Vulnerability Development mailing list archives

Re: Another new worm???

From: alex () WINSTAR NET (Alexander Kiwerski)
Date: Mon, 19 Jun 2000 21:49:35 -0700


This one got sent to many people around the office here too, but our IS
guys caught it quickly.

It's not new of course, and the current McAfee DAT's do catch it. (Caught
it on mine. 4078? I think)
If you use Outlook or Outlook Express you won't see the .shs extension,
however the extension shows up in Eudora.

Regards,

Alexander Kiwerski
Senior Network Engineer
Winstar Network Operations - West

At 11:24 AM 6/20/00 +0800, PS Howe wrote:

I found some information at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2589845,00.html
Do take a look.
The worm does not do much damage but it is a pain.

--- Jason Legate <jlegate () ALIENCHICK COM> wrote: > It
would appear that this worm was borne from the

discussions on bugtraq a
while back.  Just about a month ago, an email was
sent regarding this
exact issue.  I think someone ran with it, and
released it in the wild, as
my company was hit by it as well.  From preliminary
looks, it seems like
it plays with the filesystem, peeks/pokes at the
registry, and logs on to
irc.  Has anyone else seen this?

-j

On Mon, Jun 19, 2000 at 09:49:54AM -0400,
Studio1057 () AOL COM wrote:

Hello all,

This morning I am getting a lot of mail with

attachments. Trends are:

No from and to appears in the header
Attachments have .SHS extension (??!!)
the subject is either :Jokes", or "Funny: Jokes

text", or "Life stages".

Funny text does not show the attachment. The rest

are .txt.shs extensions,

the filename is the subject line but in all caps.
Any ideas? I am planning to clip a copy of all the

"variations" I'm getting

to check out what is going on. Unless of course

somebody else has already

done so in which case I am anxiously awaiting what

you guys cme up with.


Thanks,

LK


--
/--------------------------/ Jason Legate
\------------------------\
|     jlegate () sitesmith com       |
SiteSmith, Inc.        |
|        24x7 Call Center         |
http://www.sitesmith.com    |
|          888.898.7667           |     PGP Key ID -
0xA855AAC3    |

+---------------------------------+--------------------------------+

| Fingerprint - 2D5F 87A0 26E6 A65B 6837  D100 FB54
A972 A855 AAC3 |

\------------------------------------------------------------------/

ATTACHMENT part 2 application/pgp-signature




__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://messenger.yahoo.com.sg

Current thread:

Another new worm??? Studio1057 () AOL COM (Jun 19)
- Re: Another new worm??? Pierre Vandevenne (Jun 19)
  - Re: Another new worm??? Kenneth Williams (Jun 19)
- Re: Another new worm??? Blue Boar (Jun 19)
- Re: Another new worm??? Jason Legate (Jun 19)
- Re: Another new worm??? Ron DuFresne (Jun 19)
- <Possible follow-ups>
- Re: Another new worm??? PS Howe (Jun 19)
  - Re: Another new worm??? Alexander Kiwerski (Jun 19)
- Re: Another new worm??? Zoa_Chien (Jun 19)
- Re: Another new worm??? Alexander Kiwerski (Jun 19)
- Re: Another new worm??? Dan Schrader (Jun 20)
  - Re: Another new worm??? Blue Boar (Jun 20)
  - Re: Another new worm??? Bennett Todd (Jun 20)
  - Re: Another new worm??? ~jim (Jun 20)
  - Re: Another new worm??? Justin Randall (Jun 20)
  - Re: Another new worm??? (long) Pierre Vandevenne (Jun 21)
- Re: Another new worm??? Joe Gee (Jun 20)
- Re: Another new worm??? Dan Schrader (Jun 21)

(Thread continues...)