[unisog] MyParty

Huba Leidenfrost huba at uidaho.edu
Tue Jan 29 01:35:48 GMT 2002


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are some relevant news articles if you haven't found them yet.

Source: Ananova

Date Written: January 28, 2002

Date Collected: January 28, 2002 

Title: Warning over new type of computer virus 
A new e-mail virus, 'W32/Myparty@MM', dubbed MyParty, issues a bogus
web link, a .com URL, that infects a machine when the attachment is
opened. The subject line is "New photos from my party," but once
opened, the virus will attempt to send itself to any addresses in the
infected machine's Windows address book, and installs a backdoor into
the system. Experts believe the worm/virus originated in Russia and
infects systems using Microsoft Outlook Express. 
http://www.ananova.com/news/story/sm_506213.html 
Also - http://news.com.com/2100-1001-823959.html 
Also -
http://www.nytimes.com/reuters/news/news-tech-myparty-worm.html 
Also - http://www.nwfusion.com/news/2002/0128myparty.html 

<from dailyreport at ists.dartmouth.edu daily mailing>

- -----Original Message-----
From: Jose Nazario [mailto:jose at biocserver.BIOC.cwru.edu]
Sent: Monday, January 28, 2002 1:10 PM
To: Anderson Johnston
Cc: unisog at sans.org
Subject: Re: [unisog] MyParty


On Mon, 28 Jan 2002, Anderson Johnston wrote:

> We are getting slammed with the My Party worm.  As near as we can
> tell, it's showing up in two flavors.  There is a relatively
> obvious one that has the subject "new photos from my party!"

i have been blocking this with a sendmail rule:

HSubject: $>Check_Subject

D{PtyPat}new photos from my party!
D{PtyMsg}New MyPhotos worm.

# ruleset called for each Subject: header; LHS and RHS must be separated by tabs
SCheck_Subject
R${PtyPat} $*	$#error $: 553 ${PtyMsg}
RRe: ${PtyPat} $*	$#error $: 553 ${PtyMsg}


this will help slow down the dumber, initial variant with the status
subject line.

simply insert this as described here:

http://biocserver.BIOC.CWRU.Edu/~jose/iloveyouhack.txt

seems to help give you more time to upgrade everything else, it's no
replacement for desktop security. i haven't seen the newer variants so i
can't help you there. it may be using a static MIME content start line,
so .. keep that in mind.

hope this helps some of you,

____________________________
jose nazario						     jose at cwru.edu
	      	     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
				       PGP key ID 0xFD37F4E5 (pgp.mit.edu)

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPFX8c0pG2S0cMeJwEQKbhQCfVsaa9AOjkQGgDQCF85SGsy3tWxcAn1rC
xlMaFnkpMdsc04QjOizcUCTg
=FaWB
-----END PGP SIGNATURE-----
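
The subject check from the quoted sendmail rule, written out in Python as an added example. It is not part of the original thread or of the posted rule, and it goes beyond that rule by also handling folded and RFC 2047-encoded Subject headers. The function names, the "250 OK" verdict and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.errors import HeaderParseError
from email.header import decode_header, make_header

# Static subject of the first variant, as quoted in the thread.
WORM_SUBJECT = "new photos from my party!"
REJECT = "553 New MyPhotos worm."   # same reply text as ${PtyMsg}
ACCEPT = "250 OK"                   # constructed "no match" verdict
REPLY_PREFIX = re.compile(r"^(?:re\s*:\s*)+")

def normalize_subject(raw):
    """Decode RFC 2047 words, unfold, collapse whitespace, lowercase."""
    raw = raw or ""
    try:
        raw = str(make_header(decode_header(raw)))
    except (HeaderParseError, LookupError, UnicodeError, ValueError):
        pass  # undecodable header: fall back to matching the raw text
    return " ".join(raw.split()).lower()

def check_subject(raw_message):
    """Return the verdict for one raw RFC 822 message."""
    subject = normalize_subject(message_from_string(raw_message).get("Subject"))
    subject = REPLY_PREFIX.sub("", subject)
    # Anchored at the start, like the rule's "${PtyPat} $*" pattern.
    return REJECT if subject.startswith(WORM_SUBJECT) else ACCEPT

# Constructed sample messages (not captured traffic).
SAMPLES = [
    "Subject: new photos from my party!\n\nbody\n",
    "Subject: RE: New Photos\n  From My Party!\n\nbody\n",
    "Subject: =?iso-8859-1?Q?New_photos_from_my_party!?=\n\nbody\n",
    "Subject: Minutes from the staff party planning meeting\n\nbody\n",
    "From: a@example.edu\n\nno subject header\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_subject(sample), "<-", sample.splitlines()[0])
```

Like the sendmail rule, the match is anchored at the start of the subject, so a message that only mentions the phrase later in the line is not rejected.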


