[unisog] New virus???
jmorris at cac.washington.edu
Mon Aug 4 16:42:50 GMT 2003
Sounds like the Mimail virus that started making its rounds last week.
NAI's page on it is at http://vil.nai.com/vil/content/v_100523.htm.
NDC Systems Management
University of Washington
From: Steve Bernard [mailto:sbernard at gmu.edu]
Sent: Friday, August 01, 2003 12:08
To: unisog at sans.org
Subject: [unisog] New virus???
We are beginning to see an email-based virus spreading in our network.
The originator seems to be from a locally compromised machine. Email is
being generated in the name of the account "admin@" and purports that
the user's IP has been changed. An accompanying attachment,
"message.zip" is an HTML file with the binary file, "foo.exe", in the
header portion. A script with function "malware()" is repeated multiple
times, each calling "foo.exe". So far what I know is that the virus
spreads itself when "message.zip" is read by reading at least one
address in the user's address book. The scripting is easy to understand,
but "foo.exe" is compiled. This virus is *not* recognized by the latest
Norton AV signatures. Disabling HTML parsing in email clients seems to
stop the virus from working.
Sr. Systems Engineer, NET
George Mason University
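
Added example, not part of either message: a mail-gateway triage check for the indicators in the report above (sender "admin@", attachment "message.zip", HTML that references "malware()" and "foo.exe"), useful while AV signatures lag. The sample message, the member name message.html, the example.edu address and the size limit are constructed assumptions; the attachment is scanned both as a real archive and as bare HTML because the report does not say which it is.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the report above.
SENDER_PREFIX = "admin@"
ATTACHMENT_NAME = "message.zip"
MARKERS = (b"malware(", b"foo.exe")
MAX_MEMBER = 1_000_000  # skip oversized archive members (assumed limit)


def scan_payload(payload: bytes) -> list[str]:
    """Search the attachment, or its archive members if it is a real zip."""
    bodies = {ATTACHMENT_NAME: payload}
    if zipfile.is_zipfile(io.BytesIO(payload)):
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            bodies = {i.filename: zf.read(i) for i in zf.infolist()
                      if i.file_size <= MAX_MEMBER}
    return [f"{m.decode()} in {name}" for name, body in bodies.items()
            for m in MARKERS if m in body.lower()]


def triage(raw: bytes) -> list[str]:
    """Return the indicators from the report that a raw RFC 822 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    hits = ["sender admin@"] if sender.startswith(SENDER_PREFIX) else []
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == ATTACHMENT_NAME:
            hits.append("attachment message.zip")
            hits.extend(scan_payload(part.get_payload(decode=True) or b""))
    return hits


def build_sample(as_zip: bool = True) -> bytes:
    """Constructed, inert sample; the member name message.html is an assumption."""
    html = b"<html><script>function malware(){ /* foo.exe */ }</script></html>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("message.html", html)
    msg = EmailMessage()
    msg["From"] = "admin@example.edu"
    msg.set_content("constructed sample")
    msg.add_attachment(buf.getvalue() if as_zip else html, maintype="application",
                       subtype="zip", filename=ATTACHMENT_NAME)
    return msg.as_bytes()
```

A message matching several indicators at once is a candidate for quarantine; any single substring hit on its own is only a hint.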