[unisog] New virus - not caught by central servers (fwd)

Bob Kehr rskehr at ucdavis.edu
Mon Jul 26 19:49:45 GMT 2004


Symantec and Trend Micro already have defs out for this virus. Not sure 
about Counterpane, McAfee, etc.

-Bob Kehr
Univ California, Davis

Brian Haskell wrote:
> From the U Minnesota computer gurus:
> 
> ---------- Forwarded message ----------
> Date: Mon, 26 Jul 2004 11:22:31 -0500 (CDT)
> Subject: New virus - not caught by central servers
> 
> 
> Hey all,
> 
> There's a new virus out, which isn't yet caught by the central servers.
> Please don't open any attachments you're not expecting! More details
> below.
> 
> ---------- Forwarded message ----------
> Date: Mon, 26 Jul 2004 11:14:21 -0500
> From: Brian Eckman <eckman at umn.edu>
> Reply-To: "umn-antivirus: Forum for exchanging information about fighting
>                computer viruses" <UMN-ANTIVIRUS at LISTS.UMN.EDU>
> To: UMN-ANTIVIRUS at LISTS.UMN.EDU
> Subject: [Fwd: Counterpane Internet Security; Virus Alert; MyDoom.M;
>           CIS20040726-1]
> 
> We are starting to see this on campus. AFAIK, the central servers cannot
> detect this as virus signatures don't seem to have been released yet....
> 
> 
> Brian
> 
> COUNTERPANE REFERENCE   CIS20040726-1
> 
> 
> TITLE                           MyDoom.M
> 
> 
> DATE DISCOVERED         July 13, 2004
> 
> 
> VULNERABILITY/EVENT SUMMARY
> 
> Counterpane has received information pertaining to a Windows-based
> variant of the MyDoom worm, known as MyDoom.M, that spreads via email
> using SMTP.  The variant harvests recipient email addresses from the
> infected system and also fakes the sender address using the same
> harvested list.  This worm is being called 'MyDoom.o' by McAfee.
> 
> 
> THREAT CLASSIFICATION
> 
> Virus/Worm
> 
> 
> ANALYSIS
> 
> The MyDoom variant is currently being sent through the mail systems
> utilizing the following Subject lines:
> 
>          The original message was included as attachment
>          The/Your m/Message could not be delivered
>          hello
>          hi error
>          status
>          test
>          report
>          delivery failed
>          Message could not be delivered
>          Mail System Error - Returned Mail
>          Delivery reports about your e-mail
>          Returned mail: see transcript for details
>          Returned mail: Data format error
> 
> The variant also contains an attachment that comes in the form of a
> .zip, .com, .scr, .exe, .pif, or .bat file.  The filename is
> delivered as a variation of the destination domain.  (i.e. an
> attachment being sent to help at yourdomain.org could appear as
> help at yourdomain.zip, yourdomain.exe or some other variation of this
> naming scheme)
> 
> Review the links provided below for updated information as additional
> details become available.
> 
> 
> POSSIBLE MITIGATION
> 
> Ensure that all systems are deploying updated virus protection
> software.
> 
> 
> REFERENCE INFORMATION/VENDOR/CVE/BUGTRAQ
> 
> http://vil.nai.com/vil/content/v_127033.htm
> http://www.f-secure.com/v-descs/mydoom_m.shtml
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.M
> 
> 
> COUNTERPANE RESPONSE
> 
> Counterpane is continuing to monitor this situation.  Counterpane has
> seen minimal impact across the customer base at the time of
> publication.  For customers using Counterpane's Firewall/IDS Device
> Management, or Active Response, configurations have been verified or
> updated based on business guidelines that are in place.
> 
> Counterpane Internet Security is happy to answer any questions you
> may have regarding this report, and we thank you for your continued
> support.
> 
> Counterpane Customer Service: 1-888-710-8171
> 
> 
> LEGAL NOTICES
> 
> Copyright (c) 2004 Counterpane Internet Security
> 
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of Counterpane. If you wish to reprint the whole or
> any part of this alert in any other medium other than electronically,
> please email customerservice at counterpane.com for permission.
> 
> Disclaimer: The information contained within this Security Alert is
> provided for informational purposes and without warranty. Counterpane
> recommends consulting your security policy when responding to this or
> any security-related event. Counterpane also recommends testing any
> vendor-recommended countermeasures prior to their deployment in a
> production environment. The information in the advisory is believed
> to be accurate at the time of publishing based on currently available
> information. Use of the information constitutes acceptance for use in
> an AS IS condition.  There are no warranties with regard to this
> information. Neither the author nor the publisher accepts any
> liability for any direct, indirect, or consequential loss or damage
> arising from use of, or reliance on, this information.
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.1
> 
> iQA/AwUBQQUtDy1c2J4oiDLuEQI1hgCgrYqueKXBOtKwSYX6Ci1brnFOgJsAoMxs
> KD5bgM9Lv9UB+NArVq1YSLB+
> =P6Gd
> -----END PGP SIGNATURE-----
> 
> 
> --
> Brian Eckman
> Security Analyst
> OIT Security and Assurance
> University of Minnesota
> 
> "There are 10 types of people in this world. Those who
> understand binary and those who don't."
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
> 
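As an added example (not part of Bob Kehr's or Brian Eckman's messages, and not Counterpane's code), the following Python script checks a message against the two indicators the alert gives: the listed Subject lines and an attachment named after the recipient's address or domain with an executable extension in place of the top-level domain. The sample messages, the sender address and the payload bytes are constructed for the example; the alert's "The/Your m/Message could not be delivered" entry is expanded into its three readings, and its "hi error" line is kept as written.

```python
"""Mail triage helper for the MyDoom.M indicators in the alert above.
Flags messages whose Subject is one of the listed lines, or whose attachment
name is the recipient's address or bare domain with the TLD swapped for an
executable extension. Sample messages below are constructed, not captures."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Subject lines from the alert, lower-cased. The "The/Your m/Message" entry is
# expanded into its three readings; "hi error" is kept as the alert lists it.
SUSPECT_SUBJECTS = {
    "the original message was included as attachment",
    "the message could not be delivered",
    "your message could not be delivered",
    "message could not be delivered",
    "hello",
    "hi error",
    "status",
    "test",
    "report",
    "delivery failed",
    "mail system error - returned mail",
    "delivery reports about your e-mail",
    "returned mail: see transcript for details",
    "returned mail: data format error",
}
# Attachment extensions named in the alert.
EXEC_EXTS = {"zip", "com", "scr", "exe", "pif", "bat"}


def recipient_stems(to_addr):
    """Filename stems the alert describes for a recipient: the full address and
    the bare domain, each with the top-level domain removed.
    help@yourdomain.org -> {"help@yourdomain", "yourdomain"}"""
    local, _, domain = to_addr.lower().partition("@")
    labels = domain.split(".")
    stem = ".".join(labels[:-1]) if len(labels) > 1 else domain
    return {f"{local}@{stem}", stem}


def subject_matches(subject):
    """Case- and whitespace-insensitive exact match against the subject list."""
    normalised = " ".join((subject or "").lower().split())
    return normalised in SUSPECT_SUBJECTS


def attachment_matches(filename, to_addr):
    """True if the attachment name follows the recipient-derived naming scheme
    and carries one of the executable extensions."""
    base, _, ext = filename.lower().rpartition(".")
    return ext in EXEC_EXTS and base in recipient_stems(to_addr)


def triage(raw_message):
    """Parse an RFC 5322 message and return the list of matched indicators
    (an empty list means nothing from the alert matched)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    to_addr = parseaddr(msg.get("To", ""))[1]
    hits = []
    if subject_matches(msg.get("Subject")):
        hits.append("subject")
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and attachment_matches(name, to_addr):
            hits.append(f"attachment:{name}")
    return hits


def build_sample(subject, to_addr, attachment_name):
    """Construct a sample message (not a real capture) for exercising triage()."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"  # constructed sender
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content("The original message was included as attachment.")
    msg.add_attachment(b"not a real payload", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


# Constructed samples: one matching both indicators, one benign.
SUSPECT_SAMPLE = build_sample("Returned mail: see transcript for details",
                              "help@yourdomain.org", "yourdomain.zip")
BENIGN_SAMPLE = build_sample("Meeting notes", "help@yourdomain.org", "notes.pdf")

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(raw))
```

The subject match is exact after normalisation rather than a substring test, so ordinary mail with "status" somewhere in a longer subject is not flagged; the attachment check is the stronger of the two indicators, since it ties the filename to the specific recipient the way the alert describes.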