[Dshield] He has been captured - Possible Virus Email

Neil Richardson neilr at ieee.org
Fri Jun 3 01:38:00 GMT 2005

Hash: SHA1
on 6/2/2005 4:40 PM Karen Gispanski said the following:

| Has anyone received emails claiming Osama Bin Laden has been
| captured?  Some subject lines read He has been captured and others
| read Glod Bless America! It has a attachment pictures.zip.  The
| content in the email is:

I received it at around 2pm (PDT) today, but the attachment was
"pics.zip" (900 bytes) with "pics.scr" (1.51KB) inside.

Norton 2005 didn't catch it at all (even when unzipped and manually
scanned with full heuristics), so I submitted it for analysis (and
distribution?) to >http://www.virustotal.com/flash/index_en.html< and
just under half detected it, mostly by their own heuristics.  I also
submitted it to Norton and about an hour ago they auto-replied with
the following:

=====>8=====>8  BEGIN COPY & PASTE   =====>8=====>8

| filename: pics.scr machine: AVCAutomation: result: This file is
| infected with Download.BBX
| Developer notes: pics.scr is non-repairable threat. Please delete
| this file and replace it if necessary. Please follow the
| instruction at the end of this email message to install the latest
| rapidrelease definitions.
| Symantec Security Response has determined that the sample(s) that
| you provided are infected with a virus, worm, or Trojan. We have
| created RapidRelease definitions that will detect this threat.
| Please follow the instruction at the end of this email message to
| download and install the latest RapidRelease definitions. Symantec
| is now building a new set of definitions to include the threat you
| have submitted. The approximate time to complete this process is
| one hour. We recommend checking the ftp site periodically over the
| next 60 to 90 minutes to download these definitions as soon as they
| are available.
| Downloading and Installing RapidRelease Definitions: 1. Open your
| Web browser. If you are using a dial-up connection, connect to any
| Web site, such as:  http://securityresponse.symantec.com/ 2. Copy
| and paste the address
| into the address bar of your Web browser and then press Enter.(this
| could take a minute or so if you have a slow connection) 3. Now
| select 45192 folder or a higher. Open the folder. 4. Select the
| file symrapidreleasedefsi32.exe 5. When a download dialog box
| appears, save the file to the Windows desktop. 6. Double-click the
| downloaded file and follow the prompts.

=====>8=====>8  END COPY & PASTE   =====>8=====>8

- -Neil Richardson
- --
Supreme Lord High Commander and Keeper of the Holy Potato
- ----------
PGP Fingerprint: A663 1ACB 84E6 F4DE B86E  0AA1 7A36 F817 E098 F32E
- ----------
One of these days I'm going to find this 'peer' guy and reset HIS

Version: GnuPG v1.2.4 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

More information about the list mailing list