[Dshield] potential new mail worm

Piet Barber pbarber at pietbarber.com
Sat Sep 13 06:14:38 GMT 2003

I just got a mail that was obviously forged, containing an e-mail 

This one is NOT SoBig.F, it appears to be something totally new;  (to me 
at least)

I wrote a message to my friend Bill about 2 months, ago; where my 
message apparently languished in his inbox.  When he got infected with 
this worm, the worm scoured his OS for addressbook entries, and messages 
in his inbox, and the names of attachments that he has sent out recently. 

Then, the worm started writing messages to all of his addressbook 
entries with a From address that is obviously forged: But the forgery is 
composed of usernames and hosts from within the addressbook.

For instance, the mail was forged from 'Piet Barber <pbarber at aol.com>'  
(It's obviously forged! I would rather chew broken glass than use AOL!)  
the 'pbarber' component from one address is appended to another 
addressbook entry of '@aol.com' in Bill's addressbook.

The attachment is a base-64 encoded executable with an AUDIO/x-MIDI 
content-type, and a filename obviously taken from Bill's "My Documents" 
folder.   The contents of the mail are a frame with my original message 
to him, in HTML, with the attachment after the HTML message.

Spam Assassin caught the message nicely, and now I have all messages 
like this going into quarantine before getting forwarded around.

I've never heard of such a worm, so I wanted to bring it up here first, 
,to see if anybody else knows about this.  the anti-virus websites talk 
about LoveSan, SoBig.F and another, but none of their MOs match this one's.

I exclusively use Linux, so I don't know much about these Outbreak 
Express worms of the day. 

Does anybody know about this one?

Here's the md5sum of the executable:

Here's a strings output of the executable:   (or the interesting parts, 
anyway; the last 10 lines or so)


More information about the list mailing list