO UK>
Date: Fri, 9 Feb 2001 22:08:36 -0000

Derek

Yeah, I got much the same; trouble is, 20 minutes later I feel like another
one (Chinese takeaway humor)

The executable is 8 characters, all uppercase, different spelling etc., the usual
Win32.hybris.B
http://ca.com/virusinfo/encyclopedia/descriptions/hybris.htm
To, from, subject and content all blank - not very imaginative packaging

Andy
http://www.networkintrusion.co.uk
Talisker's Network Security Tools List

Security Tools Notification
http://groups.yahoo.com/group/security-tools/join
----- Original Message -----
From: "Derek Kwan [321844]" <Derek () KWAN CA>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Friday, February 09, 2001 5:51 AM
Subject: Internet worm from China


Hello World,

 Tonight (while I am debugging m4-gnu.. see the Bugtraq@securityfocus
mailing list) I received a piece of unusual e-mail.... It doesn't
include a From line, and there is an EXE attachment.

  After I had done my work, I did a little research on this unusual
e-mail and found out it is an Internet worm (W32/Hybris.gen@M) that seems to come
from 211.99.253.95 (looks like it comes from China.... Hmmm.. I don't know
anyone there... where the heck did they get my e-mail address??). Here is
the info about this Internet worm
(http://vil.nai.com/vil/virusChar.asp?virus_k=98873)

  So if you have received any mail that you can't tell where it comes
from, don't execute the attachments.... (even if it comes from someone
you know, be cautious..)

Derek
=-=-=-=-=-=-=-=
Mail header
Return-Path: <MAILER-DAEMON () KWAN ca>
Received: from wang ([211.99.253.95])
        by KWAN.ca (8.11.1/8.9.3) with SMTP id f191HTp23776
        for <dkwan () KWAN ca>; Thu, 8 Feb 2001 20:17:31 -0500
Date: Thu, 8 Feb 2001 20:17:31 -0500
Message-Id: <200102090117.f191HTp23776 () KWAN ca>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VEHQ74DIB81M7OXEJCXIZ"
To: undisclosed-recipients:;
Status: RO
X-Status:
X-Keywords:
X-UID: 77
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: 0dfd6e6ccadf2a7d370f0e660c373597

----VEHQ74DIB81M7OXEJCXIZ
Content-Type: text/plain; charset="us-ascii"



----VEHQ74DIB81M7OXEJCXIZ
Content-Type: application/octet-stream; name="DCBBEMDC.EXE"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="DCBBEMDC.EXE"


=-=-=-=-=-=-=-=
Whois Search results for ' 211.99.253.95'...

          % Rights restricted by copyright. See
http://www.apnic.net/db/dbcopyright.html

          inetnum:     211.99.253.0 - 211.99.255.255
          netname:     ZHONGDIAN
          descr:       an Office building include many
          descr:       companies
          country:     CN
          admin-c:     JY74-AP
          tech-c:      JY74-AP
          mnt-by:      MAINT-CN-263
          changed:     zhx () 263 net cn 20000918
          source:      APNIC

          person:      JIAN FENG YAN
          address:     15th Building 1st District of Xiao Huang Zhuang,
          address:     District Dong Cheng, CHINA
          phone:       +86-010-84287565
          fax-no:      +86-010-84286328
          country:     CN
          e-mail:      zhx () 263 net cn
          nic-hdl:     JY74-AP
          mnt-by:      MAINT-CNNIC-AP
          changed:     ipas () cnnic net cn 20000927
          source:      APNIC
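The traits the thread uses to recognise this worm mail (no From or Subject, a blank text part, an application/octet-stream attachment named with eight upper-case letters and .EXE, a To of undisclosed-recipients) can be turned into a simple triage check. This is an added example, not code from either poster; the sample message is constructed from the quoted header and its base64 payload is a harmless placeholder, not the worm.

```python
import re
from email import message_from_string

# Constructed sample: mirrors the quoted header (no From/Subject, blank body,
# octet-stream .EXE attachment). The base64 payload is a harmless placeholder.
SAMPLE_MSG = """Received: from wang ([211.99.253.95])
        by KWAN.ca (8.11.1/8.9.3) with SMTP id f191HTp23776
        for <dkwan@KWAN.ca>; Thu, 8 Feb 2001 20:17:31 -0500
Date: Thu, 8 Feb 2001 20:17:31 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VEHQ74DIB81M7OXEJCXIZ"
To: undisclosed-recipients:;

----VEHQ74DIB81M7OXEJCXIZ
Content-Type: text/plain; charset="us-ascii"


----VEHQ74DIB81M7OXEJCXIZ
Content-Type: application/octet-stream; name="DCBBEMDC.EXE"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="DCBBEMDC.EXE"

UExBQ0VIT0xERVI=
----VEHQ74DIB81M7OXEJCXIZ--
"""

# Hybris-style attachment name: eight upper-case letters plus .EXE (per the thread)
EXE_NAME = re.compile(r"^[A-Z]{8}\.EXE$")

def hybris_indicators(msg):
    hits = []  # indicator tags, in the order they are found
    if not (msg.get("From") or "").strip():
        hits.append("missing-from")
    if not (msg.get("Subject") or "").strip():
        hits.append("empty-subject")
    if (msg.get("To") or "").lower().startswith("undisclosed-recipients"):
        hits.append("undisclosed-recipients")
    for part in msg.walk():  # leaf MIME parts only
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/plain":
            if not (part.get_payload(decode=True) or b"").strip():
                hits.append("empty-body")
        elif EXE_NAME.match(part.get_filename() or ""):
            hits.append("hybris-style-attachment:" + part.get_filename())
    return hits

def scan(raw):
    return hybris_indicators(message_from_string(raw))
```

A single hit is weak evidence on its own; the combination seen here is what makes the message stand out, so a mail filter would score on the count rather than act on any one tag.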


