[Dshield] He has been captured - Possible Virus Email

Scott Fendley scottf at uark.edu
Fri Jun 3 03:28:52 GMT 2005

Yup.  I got a copy of it around 2pm central time and submitted it to the 
major AV companies somewhere shortly after.  Just thought it was another 


At 08:38 PM 6/2/2005, Neil Richardson wrote:
>on 6/2/2005 4:40 PM Karen Gispanski said the following:
>| Has anyone received emails claiming Osama Bin Laden has been
>| captured?  Some subject lines read He has been captured and others
>| read Glod Bless America! It has an attachment pictures.zip.  The
>| content in the email is:
>I received it at around 2pm (PDT) today, but the attachment was
>"pics.zip" (900 bytes) with "pics.scr" (1.51KB) inside.
>Norton 2005 didn't catch it at all (even when unzipped and manually
>scanned with full heuristics), so I submitted it for analysis (and
>distribution?) to >http://www.virustotal.com/flash/index_en.html< and
>just under half detected it, mostly by their own heuristics.  I also
>submitted it to Norton and about an hour ago they auto-replied with
>the following:
>=====>8=====>8  BEGIN COPY & PASTE   =====>8=====>8
>| filename: pics.scr machine: AVCAutomation: result: This file is
>| infected with Download.BBX
>| Developer notes: pics.scr is a non-repairable threat. Please delete
>| this file and replace it if necessary. Please follow the
>| instruction at the end of this email message to install the latest
>| rapidrelease definitions.
>| Symantec Security Response has determined that the sample(s) that
>| you provided are infected with a virus, worm, or Trojan. We have
>| created RapidRelease definitions that will detect this threat.
>| Please follow the instruction at the end of this email message to
>| download and install the latest RapidRelease definitions. Symantec
>| is now building a new set of definitions to include the threat you
>| have submitted. The approximate time to complete this process is
>| one hour. We recommend checking the ftp site periodically over the
>| next 60 to 90 minutes to download these definitions as soon as they
>| are available.
>| Downloading and Installing RapidRelease Definitions: 1. Open your
>| Web browser. If you are using a dial-up connection, connect to any
>| Web site, such as:  http://securityresponse.symantec.com/ 2. Copy
>| and paste the address
>| into the address bar of your Web browser and then press Enter.(this
>| could take a minute or so if you have a slow connection) 3. Now
>| select 45192 folder or a higher. Open the folder. 4. Select the
>| file symrapidreleasedefsi32.exe 5. When a download dialog box
>| appears, save the file to the Windows desktop. 6. Double-click the
>| downloaded file and follow the prompts.
>=====>8=====>8  END COPY & PASTE   =====>8=====>8
>- -Neil Richardson
>- --
>Supreme Lord High Commander and Keeper of the Holy Potato
>- ----------
>PGP Fingerprint: A663 1ACB 84E6 F4DE B86E  0AA1 7A36 F817 E098 F32E
>- ----------
>One of these days I'm going to find this 'peer' guy and reset HIS
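Added example, not code from anyone in the thread: a Python check that a mail gateway or analyst could run on a zip attachment like the pics.zip described above, flagging members that carry a directly executable extension such as .scr or that begin with the MZ header of a Windows executable. The sample zip and the extension list are constructed here for the demonstration.

```python
import io
import zipfile

# Extensions Windows runs directly when double-clicked; .scr (screen saver)
# is the one found inside pics.zip in the thread. Constructed list.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}


def inspect_zip_attachment(data: bytes) -> list[dict]:
    """Return one finding per zip member whose name or content looks executable.

    A finding records the member name, its uncompressed size, whether the
    extension is executable, and whether the first two bytes are the 'MZ'
    DOS/PE header that a renamed executable still carries.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            with zf.open(info) as member:
                magic = member.read(2)
            is_pe = magic == b"MZ"
            if ext in EXECUTABLE_EXTS or is_pe:
                findings.append({
                    "member": name,
                    "size": info.file_size,
                    "executable_extension": ext in EXECUTABLE_EXTS,
                    "pe_header": is_pe,
                })
    return findings


def build_sample_attachment() -> bytes:
    """Constructed stand-in for pics.zip: a zip holding 'pics.scr' whose body
    is only an 'MZ' header plus zero padding, plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("pics.scr", b"MZ" + b"\x00" * 1510)
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip_attachment(build_sample_attachment()):
        print(finding)
```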
