[unisog] New virus - not caught by central servers (fwd)

Brian Haskell haskell at tc.umn.edu
Mon Jul 26 17:40:30 GMT 2004


From the U Minnesota computer gurus:

---------- Forwarded message ----------
Date: Mon, 26 Jul 2004 11:22:31 -0500 (CDT)
Subject: New virus - not caught by central servers


Hey all,

There's a new virus out, which isn't yet caught by the central servers.
Please don't open any attachments you're not expecting! More details
below.

---------- Forwarded message ----------
Date: Mon, 26 Jul 2004 11:14:21 -0500
From: Brian Eckman <eckman at umn.edu>
Reply-To: "umn-antivirus: Forum for exchanging information about fighting
               computer viruses" <UMN-ANTIVIRUS at LISTS.UMN.EDU>
To: UMN-ANTIVIRUS at LISTS.UMN.EDU
Subject: [Fwd: Counterpane Internet Security; Virus Alert; MyDoom.M;
          CIS20040726-1]

We are starting to see this on campus. AFAIK, the central servers cannot
detect this as virus signatures don't seem to have been released yet....


Brian

COUNTERPANE REFERENCE   CIS20040726-1


TITLE                           MyDoom.M


DATE DISCOVERED         July 13, 2004


VULNERABILITY/EVENT SUMMARY

Counterpane has received information pertaining to a Windows-based
variant of the MyDoom worm, known as MyDoom.M, that spreads via email
using SMTP.  The variant harvests recipient email addresses from the
infected system and also fakes the sender address using the same
harvested list.  This worm is being called 'MyDoom.o' by McAfee.


THREAT CLASSIFICATION

Virus/Worm


ANALYSIS

The MyDoom variant is currently being sent through the mail systems
utilizing the following Subject lines:

         The original message was included as attachment
         The/Your m/Message could not be delivered
         hello
         hi
         error
         status
         test
         report
         delivery failed
         Message could not be delivered
         Mail System Error - Returned Mail
         Delivery reports about your e-mail
         Returned mail: see transcript for details
         Returned mail: Data format error

The variant also contains an attachment that comes in the form of a
.zip, .com, .scr, .exe, .pif, or .bat file.  The filename is
delivered as a variation of the destination domain.  (i.e. an
attachment being sent to help at yourdomain.org could appear as
help at yourdomain.zip, yourdomain.exe or some other variation of this
naming scheme)

Review the links provided below for updated information as additional
details become available.


POSSIBLE MITIGATION

Ensure that all systems are deploying updated virus protection
software.


REFERENCE INFORMATION/VENDOR/CVE/BUGTRAQ

http://vil.nai.com/vil/content/v_127033.htm
http://www.f-secure.com/v-descs/mydoom_m.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.M


COUNTERPANE RESPONSE

Counterpane is continuing to monitor this situation.  Counterpane has
seen minimal impact across the customer base at the time of
publication.  For customers using Counterpane's Firewall/IDS Device
Management, or Active Response, configurations have been verified or
updated based on business guidelines that are in place.

Counterpane Internet Security is happy to answer any questions you
may have regarding this report, and we thank you for your continued
support.

Counterpane Customer Service: 1-888-710-8171


LEGAL NOTICES

Copyright (c) 2004 Counterpane Internet Security

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of Counterpane. If you wish to reprint the whole or
any part of this alert in any other medium other than electronically,
please email customerservice at counterpane.com for permission.

Disclaimer: The information contained within this Security Alert is
provided for informational purposes and without warranty. Counterpane
recommends consulting your security policy when responding to this or
any security-related event. Counterpane also recommends testing any
vendor-recommended countermeasures prior to their deployment in a
production environment. The information in the advisory is believed
to be accurate at the time of publishing based on currently available
information. Use of the information constitutes acceptance for use in
an AS IS condition.  There are no warranties with regard to this
information. Neither the author nor the publisher accepts any
liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQQUtDy1c2J4oiDLuEQI1hgCgrYqueKXBOtKwSYX6Ci1brnFOgJsAoMxs
KD5bgM9Lv9UB+NArVq1YSLB+
=P6Gd
-----END PGP SIGNATURE-----


--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

"There are 10 types of people in this world. Those who
understand binary and those who don't."
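The alert above lists three things a mail gateway can key on while signatures are still missing: a fixed set of subject lines, an attachment with a .zip/.com/.scr/.exe/.pif/.bat extension, and an attachment named after the recipient's own domain. As an added example (not part of the original alert, and not University of Minnesota or Counterpane tooling), the Python below turns those indicators into a quarantine rule and runs it over a few constructed messages. The `Message` type, the function names and the sample traffic are all constructed for this example; the subject list treats "hi" and "error" from the alert as two separate subjects.

```python
"""Gateway-side detection of the MyDoom.M indicators from the alert.

Added example, not the alert's or the university's own code. It checks a
subject against the worm's fixed list, flags executable-style attachment
types, and spots an attachment named after the recipient's domain (e.g.
help@yourdomain.org receiving 'yourdomain.exe' or 'help@yourdomain.zip').
"""
import re
from typing import List, NamedTuple, Set

# Subject lines reported in the alert, compared case-insensitively.
MYDOOM_M_SUBJECTS = {
    "hello", "hi", "error", "status", "test", "report", "delivery failed",
    "message could not be delivered",
    "mail system error - returned mail",
    "delivery reports about your e-mail",
    "returned mail: see transcript for details",
    "returned mail: data format error",
}

# Attachment types named in the alert.
RISKY_EXTENSIONS = {".zip", ".com", ".scr", ".exe", ".pif", ".bat"}


class Message(NamedTuple):          # constructed for this example
    rcpt: str                       # envelope recipient, e.g. help@yourdomain.org
    subject: str
    attachments: List[str]          # attachment filenames as declared in MIME


def domain_labels(rcpt: str) -> Set[str]:
    """Recipient domain plus its non-TLD labels, lower-cased.

    help@yourdomain.org -> {"yourdomain.org", "yourdomain"}
    """
    domain = rcpt.rsplit("@", 1)[-1].lower()
    labels = {domain}
    parts = domain.split(".")
    if len(parts) > 1:
        labels.update(parts[:-1])
    return labels


def attachment_reasons(name: str, rcpt: str) -> List[str]:
    """Indicators matched by one attachment filename."""
    reasons = []
    lowered = name.lower()
    m = re.search(r"(\.[a-z0-9]+)$", lowered)
    ext = m.group(1) if m else ""
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"risky attachment type {ext}")
        stem = lowered[: -len(ext)]
        stem = stem.rsplit("@", 1)[-1]      # drop a leading local part such as 'help@'
        if stem in domain_labels(rcpt):
            reasons.append("attachment named after recipient domain")
    return reasons


def score_message(msg: Message) -> List[str]:
    """All indicator matches for a message; empty list means nothing matched."""
    reasons = []
    if msg.subject.strip().lower() in MYDOOM_M_SUBJECTS:
        reasons.append(f"known MyDoom.M subject: {msg.subject!r}")
    for att in msg.attachments:
        reasons.extend(attachment_reasons(att, msg.rcpt))
    return reasons


def should_quarantine(msg: Message) -> bool:
    """Quarantine on a domain-named risky attachment, or on a listed subject
    that arrives together with a risky attachment type. A listed subject on
    its own is left alone: real bounces use the same wording."""
    reasons = score_message(msg)
    has_subject = any(r.startswith("known MyDoom.M subject") for r in reasons)
    has_risky = any(r.startswith("risky attachment") for r in reasons)
    named_after_domain = any("named after recipient domain" in r for r in reasons)
    return named_after_domain or (has_subject and has_risky)


# Constructed sample traffic for a stand-alone run.
SAMPLES = [
    Message("help@yourdomain.org", "Returned mail: see transcript for details",
            ["yourdomain.exe"]),
    Message("help@yourdomain.org", "hello", ["help@yourdomain.zip"]),
    Message("alice@yourdomain.org", "Quarterly report", ["q2-figures.pdf"]),
    Message("bob@yourdomain.org", "test", []),   # bare subject, no attachment
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(should_quarantine(sample), score_message(sample))
```

The rule deliberately requires more than a matching subject before quarantining: most of the listed subjects are ordinary bounce wording, so subject alone would catch legitimate delivery reports. The domain-derived attachment name is the stronger indicator and is enough on its own.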


