Snort mailing list archives

FYI: W32.Badtrans.B@mm


From: John Sage <jsage () finchhaven com>
Date: Sun, 25 Nov 2001 13:37:48 -0800

At the risk of restating the obvious, for those on Window$ boxes, watch
out for funny emails.

I've received two in an hour, now, 11/25/01 -- characteristics:

File size about 39k;
subject line: "RE: ";

Content-Type: audio/x-wav;
name="news_doc . DOC . scr"; -- or some variation thereon...

(I had to mung the name to get this past the snort list's virus filters: there's no spaces between the dots...)

Content-Transfer-Encoding: base64;
Content-ID: <EA4DMGBP9p>

A search at Symantec yielded:

http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b () mm html

w32.badtrans.b () mm html, discovered 11/24/01

"W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of
several different file names. This worm also drops a backdoor trojan
that logs keystrokes."


A possible variant of W32.Badtrans.13312@mm, discovered 04/11/01


Forewarned is forearmed etc etc etc...


- John



The first:



 From - Sun Nov 25 09:24:32 2001
Delivery-date: Sun, 25 Nov 2001 12:09:31 -0500
Received: from [24.51.160.84] (helo=aol.com)
by rcommail2 with smtp (Exim 3.16 #2)
id 1682mX-0005c1-00
for jsage () blahblahblah com; Sun, 25 Nov 2001 12:09:29 -0500
From: " Administrator" <administrator () border net>
To: jsage () blahblahblah com
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
Message-Id: <E1682mX-0005c1-00@rcommail2>
Date: Sun, 25 Nov 2001 12:09:29 -0500

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="news_doc . DOC . scr"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

<snip base 64 encoded body>

(Name munged with spaces between dots..)


The second:



 From - Sun Nov 25 12:24:34 2001
Delivery-date: Sun, 25 Nov 2001 15:16:02 -0500
Received: from [209.239.47.119] (helo=host9.apollohosting.com)
by rcommail2 with esmtp (Exim 3.16 #2)
id 1685h4-0000v7-00
for jsage () finchhaven com; Sun, 25 Nov 2001 15:16:02 -0500
Received: from aol.com (sttldslgw19poolA163.sttl.uswest.net [63.231.20.163])
by host9.apollohosting.com (8.10.2/8.10.2) with SMTP id fAPKFt602941
for <jsage () blahblahblah com>; Sun, 25 Nov 2001 15:15:56 -0500
Date: Sun, 25 Nov 2001 15:15:56 -0500
Message-Id: <200111252015.fAPKFt602941 () host9 apollohosting com>
From: "Jonathan Dunn" <_jondunn () jonathanClarkDunn com>
To: jsage () blahblahblah com
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="Sorry_about_yesterday . MP3 . pif"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

(Name munged with spaces between dots..)


<snip base 64 encoded body>
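The pattern in both messages above (a hidden iframe whose src is a cid: URL, pointing at a part declared audio/x-wav but named with a double extension ending in .scr or .pif) can be flagged mechanically. The scanner below is an added example, not code from the original post or from Snort; the executable-extension list and the sample message are constructed assumptions, with the base64 body replaced by a placeholder.

```python
import email.policy
import re
from pathlib import PurePosixPath
# Extensions treated as executable here (an assumption of this example, not a full list).
EXEC_EXT = {".scr", ".pif", ".exe", ".com", ".bat", ".vbs"}
IFRAME_CID = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)
# Constructed sample in the shape of the two messages quoted above (placeholder body).
SAMPLE = """From: "Administrator" <administrator@example.invalid>
Subject: Re:
Content-Type: multipart/related; type="multipart/alternative"; boundary="OUTER"

--OUTER
Content-Type: multipart/alternative; boundary="INNER"

--INNER
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY bgColor=3D#ffffff><iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0></iframe></BODY></HTML>
--INNER--
--OUTER
Content-Type: audio/x-wav; name="news_doc.DOC.scr"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

AAAA
--OUTER--
"""
def scan_message(raw):
    """Return (indicator, detail) pairs for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings, iframe_cids, exec_cids = [], set(), set()
    for part in (p for p in msg.walk() if not p.is_multipart()):
        ctype = part.get_content_type()
        if ctype == "text/html":  # hidden iframe pulling a body part by Content-ID
            cids = IFRAME_CID.findall(part.get_content())
            iframe_cids.update(cids)
            findings += [("hidden-iframe-cid", c) for c in cids]
            continue
        name = part.get_filename() or ""  # falls back to the Content-Type name= param
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        if suffixes and suffixes[-1] in EXEC_EXT:  # e.g. "news_doc.DOC.scr"
            findings.append(("executable-attachment", name))
            if not ctype.startswith("application/"):  # audio/x-wav carrying a .scr
                findings.append(("mime-type-mismatch", f"{ctype} -> {name}"))
            exec_cids.add(part.get("Content-ID", "").strip("<> "))
    for cid in sorted(iframe_cids & exec_cids):  # iframe auto-loads an executable part
        findings.append(("auto-launch-executable", cid))
    return findings
```

The same logic flags the second message's "Sorry_about_yesterday.MP3.pif" part, since only the name and the shared Content-ID differ.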



