[Dshield] New Outlook virus?

Richard.Reeman@CGI-Europe.Com Richard.Reeman at CGI-Europe.Com
Tue Oct 1 12:22:41 GMT 2002


I think this virus is quite widespread at the moment; we have had several
instances of it blocked by our mail system AV.

The attachment appears to be opened by HTML from within the message, so even
previewing the message in Outlook could cause you to get infected.

______________________
Richard Reeman
DeskTop Services
 
CGI Group (Europe) Ltd.


-----Original Message-----
From: Thomas.Deimel at gastechnology.org
[mailto:Thomas.Deimel at gastechnology.org] 
Sent: 30 September 2002 23:16
To: list at dshield.org
Cc: mike at themorrells.org
Subject: Re: [Dshield] New Outlook virus?



Information for Sophos.

W32/Bugbear-A is an internet worm which spreads via SMTP and also attempts
to spread via network shares. The worm copies itself to the Windows system
folder as a file with a random four-letter name and an EXE extension and
adds to the following registry entry to run this file on the next reboot:


HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce


W32/Bugbear-A also drops a copy of itself in the Windows start up folder so
that it is run on system restart.


The worm drops a randomly-named DLL file, which is related to logging
keystrokes, in the Windows system folder. It can also terminate certain
firewall and antivirus programs.


http://www.sophos.com/virusinfo/analyses/w32bugbeara.html


Thomas J. Deimel



 

"Mike Morrell" <mike at themorrells.org>
Sent by: list-admin at dshield.org
09/30/2002 02:13 PM
Please respond to list

To: <list at dshield.org>
cc:
Fax to:
Subject: [Dshield] New Outlook virus?

 

 





  Has anyone seen a potentially new Outlook virus in the wild?

   It appears that you receive an infected message that shows no attachment
when viewed in Outlook.  When opened the virus sends email out to people in
your address book with a subject and content taken from a previously sent
message.  One person reported seeing something flash on their screen very
quickly when it was opened.  The virus is attaching itself using the name of
an attachment you sent before.
   Up-to-date McAfee and Norton virus scanners do not appear to be catching
it.  My Anomy Sanitizer at home caught that there was an .scr attachment
with the message and defanged it.  Other people reported that their virus
scanner did not catch it but an email defanger did.


Mike


_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list


**********************************************************************
This communication is for the use of the intended recipient only. It may
contain information that is privileged and confidential. If you are not the
intended recipient of this communication, any disclosure, copying, further
distribution or use thereof is prohibited.

If you have received this communication in error,
please advise me by return e-mail or by telephone and delete/destroy it.
**********************************************************************








*** Confidentiality Notice *** Proprietary/Confidential
Information belonging to CGI Group Inc. and its affiliates
may be contained in this message. If you are not a recipient
indicated or intended in this message (or responsible for
delivery of this message to such person), or you think for
any reason that this message may have been addressed to you
in error, you may not use or copy or deliver this message
to anyone else.  In such case, you should destroy this
message and are asked to notify the sender by reply email.
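
An added example, not part of the original thread: a minimal version of the attachment check the posters describe an email defanger performing. It walks the MIME parts of a message, flags any part whose filename ends in an executable extension such as .scr, and records whether the HTML body references that part. The extension list, the `cid:` reference check and the sample message are assumptions constructed for illustration.

```python
import email
import os
import re
from email import policy

# Assumed extension list for this example; the thread itself only names .scr.
RISKY_EXT = {".scr", ".exe", ".pif", ".com", ".bat", ".vbs"}

# Constructed sample message: the HTML part references an inline part by
# Content-ID, so no Content-Disposition: attachment header is present.
SAMPLE = b"""\
From: sender@example.com
To: rcpt@example.com
Subject: Re: budget
MIME-Version: 1.0
Content-Type: multipart/related; boundary="B"

--B
Content-Type: text/html

<html><body><img src="cid:att1"></body></html>
--B
Content-Type: application/octet-stream; name="budget.xls.scr"
Content-Transfer-Encoding: base64
Content-ID: <att1>

Y29uc3RydWN0ZWQ=
--B--
"""

def scan(raw: bytes) -> list:
    """Return one finding per MIME part whose filename has a risky extension."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    referenced = set()  # Content-IDs that an HTML part points at via cid: URLs
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            referenced.update(re.findall(r"cid:([^\"'\s>]+)", part.get_content(), re.I))
    findings = []
    for part in msg.walk():
        name = part.get_filename() or ""  # falls back to Content-Type name=
        if os.path.splitext(name)[1].lower() not in RISKY_EXT:
            continue
        cid = (part.get("Content-ID") or "").strip("<> ")
        findings.append({"filename": name,
                         "disposition": part.get_content_disposition(),
                         "referenced_by_html": cid in referenced})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with `disposition` of `None` and `referenced_by_html` set is a part that a mail client would not list as an attachment, which matches the "shows no attachment" symptom reported in the thread.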