[Dshield] Blaster Cleanup Virus

Johannes B. Ullrich jullrich at sans.org
Sun Aug 17 14:45:30 GMT 2003


This message was converted from multipart/signed to ascii armored
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> I appear to have gotten this, but it claims to be from 
> comcast.online at comcast.m0.net.  

This may have been a legitimate e-mail, even though poorly
done. 'm0.net' is part of Digital Impact, a commercial 
mass mailing firm. Comcast may have outsourced the task of
notifying their customers to this company.

Either way: Better safe than sorry. While it is common for
companies (e.g. Microsoft) to e-mail URLs to download 
patches, still be very careful about the URLs included in
such e-mails. It is easy to hide / obfuscate the actual
URL.




> There are links that claim to be for the 
> Windows patch page, and for the Symantec utility that tests for the 
> worm, but that actually point back to pages from comcast.m0.net.  The 
> instructions that were sent ape very closely the page that Comcast did 
> put up on their web site, and on a superficial level the Symantec 
> utility from m0 looks like what you'd get if you downloaded it from 
> Symantec (file size, all the info in right-click -> properties is the 
> same), though I haven't run either utility.
> 
> Unsurprisingly, there's been no response from either 
> 'support at comcast.net' or 'abuse at comcast.net', both of whom got separate 
> e-mails yesterday with a forwarded copy of the mail I got.
> 
> -Mike
-- 
SANS - Internet Storm Center
http://isc.sans.org
PGP Key: http://isc.sans.org/jullrich.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQA/P5UKR1p7hYJvB/wRAvZpAJ95gYyVlwbymHzK8Hy8a2V5ePYLfQCfUKut
WyD727POsk9ydGSih13AEpY
-----END PGP SIGNATURE-----
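
A defensive check for the mismatch discussed in this thread, where a link's visible text names one site while its href points elsewhere. This is an added example, not part of the original messages; the sample HTML, its paths and the 192.0.2.7 address are constructed, and `audit_links`, `site` and `LinkCollector` are hypothetical names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def site(host):
    # Assumption: last two labels approximate the registrable domain (use the Public Suffix List in practice).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._href, self._text = href, []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def audit_links(html):
    """Return (text, href, reasons) for links whose real target needs a second look."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        parts = urlsplit(href)
        host, reasons = parts.hostname or "", []
        named = HOST_RE.search(text)
        if named and site(named.group(1)) != site(host):
            reasons.append(f"text names {named.group(1)}, target is {host}")
        if parts.username is not None:
            reasons.append(f"userinfo before '@' masks host {host}")
        if re.fullmatch(r"[0-9.]+", host):
            reasons.append("numeric host")
        if reasons:
            findings.append((text, href, reasons))
    return findings

# Constructed sample body; the paths and the 192.0.2.7 address are made up.
SAMPLE = """<a href="http://comcast.m0.net/r/1">http://windowsupdate.microsoft.com</a>
<a href="http://www.microsoft.com@192.0.2.7/fix.exe">Download the patch</a>
<a href="http://www.comcast.net/help">www.comcast.net</a>"""
```

A finding means only that the displayed name and the real target differ, which is also what a legitimate outsourced mailer with redirect links looks like; the decision still needs a human.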
