[Dshield] Potential new virus

Mike mjcarter at ihug.co.nz
Wed Feb 4 05:50:00 GMT 2004

So did I, msg header below:

Return-Path: <sgt_b2002 at comprehensive.com>
Delivered-To: mjcarter at backend.pop.ihug.co.nz
Received: (qmail 1661 invoked from network); 3 Feb 2004 17:44:57 -0000
Received: from grunt12.ihug.co.nz (
  by mail1.ihug.co.nz with SMTP; 3 Feb 2004 17:44:57 -0000
Received: from ferengi.skynet.be []
	by grunt12.ihug.co.nz with esmtp (Exim 3.35 #1 (Debian))
	id 1Ao4bW-0005aq-00; Wed, 04 Feb 2004 06:44:55 +1300
Received: from skynet (9.47-201-80.adsl.skynet.be [])
        by ferengi.skynet.be (8.12.9/8.12.9/Skynet-OUT-2.21) with SMTP id
	Tue, 3 Feb 2004 18:41:00 +0100
        (envelope-from <sgt_b2002 at comprehensive.com>)
Date: Tue, 3 Feb 2004 18:41:00 +0100
Message-Id: <200402031741.i13Hf0cd013568 at ferengi.skynet.be>
From: sgt_b <sgt_b2002 at comprehensive.com>
Subject:  www.google.com reference in directory-traversal attack
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------V0Z4Z4LQ8I9BJB"
To: undisclosed-recipients:;
X-RAVMilter-Version: 8.4.3(snapshot 20030212) (ferengi.skynet.be)

msg body:

I've included a link to a tcpdump taken that shows a standard IIS
directory-traversal attack. I was looking over the packets and noticed a
reference t

Same attached file "occasie.txt.pif"

Did you get a response from Symantec?


I just received a PIF that Norton did not detect. I suspect that it was a
virus, but my (up-to-date) Norton A/V did not flag it as such.

I have sent it to Norton per the instructions listed below, but thought that
I'd warn the group about it.

The email came looking like this with the attachment "occasie.txt.pif":

>From: Dozal, Tim [mailto:tdozal at sw2000.com]
>Sent: Tuesday, February 03, 2004 12:35 PM
>To: undisclosed-recipients:
>Subject: RE: more info on a hopefully unsuccessful compromise
>You may be able to create a new account on the host and set it with full
>administrator privileges on the local machine (and domain if present) then
>disable/remove the administrator account you're having problems with.  I
>the reason you're unable to disable/remove the current admin account is Wi

Here are the instructions on how to email Norton a potential virus:

To send a zipped, password protected copy of the suspicious file or files as
an email attachment

To create an email
Create an email.
Type Submission in the Subject field.
Include the following information in the body of the email
Operating System
Zip/Country code
Phone number
A detailed description of the symptoms that you observed.

To create a password-protected zip file
Do the following to create a password-protected zip file that contains the
suspicious file/files. It is important that potentially infected files be
zipped and password protected to prevent the potential new virus from being
mistakenly sent to others. This process is part of the Symantec best
practices procedure when working with potentially infected files. If you are
running Norton AntiVirus or Symantec AntiVirus in a corporate environment,
then zipping and password protecting a potentially infected file will also
allow the file to be sent through your network security system without being

Note: These steps apply to Winzip. If you have another zip utility, consult
your program documentation for help zipping and password protecting the
potentially infected file.


Open Windows Explorer.
Locate the suspicious file or files.
If there is only one file, then right-click the file, and then click "Add to
Click I agree.
Click New.
Change the "Create" location to Desktop, type Submission and then click OK.
Click Options and then Password.
Type infected and then click OK. Reenter the same password, and then click
OK again.
You should see a zip file named Submission.zip on the Desktop.
If you want to submit more than one file, then do the following for each
Locate the file and then right-click the file, and click "Add to zip."
Click I agree.
Click Open.
Change the "Create" location to Desktop, locate and click Submission.zip and
then click Open.
Click Add.

To attach the zip file to the email and send the email to Security Response
Attach the Submission.zip file to the email and send it to
AVSubmit at symantec.com.
The submitted file will be scanned by the Symantec automated response system
and you will receive an email response with a tracking number.

Note: Be patient. It is possible for the automated reply to take up to 24
hours, depending on how many submissions have been received.


"Life is like an analogy"
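As an added triage example (not code from this post, the list, or Symantec), the script below does in code what the two posters did by eye: it walks the Received: chain of the quoted header back to its origin hop and flags the "occasie.txt.pif" double-extension attachment. The SAMPLE message is constructed from the header quoted above with the obfuscated "at" written as "@"; the attachment bytes are invented, not the real PIF.

```python
import re
from email import message_from_string, policy

# Constructed sample modelled on the header quoted in the post: the obfuscated
# "at" is written as "@" and the attachment bytes are invented, not the real PIF.
SAMPLE = """\
Received: from grunt12.ihug.co.nz by mail1.ihug.co.nz with SMTP; 3 Feb 2004 17:44:57 -0000
Received: from ferengi.skynet.be [] by grunt12.ihug.co.nz with esmtp (Exim 3.35 #1 (Debian))
    id 1Ao4bW-0005aq-00; Wed, 04 Feb 2004 06:44:55 +1300
Received: from skynet (9.47-201-80.adsl.skynet.be []) by ferengi.skynet.be (8.12.9/8.12.9/Skynet-OUT-2.21) with SMTP;
    Tue, 3 Feb 2004 18:41:00 +0100
From: sgt_b <sgt_b2002@comprehensive.com>
Content-Type: multipart/mixed; boundary="----------V0Z4Z4LQ8I9BJB"
To: undisclosed-recipients:;

------------V0Z4Z4LQ8I9BJB
Content-Type: application/octet-stream; name="occasie.txt.pif"
Content-Disposition: attachment; filename="occasie.txt.pif"
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQ=
------------V0Z4Z4LQ8I9BJB--
"""

# Extensions Windows executes even when an earlier ".txt" makes the name look harmless.
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs"}


def received_chain(raw):
    """(from, by) hops in delivery order, origin first: each MTA prepends its
    Received: line, so the last header is the earliest hop.  Only the 'by' host
    of a hop is trustworthy; the 'from' token is whatever the peer claimed."""
    msg = message_from_string(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", str(value), re.S)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def suspicious_attachments(raw):
    """Flag attachments whose final extension is executable, noting double extensions."""
    msg = message_from_string(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        if len(pieces) > 1 and pieces[-1] in EXECUTABLE_EXTS:
            flagged.append((name, "double extension" if len(pieces) > 2 else "executable"))
    return flagged
```

Run on the sample, the chain reads skynet -> ferengi.skynet.be -> grunt12.ihug.co.nz -> mail1.ihug.co.nz and the attachment is flagged; the empty brackets are where the archive stripped the IP addresses.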
