[Dshield] This one should get around rather quickly??

Paul Marsh pmarsh at nmefdn.org
Thu Nov 21 15:37:49 GMT 2002


I just received this warning from VirusEye; it's not even a blip on the radar screen yet, but it has potential because users love to click links....

The new Troj/Maz.C variant has been e-mailed to a number of users. From the copies that we have seen, the message appears as follows: 

     From: MAILER-DAEMON@(recipient domain)
     Subject: FAILED DELIVERY

     Body:
      Unfortunately, it was not possible to deliver one or more of your
      messages. For more information, please, take a look in the 
      attachment. 

     Attachment: mail.hta 


Behaviour

In copies that we have intercepted the attachment displays an HTML advert, but contains a Visual Basic script that drops a variant of the Downloader-BO (a.k.a. Inor) component, which subsequently attempts to download and install the Backdoor-AML (a.k.a. Jeem) component from a website, hosted at: 

     wind.prohosting.com/jimkre

The Backdoor-AML component opens three TCP ports (6079, 5262 and 4668) that may be used to access the compromised machine remotely.  The 4668 port may subsequently be used as an SMTP relay to further distribute the e-mail component to other recipients.
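The advisory above gives two things a defender can check for directly: the shape of the lure message (a fake MAILER-DAEMON bounce with a `.hta` attachment) and the three TCP ports the backdoor listens on. The following is an added example, not code from the list post or from VirusEye, that turns those indicators into two small checks: one over a raw RFC 822 message, one over `netstat -an` output. The sample message and netstat lines are constructed for illustration, and the attachment in the sample is a harmless placeholder string, not the trojan.

```python
"""Detection helpers for the Troj/Maz.C bounce-message lure.

Added example: the indicators come from the advisory text (sender,
subject, attachment name, backdoor ports); everything else here is an
assumption made for illustration.
"""
import email
import email.policy
import re

# Indicators taken from the advisory.
LURE_SUBJECT = "FAILED DELIVERY"
LURE_ATTACHMENT = "mail.hta"
BACKDOOR_PORTS = {6079, 5262, 4668}

# Constructed sample message in the shape of the lure; the attachment body
# is base64 of "<html>placeholder</html>", not malicious content.
SAMPLE_MESSAGE = """\
From: MAILER-DAEMON@example.org
To: someone@example.org
Subject: FAILED DELIVERY
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Unfortunately, it was not possible to deliver one or more of your
messages. For more information, please, take a look in the
attachment.

--XYZ
Content-Type: application/octet-stream; name="mail.hta"
Content-Disposition: attachment; filename="mail.hta"
Content-Transfer-Encoding: base64

PGh0bWw+cGxhY2Vob2xkZXI8L2h0bWw+
--XYZ--
"""

# Constructed sample of Windows-style "netstat -an" output.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4668           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6079           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:5262          10.0.0.9:40000         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


def lure_indicators(raw_message: str) -> list:
    """Return the advisory indicators matched by one raw RFC 822 message.

    A genuine bounce can legitimately come from MAILER-DAEMON, so the
    attachment checks are what make the combination suspicious.
    """
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    hits = []
    sender = str(msg.get("From") or "").strip().lower()
    if sender.startswith("mailer-daemon@"):
        hits.append("mailer-daemon-sender")
    if str(msg.get("Subject") or "").strip().upper() == LURE_SUBJECT:
        hits.append("failed-delivery-subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(".hta"):
            hits.append("hta-attachment")
            if name == LURE_ATTACHMENT:
                hits.append("mail.hta-name")
    return hits


def backdoor_listeners(netstat_output: str) -> set:
    """Return advisory-listed TCP ports found in a listening state.

    Accepts both Windows ("LISTENING") and Linux ("LISTEN") netstat wording;
    the local address is the first field containing a ':' after the protocol.
    """
    found = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        if fields[-1].upper() not in ("LISTENING", "LISTEN"):
            continue
        local = next((f for f in fields[1:] if ":" in f), "")
        m = re.search(r":(\d+)$", local)
        if m and int(m.group(1)) in BACKDOOR_PORTS:
            found.add(int(m.group(1)))
    return found


if __name__ == "__main__":
    print("message indicators:", lure_indicators(SAMPLE_MESSAGE))
    print("backdoor listeners:", sorted(backdoor_listeners(SAMPLE_NETSTAT)))
```

The port check deliberately reports only listening sockets, which is why the ESTABLISHED entry on 5262 in the sample is not counted; a host-level check that also flags established connections on those ports would catch a backdoor already in use, at the cost of more noise from unrelated services that happen to use the same numbers.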
