[unisog] New virus???

Raoul Armfield armfield at amnh.org
Mon Aug 4 17:15:24 GMT 2003


beg to differ, Virus definitions dated 8/1/03 for Norton AV correctly
identifies the attachment as the W32.Mimail.A at mm virus.

Make sure your defs are uptodate.

Raoul

:-----Original Message-----
:From: Steve Bernard [mailto:sbernard at gmu.edu] 
:Sent: Friday, August 01, 2003 3:08 PM
:To: unisog at sans.org
:Subject: [unisog] New virus???
:
:
:We are beginning to see an email-based virus spreading in our
network. 
:The originator seems to be from a locally compromised machine. 
:Email is 
:being generated in the name of the account "admin@" and purports that

:the user's IP has been changed. An accompanying attachment, 
:"message.zip" is an HTML file with the binary file, "foo.exe", in the

:header portion. A script with function "malware()" is repeated 
:multiple 
:times, each calling "foo.exe".  So far what I know is that the virus 
:spreads itself when "message.zip" is read by reading at least one 
:address in the user's address book. The scripting is easy to 
:understand 
:but, "foo.exe" is compiled. This virus is *not* recognized by 
:the latest 
:Norton AV signatures. Disabling HTML parsing in email clients seems
to 
:stop the virus from working.
:
:
:Regards,
:
:Steve Bernard
:Sr. Systems Engineer, NET
:George Mason University
:Fairfax, Virginia
:
:



More information about the unisog mailing list