[unisog] New virus???
armfield at amnh.org
Mon Aug 4 17:15:24 GMT 2003
Beg to differ. Virus definitions dated 8/1/03 for Norton AV correctly
identify the attachment as the W32.Mimail.A@mm virus.
Make sure your defs are up to date.
:From: Steve Bernard [mailto:sbernard at gmu.edu]
:Sent: Friday, August 01, 2003 3:08 PM
:To: unisog at sans.org
:Subject: [unisog] New virus???
:We are beginning to see an email-based virus spreading in our
:The originator seems to be from a locally compromised machine.
:being generated in the name of the account "admin@" and purports that
:the user's IP has been changed. An accompanying attachment,
:"message.zip" is an HTML file with the binary file, "foo.exe", in the
:header portion. A script with function "malware()" is repeated
:times, each calling "foo.exe". So far what I know is that the virus
:spreads itself when "message.zip" is read by reading at least one
:address in the user's address book. The scripting is easy to
:but, "foo.exe" is compiled. This virus is *not* recognized by
:Norton AV signatures. Disabling HTML parsing in email clients seems
:stop the virus from working.
:Sr. Systems Engineer, NET
:George Mason University
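
A gateway-side check for the attachment shape described in the quoted report (a zip attachment holding an HTML file that carries script), as an added example that is not part of either poster's message. The function names, the size cap, the member name "message.html" and the sample addresses are assumptions, and the sample mail is constructed.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

SCRIPT_RE = re.compile(rb"<\s*script\b", re.IGNORECASE)
HTML_EXT = (".htm", ".html")
MAX_MEMBER = 2 * 1024 * 1024  # assumed cap on bytes read per archive member


def scripted_html_in_zips(raw_message: bytes) -> list:
    """Return (attachment, member) pairs for HTML files with a <script> tag inside zip attachments."""
    hits = []
    for part in message_from_bytes(raw_message).walk():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            archive = zipfile.ZipFile(io.BytesIO(payload))
        except zipfile.BadZipFile:
            continue  # not a readable zip; leave it to other filters
        for info in archive.infolist():
            if info.flag_bits & 0x1:  # encrypted member, cannot be inspected here
                continue
            if not info.filename.lower().endswith(HTML_EXT):
                continue
            with archive.open(info) as member:
                data = member.read(MAX_MEMBER)
            if SCRIPT_RE.search(data):
                hits.append((name, info.filename))
    return hits


def build_sample(html: bytes) -> bytes:
    """Constructed sample mail: message.zip holding a single HTML file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("message.html", html)  # member name is an assumption
    msg = EmailMessage()
    msg["From"] = "admin@example.edu"
    msg["To"] = "user@example.edu"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scripted_html_in_zips(build_sample(b"<html><script>function f(){}</script></html>")))
```
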