Security Incidents mailing list archives
RE: Virus? Trojan?
From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Fri, 10 Jan 2003 10:39:45 -0500
David Gillett wrote Monday, December 30, 2002 5:03 PM:
So far today, I've received two email messages from kbl-zrz2519.zeelandnet.nl [62.238.233.233] which, apparently, claimed in its HELO message to *be* our local MX (which of course was who it was talking TO). Sounds to me like a bug in the sending software.
The other thing these messages had in common was a 33KB .scr ("screen saver") executable attachment. Norton doesn't recognize this as a known threat, but I don't want to be the first to learn the hard way what it does.
I've gotten 4 more Yaha-M-infected messages from this same source today. I received a few at around the same time you did, starting December 31 when Yaha-M had not yet been listed. The sender must have one of the first infected computers. They may be a member of this list or someone who visits the list archives. Since the infections are still coming I've notified the administrator of zeelandnet.nl - hopefully they will hunt the user down and help them clear the infection.
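Added example, not part of the original posts: a mail-side check for the two traits described in this thread, a HELO name that claims to be the receiving MX while the peer address is not one of ours, and an executable attachment such as .scr. The MX name `mx.example.org`, the local addresses, the attachment name and the Received header layout (Sendmail/Postfix style) are assumptions; only the peer name and address come from the post.

```python
import re
from email import message_from_string, policy

# Assumed values for the receiving site; replace with your own MX names/addresses.
LOCAL_MX_NAMES = {"mx.example.org"}
LOCAL_MX_IPS = {"192.0.2.25", "127.0.0.1"}
RISKY_EXT = (".scr", ".pif", ".exe", ".bat", ".com")

# Sendmail/Postfix style: "from <HELO name> (<reverse DNS> [<peer IP>]) by ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)")

# Constructed sample message; only the peer name and address are from the post.
SAMPLE = """\
Received: from mx.example.org (kbl-zrz2519.zeelandnet.nl [62.238.233.233])
\tby mx.example.org with SMTP id CONSTRUCTED; Mon, 30 Dec 2002 17:00:00 -0500
From: sender@example.net
To: user@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/octet-stream; name="sample.scr"
Content-Disposition: attachment; filename="sample.scr"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

def analyze(raw):
    """Flag a HELO that claims to be our own MX, and executable attachments."""
    msg = message_from_string(raw, policy=policy.default)
    result = {"peer": None, "helo_claims_local_mx": False, "risky_attachments": []}
    received = msg.get_all("Received", [])
    # The topmost Received header is the one written by our own MX.
    m = RECEIVED_RE.search(str(received[0])) if received else None
    if m:
        helo = m.group("helo").lower().rstrip(".")
        result["peer"] = (m.group("rdns"), m.group("ip"))
        result["helo_claims_local_mx"] = (
            helo in LOCAL_MX_NAMES and m.group("ip") not in LOCAL_MX_IPS)
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            result["risky_attachments"].append(name)
    return result
```

Calling `analyze(SAMPLE)` returns the peer, the HELO flag and the list of risky attachment names; a message that trips both checks is a candidate for quarantine even when the scanner has no signature for it yet.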