[Dshield] potential new mail worm
pbarber at pietbarber.com
Sat Sep 13 06:14:38 GMT 2003
I just got a mail that was obviously forged, containing an e-mail
This one is NOT SoBig.F, it appears to be something totally new; (to me
I wrote a message to my friend Bill about 2 months ago, where my
message apparently languished in his inbox. When he got infected with
this worm, the worm scoured his OS for addressbook entries, and messages
in his inbox, and the names of attachments that he has sent out recently.
Then, the worm started writing messages to all of his addressbook
entries with a From address that is obviously forged, but the forgery is
composed of usernames and hosts from within the addressbook.
For instance, the mail was forged from 'Piet Barber <pbarber at aol.com>'
(It's obviously forged! I would rather chew broken glass than use AOL!)
The 'pbarber' component from one address is appended to another
addressbook entry of '@aol.com' in Bill's addressbook.
The attachment is a base-64 encoded executable with an AUDIO/x-MIDI
content-type, and a filename obviously taken from Bill's "My Documents"
folder. The contents of the mail are a frame with my original message
to him, in HTML, with the attachment after the HTML message.
SpamAssassin caught the message nicely, and now I have all messages
like this going into quarantine before getting forwarded around.
I've never heard of such a worm, so I wanted to bring it up here first,
to see if anybody else knows about this. The anti-virus websites talk
about LoveSan, SoBig.F and another, but none of their MOs match this one's.
I exclusively use Linux, so I don't know much about these Outbreak
Express worms of the day.
Does anybody know about this one?
Here's the md5sum of the executable:
Here's a strings output of the executable: (or the interesting parts,
anyway; the last 10 lines or so)
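The two traits described in the post (an executable shipped as a base64 "AUDIO/x-MIDI" attachment, and a From address stitched together from pieces of different addressbook entries) can be checked mechanically on incoming mail. The script below is an added example, not code from the post; the message, the addressbook entries and the filename are constructed stand-ins.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

EXE_MAGIC = b"MZ"   # DOS/PE executable header; a real MIDI file starts with b"MThd"
# Constructed addressbook (hypothetical entries standing in for Bill's):
ADDRESS_BOOK = [
    ("Piet Barber", "pbarber@pietbarber.com"),
    ("Some AOL user", "someone@aol.com"),
]

def build_sample_message() -> bytes:
    """Construct a message shaped like the one described: HTML body plus a
    base64 'MIDI' attachment whose bytes are really an executable stub."""
    msg = EmailMessage()
    msg["From"] = "Piet Barber <pbarber@aol.com>"   # local part from one entry, domain from another
    msg["To"] = "bill@example.net"
    msg["Subject"] = "Re: your message"
    msg.set_content("<html><body>quoted original message</body></html>", subtype="html")
    fake_exe = EXE_MAGIC + b"\x90" * 64            # constructed stub carrying only the PE magic
    msg.add_attachment(fake_exe, maintype="audio", subtype="x-midi", filename="budget.doc")
    return msg.as_bytes()

def suspicious_attachments(raw: bytes) -> list:
    """Return (filename, declared type) for attachments whose decoded bytes
    are an executable while the Content-Type claims something else."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""   # undoes the base64 transfer encoding
        ctype = part.get_content_type()
        if data.startswith(EXE_MAGIC) and not ctype.startswith("application/"):
            findings.append((part.get_filename(), ctype))
    return findings

def from_is_recombined(from_header: str, book: list) -> bool:
    """True when From is not a known address, yet its local part and its
    domain each come from known entries: the forgery pattern in the post."""
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    known = {a.lower() for _, a in book}
    if addr in known or "@" not in addr:
        return False
    local, _, domain = addr.partition("@")
    local_parts = {a.partition("@")[0] for a in known}
    domains = {a.partition("@")[2] for a in known}
    return local in local_parts and domain in domains

if __name__ == "__main__":
    raw = build_sample_message()
    print("attachment findings:", suspicious_attachments(raw))
    print("recombined From:", from_is_recombined("Piet Barber <pbarber@aol.com>", ADDRESS_BOOK))
```

The magic-byte check is independent of the filename, so a document name lifted from "My Documents" does not hide the executable.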