Security Incidents mailing list archives

RE: Virus? Trojan?


From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Fri, 10 Jan 2003 10:39:45 -0500

David Gillett wrote Monday, December 30, 2002 5:03 PM

  So far today, I've received two email messages from
kbl-zrz2519.zeelandnet.nl [62.238.233.233]

which, apparently, claimed in its HELO message to *be*
our local MX (which of course was who it was talking TO).
Sounds to me like a bug in the sending software.

  The other thing these messages had in common was a
33KB .scr ("screen saver") executable attachment.
Norton doesn't recognize this as a known threat, but
I don't want to be the first to learn the hard way what
it does.

I've gotten 4 more Yaha-M-infected messages from this same source today. I
received a few at around the same time you did, starting December 31 when
Yaha-M had not yet been listed. The sender must have one of the first
infected computers. They may be a member of this list or someone who visits
the list archives.

Since the infections are still coming I've notified the administrator of
zeelandnet.nl - hopefully they will hunt the user down and help them clear
the infection.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
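
A check for the two traits reported in this thread (a HELO name that matches the recipient's own MX, and a .scr attachment), as an added example that is not part of the original posts. The MX name, address range, extension list and sample message are constructed assumptions, and the Received header is assumed to use the "from HELO (rdns [ip])" layout.

```python
import ipaddress
import re
from email import message_from_string

# Assumed site values (placeholders): our MX names and address ranges.
OWN_MX_NAMES = {"mx.example.org"}
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
RISKY_EXTENSIONS = (".scr", ".pif", ".exe", ".bat", ".com")
# Assumed Received layout: "from HELO-NAME (reverse-dns [client-ip])".
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\(\S+\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)")

# Constructed sample message, not taken from the thread.
SAMPLE = """\
Received: from mx.example.org (host7.example.net [203.0.113.7])
\tby mx.example.org; Mon, 30 Dec 2002 12:00:00 -0800
Subject: constructed sample
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="saver.scr"

AAAA
--b1--
"""

def inspect_message(raw):
    """Return findings for one raw message as received by our MX."""
    msg = message_from_string(raw)
    findings = []
    received = msg.get_all("Received") or []
    # The topmost Received header is the one our own MX added.
    m = RECEIVED_RE.search(received[0]) if received else None
    if m:
        helo = m.group("helo").rstrip(".").lower()
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            ip = None  # unparseable address: skip the HELO check
        outside = ip is not None and not any(ip in net for net in OWN_NETWORKS)
        if helo in OWN_MX_NAMES and outside:
            findings.append(f"HELO claims to be our MX ({helo}) from outside address {ip}")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"executable attachment: {name}")
    return findings
```
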

