New virus???

Steve Bernard sbernard at gmu.edu
Fri Aug 1 19:07:49 GMT 2003


We are beginning to see an email-based virus spreading in our network. 
The originator seems to be from a locally compromised machine. Email is 
being generated in the name of the account "admin@" and purports that 
the user's IP has been changed. An accompanying attachment, 
"message.zip" is an HTML file with the binary file, "foo.exe", in the 
header portion. A script with function "malware()" is repeated multiple 
times, each calling "foo.exe".  So far what I know is that the virus 
spreads itself when "message.zip" is read by reading at least one 
address in the user's address book. The scripting is easy to understand 
but, "foo.exe" is compiled. This virus is *not* recognized by the latest 
Norton AV signatures. Disabling HTML parsing in email clients seems to 
stop the virus from working.


Regards,

Steve Bernard
Sr. Systems Engineer, NET
George Mason University
Fairfax, Virginia



More information about the unisog mailing list