Security Incidents mailing list archives

New Worm similar to BadTrans.B?


From: Peter Turczak <p_turczak () wiwa de>
Date: 28 Nov 2001 18:15:24 -0000

Mailer: SecurityFocus

Hi,

our company has received some e-mails containing 
some attachments (all of them as mime-type 
audio/wav) like:
IS_LINUX_GOOD_ENOUGHX.TXT.pif
MATRiX_2_is_OUT.SCR

But the filesize differs from the BadTrans.B worm 
which we also received. Interesting output of 
"strings IS_LINUX_GOOD_ENOUGHX.TXT.pif":
--------SNIP------------
NII.nai.avp.AVP.F-Sef-
semaplpandsophndmiafeeyennlywatbavyman[;
wildlist.oil.esafe.cperfectsupcomplex.isHiServ.comh
iserv.commetro.ch>
beyond.commcafee.compandasoftwearthlink.inexar.comc
omkom.co.meditrade.mabex.com>
cellco.comsymantec.csuccessfulinforamp.nnewell.coms
i
ngnet.cobmcd.com.abca.com.nztrendmicrosophos.commap
le.com.netsales.nf-secure.cF-Secure.cX
.
.
.
Software provide by [MATRiX] VX team:
Ultras, Mort, Nbk, LOrd DArk, Del_Armg0, Anaktos
Greetz:
All VX guy on #virus channel and Vecna
Visit us: www.coderz.net/matrix
.
.
.
README.TXT.pif
I_wanna_see_YOU.TXT.pif
MATRiX_Screen_Saver.SCR
LOVE_LETTER_FOR_YOU.TXT.pif
NEW_playboy_Screen_saver.SCR
BILL_GATES_PIECE.JPG.pif
TIAZINHA.JPG.pif
FEITICEIRA_NUA.JPG.pif
Geocities_Free_sites.TXT.pif
NEW_NAPSTER_site.TXT.pif
METALLICA_SONG.MP3.pif
ANTI_CIH.EXE
INTERNET_SECURITY_FORUM.DOC.pif
ALANIS_Screen_Saver.SCR
READER_DIGEST_LETTER.TXT.pif
WIN_$100_NOW.DOC.pif
IS_LINUX_GOOD_ENOUGH!.TXT.pif
QI_TEST.EXE
AVP_Updates.EXE
SEICHO-NO-IE.EXE
YOU_are_FAT!.TXT.pif
FREE_xxx_sites.TXT.pif
I_am_sorry.DOC.pif
Me_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
Protect_your_credit.HTML.pif
JIMI_HMNDRIX.MP3.pif
HANSON.SCR
FUCKING_WITH_DOGS.SCR
MATRiX_2_is_OUT.SCR
zipped_files.EXE
BLINK_182.MP3.pif
.
.
.
----------SNAP-----------

It seems that the filenames are hardcoded. The most 
interesting lines are those "AVP.avp." things, 
which look like hostnames of some anti-virus 
vendors.

Maybe there have already been messages about this 
worm; if not, I could provide the complete message 
(still transport encoded and the .pif only) for 
research purposes.


Greetings 

  Peter Turczak

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
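The post's triage step is running `strings` over the attachment and noticing two things: a hard-coded list of attachment names with a "document" extension in front of an executable one (`.TXT.pif`, `.JPG.pif`, `.SCR`), and a dense cluster of anti-virus vendor hostnames. The script below, an added example that is not part of the original post or thread, automates exactly that check so a mail gateway or incident handler can flag a suspicious attachment without executing it. It reimplements the printable-run extraction that `strings` does, classifies extracted strings that look like filenames, and counts vendor-name fragments; the sample bytes, the vendor fragment list and the scoring threshold are constructed assumptions for illustration, not data from the worm.

```python
import re
from collections import Counter
from typing import Optional

# Extensions Windows executes regardless of the "inner" extension shown before them.
# The attachments in the post were all .pif / .SCR / .EXE behind a .TXT/.JPG/.DOC name.
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs"}

# Vendor-name fragments (assumed list, modelled on the names visible in the quoted
# strings output). A tight cluster of these inside an unrelated binary is a common
# sign of AV-evasion or AV-kill logic and is worth a second look.
AV_MARKERS = ("avp", "nai", "f-secure", "sophos", "symantec", "mcafee",
              "trendmicro", "panda", "esafe", "wildlist")

# base.INNER.OUTER (e.g. README.TXT.pif); the base may contain '!' or '$'.
NAME_RE = re.compile(
    r"^(?P<base>[^\s.]+)(?:\.(?P<inner>[A-Za-z0-9]{2,4}))?\.(?P<outer>[A-Za-z0-9]{2,4})$"
)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """ASCII equivalent of `strings -n <min_len>`: runs of printable bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def classify_name(s: str) -> Optional[str]:
    """'double-extension' for X.TXT.pif-style names, 'executable' for plain X.SCR /
    X.EXE names, None if the string does not look like such a filename."""
    m = NAME_RE.match(s)
    if not m or m.group("outer").lower() not in EXECUTABLE_EXTS:
        return None
    inner = m.group("inner")
    if inner and inner.lower() not in EXECUTABLE_EXTS:
        return "double-extension"
    return "executable"


def av_marker_hits(strings: list) -> Counter:
    """Count vendor fragments, case-insensitively, across all extracted strings."""
    hits = Counter()
    for s in strings:
        low = s.lower()
        for marker in AV_MARKERS:
            if marker in low:
                hits[marker] += 1
    return hits


def triage(data: bytes) -> dict:
    """Summarise a binary the way the post does by hand: hard-coded dropper names
    plus a cluster of AV vendor strings. The threshold (>=2 disguised names and
    >=3 distinct vendor fragments) is an assumed heuristic, not a published rule."""
    strings = extract_strings(data)
    names = {s: kind for s in strings if (kind := classify_name(s))}
    markers = av_marker_hits(strings)
    disguised = sum(1 for kind in names.values() if kind == "double-extension")
    return {
        "strings": len(strings),
        "names": names,
        "av_markers": markers,
        "suspicious": disguised >= 2 and len(markers) >= 3,
    }


# Constructed sample bytes: binary padding around a vendor-name cluster and a
# hard-coded list of attachment names, in the style of the quoted strings output.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"
    b"symantec.cmcafee.comsophos.comtrendmicro.cf-secure.c\x00\x01\x02\x00\x00"
    b"Q1_REPORT.TXT.pif\x00HOLIDAY_PHOTO.JPG.pif\x00screensaver.SCR\x00"
    b"\x7f\x80notes.txt\x00setup.exe\x00"
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    for name, kind in report["names"].items():
        print(f"{kind:17s} {name}")
    print("vendor fragments:", dict(report["av_markers"]))
    print("suspicious:", report["suspicious"])
```

Run it against a real attachment by replacing `SAMPLE` with the file's bytes; the `names` table reproduces the hand-picked list in the post, and the vendor-fragment count is the machine version of "those AVP.avp things look like anti-virus hostnames". Because only printable runs are inspected, the check is safe to run on any host and needs no Windows environment.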