Security Incidents mailing list archives

Re: New variant of Virus ?


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 30 Jan 2004 01:20:09 +1300

Gary Flynn <flynngn () jmu edu> to Hubbard, Dan:

It looks like there may be a new variant of the virus MyDoom worm. We
have seen the following:

RE: I still love you  fLctv 

Error 551: We are sorry your UTF-8 encoding is not supported by the
server, so the text was automatically zipped and attached to this
message.
<<snip>>
We've seen several of these here since yesterday. I submitted
it last night and was told third-hand that the following Sophos
definition was created for it:

http://www.sophos.com/virusinfo/analyses/trojstawina.html

Yes.

It seems this was distributed widely via spam about 24-36 hours ago 
(maybe more??).  It is _not_ a self-mailer although it does contain 
SMTP code.  It is a keylogger that looks for windows by name 
(specifically the names of various bank and financial sites) and 
captures keystrokes directed to those windows.  It then mails off the 
keystroke logs...

Various AVs have named it various things:

   Stawin.A
   PSW.Keylog.E
   TrojanSpy.Win32.Keylogger.aa
   Trojan.Spy.Keylogger.AA
   Trojan.Keylogger
   W32/Ovnod.A@pws
   Trojan.Nodav
   Trj/Govnodav.A
   Win32.Elkong.D


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

