[Dshield] New Outlook virus?

Thomas.Deimel@gastechnology.org Thomas.Deimel at gastechnology.org
Mon Sep 30 22:16:01 GMT 2002


Information for Sophos.

W32/Bugbear-A is an internet worm which spreads via SMTP and also attempts
to spread via network shares. The worm copies itself to the Windows system
folder as a file with a random four-letter name and an EXE extension and
adds to the following registry entry to run this file on the next reboot:


HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce


W32/Bugbear-A also drops a copy of itself in the Windows start up folder so
that it is run on system restart.


The worm drops a randomly-named DLL file, which is related to logging
keystrokes, in the Windows system folder. It can also terminate certain
firewall and antivirus programs.


http://www.sophos.com/virusinfo/analyses/w32bugbeara.html


Thomas J. Deimel



                                                                                                                                        
"Mike Morrell" <mike at themorrells.org>
Sent by: list-admin at dshield.org
09/30/2002 02:13 PM
Please respond to list

To:      <list at dshield.org>
cc:
Fax to:
Subject: [Dshield] New Outlook virus?
                                                                                                                                        
                                                                                                                                        




  Has anyone seen a potentially new Outlook virus in the wild?

   It appears that you receive an infected message that shows no
attachment when viewed in Outlook.  When opened the virus sends email
out to people in your address book with a subject and content taken
from a previously sent message.  One person reported seeing something
flash on their screen very quickly when it was opened.  The virus is
attaching itself using the name of an attachment you sent before.
   Up-to-date McAfee and Norton virus scanners do not appear to be
catching it.  My Anomy Sanitizer at home caught that there was an .scr
attachment with the message and defanged it.  Other people reported
that their virus scanner did not catch it but an email defanger did.


Mike




**********************************************************************
This communication is for the use of the intended recipient only.
It may contain information that is privileged and confidential.
If you are not the intended recipient of this communication,
any disclosure, copying, further distribution or use thereof is prohibited.

If you have received this communication in error,
please advise me by return e-mail or by telephone and delete/destroy it.
**********************************************************************
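
The check described in the quoted message (an email defanger flagging an .scr attachment that the virus scanners missed), shown as an added example that is not part of the original thread and is not Anomy Sanitizer's code. The extension list, the `defang` function, the `.DEFANGED` suffix and the sample message are assumptions constructed for illustration.

```python
import email
import os
from email import policy

# Assumed blocklist for illustration; production filters use longer lists.
RISKY_EXTENSIONS = {".scr", ".exe", ".pif", ".bat", ".com", ".vbs"}

# Constructed sample: the filename appears only in the Content-Type "name"
# parameter and there is no Content-Disposition header at all.
SAMPLE = (
    b"From: sender@example.org\r\n"
    b"To: rcpt@example.org\r\n"
    b"Subject: Re: quarterly report\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"See attached.\r\n"
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="report.doc.scr"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"Tk9UIEEgUkVBTCBCSU5BUlk=\r\n"
    b"--b1--\r\n"
)

def defang(raw_bytes):
    """Parse a message, neutralise risky attachments, return (msg, findings)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        # get_filename() checks Content-Disposition first and falls back to
        # Content-Type "name", so parts not marked as attachments are covered.
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        # Windows ignores trailing dots and spaces, so strip them first.
        trimmed = name.rstrip(". ")
        ext = os.path.splitext(trimmed)[1].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append((name, part.get_content_type()))
            # Rename and retype so a mail client will not launch the file.
            del part["Content-Disposition"]
            part.add_header("Content-Disposition", "attachment",
                            filename=trimmed + ".DEFANGED")
            del part["Content-Type"]
            part["Content-Type"] = "application/octet-stream"
    return msg, findings
```

The filter keys on the final extension of the attachment name rather than on a signature, so it does not depend on a scanner update being available for a new worm.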






