Security Incidents mailing list archives
Re: New Virus?
From: dave_mikesch () baxter com
Date: Mon, 15 Aug 2005 16:12:30 -0500
Hi Alex,

I've seen a bunch of files like that recently. They've all been "W32.Mytob.EE@mm" thus far.

Here's a link where you can submit a sample file to a dozen or so vendors at once:
http://www.virustotal.com/flash/index_en.html

Try the free online scans by Trendmicro or McAfee.

Hope one of those helped!

Best Regards,
Dave Mikesch
Security Operations

From: "Alex Arndt" <aarndt () rogers com>
Date: 08/15/2005 02:49 PM
To: incidents () security-focus com, focus-virus () security-focus com
cc:
Subject: New Virus?

Good day,

I just received an e-mail (subject: test) with a ZIP archive attachment that claims to be from "MAILER-DAEMON () rogers com", but it is in reality from IP 66.31.78.168 (c-66-31-78-168.hsd1.nh.comcast.net).

The ZIP attachment, when opened, contains an .EXE file that is attempting to look like a .DOC file by using a number of spaces in it. The filename in the e-mail I received is "aarndt () rogers com doc .exe". This is likely a Trojan or other backdoor program.

The interesting thing is that my AV software (which is the free CA anti-virus provided by Rogers Yahoo) is not picking it up, nor is the Symantec-based AV scanning that Rogers uses on inbound e-mail. I will be forwarding the e-mail to AV vendors as a sample.

Just figured I'd give everyone a heads-up just in case...

FYI, a quick Google search of the .EXE filename came up with nothing. In fact, I got this error message when I tried to search for "rogers.com.doc .exe":

<SAMPLE WEB PAGE>
403 Forbidden
We're sorry...
... but we can't process your request right now. A computer virus or spyware application is sending us automated requests, and it appears that your computer or network has been infected. We'll restore your access as quickly as possible, so try again soon. In the meantime, you might want to run a virus checker or spyware remover to make sure that your computer is free of viruses and other spurious software. We apologize for the inconvenience, and hope we'll see you again on Google.
</SAMPLE WEB PAGE>

I hope this information proves useful,

Alex Arndt
CISSP, GCIA, GCIH
"Within all order is the potential for chaos..."

The information transmitted is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or legally privileged material. Delivery of this message to any person other than the intended recipient(s) is not intended in any way to waive privilege or confidentiality. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by entities other than the intended recipient is prohibited. If you receive this in error, please contact the sender and delete the material from any computer. For Translation: http://www.baxter.com/email_disclaimer
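The two indicators Alex describes (an executable inside a ZIP whose name pads a ".doc" with spaces ahead of the real ".exe", and a "rogers.com" sender delivered from a Comcast cable host) are both cheap to check at the mail gateway before anything is opened. The following is an added example, not code posted in this thread or by either author: it reads only member names from an in-memory ZIP, flags whitespace padding and double extensions, and compares the claimed From: domain with the relaying host's reverse DNS name. The extension lists, the sample archive and the member name "report.doc                .exe" are constructed for the demonstration; the reverse DNS name is the one quoted in the thread, and "MAILER-DAEMON@rogers.com" is the quoted address with its "@" restored.

```python
import io
import re
import zipfile

# Extensions Windows treats as executable when double-clicked (constructed, non-exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Document-style extensions an executable may borrow to look harmless (constructed list).
DOCUMENT_EXTS = {".doc", ".xls", ".pdf", ".txt", ".rtf", ".jpg"}


def analyze_name(name: str) -> dict:
    """Inspect one attachment or archive member name for extension-disguise tricks.

    Returns the real (last) extension and a list of indicator flags:
      executable        - the real extension is one Windows will run
      whitespace_padded - spaces sit between an earlier extension and the real one,
                          so a narrow filename column shows only "something.doc"
      double_extension  - a document-looking extension precedes the real one
    """
    base = name.rsplit("/", 1)[-1].lower()      # drop any directory prefix inside an archive
    parts = base.split(".")
    real_ext = "." + parts[-1].strip() if len(parts) > 1 else ""
    flags = []
    if real_ext in EXECUTABLE_EXTS:
        flags.append("executable")
        if re.search(r"\.[a-z0-9]{2,5}\s+\.", base):
            flags.append("whitespace_padded")
        if any("." + p.strip() in DOCUMENT_EXTS for p in parts[1:-1]):
            flags.append("double_extension")
    return {"name": name, "real_ext": real_ext, "flags": flags}


def scan_zip_bytes(data: bytes) -> list:
    """List the members of an in-memory ZIP whose names carry any disguise indicator.

    Only the central directory is read; nothing is extracted or executed.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            result = analyze_name(info.filename)
            if result["flags"]:
                flagged.append(result)
    return flagged


def claimed_sender_mismatch(from_addr: str, connecting_rdns: str) -> bool:
    """True when the From: domain is not a suffix of the relaying host's reverse DNS name.

    Crude, but it catches the case in the thread: a rogers.com sender delivered from a
    comcast.net cable host.  Legitimate third-party relays also trip this, so treat it
    as one signal to weigh, not a verdict.
    """
    domain = from_addr.rsplit("@", 1)[-1].lower()
    host = connecting_rdns.lower().rstrip(".")
    return not (host == domain or host.endswith("." + domain))


def build_sample_zip() -> bytes:
    """Construct a small archive with one benign and one disguised member (test data, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless text")
        zf.writestr("report.doc                .exe", b"not a real executable")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_zip_bytes(build_sample_zip()):
        print(f"{hit['name']!r}: real extension {hit['real_ext']}, flags {hit['flags']}")
    print("sender/relay mismatch:",
          claimed_sender_mismatch("MAILER-DAEMON@rogers.com",
                                  "c-66-31-78-168.hsd1.nh.comcast.net"))
```

The name check looks at the last dot-separated token after stripping, so trailing spaces or a directory prefix inside the archive do not hide the real extension, and the archive is never extracted, which keeps the check safe to run on mail that AV has not yet recognised.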
Current thread:
- New Virus? Alex Arndt (Aug 15)
- Re: New Virus? Eduardo Vela (Aug 16)
- RE: New Virus? The AV Vendors respond (long post) Alex Arndt (Aug 16)
- RE: New Virus? James C Slora Jr (Aug 16)
- Re: New Virus? James Polley (Aug 18)
- RE: New Virus? James C Slora Jr (Aug 18)
- Re: New Virus? Eduardo Vela (Aug 19)
- Re: New Virus? James Polley (Aug 18)
- <Possible follow-ups>
- Re: New Virus? dave_mikesch (Aug 15)
- RE: New Virus? Ragnar Harper (Aug 15)
- RE: New Virus? Harlan Carvey (Aug 15)