[unisog] New virus - not caught by central servers (fwd)

Joseph Brennan brennan at columbia.edu
Mon Jul 26 20:15:39 GMT 2004

Yes, something started happening this morning.

Stopped by rejecting mail with executables and zip files.

Stopped by rejecting mail with envelope sender set to
<postmaster at yourdomain> and <mailer-daemon at yourdomain>.  E.g. we
reject mail claiming to be from <postmaster at columbia.edu> and
<mailer-daemon at columbia.edu>.  This has caught several Mydoom
variants and some other fakery-- worth doing.

The one thing we are seeing here is bounces of mail from
non-columbia.edu hosts that were willing to relay mail e.g.
from postmaster at columbia.edu to an address here; we reject
the mail from postmaster but then postmaster gets the bounce.

Joseph Brennan
Academic Technologies Group, Academic Information Systems (AcIS)
Columbia University in the City of New York

--On Monday, July 26, 2004 12:40 PM -0500 Brian Haskell 
<haskell at tc.umn.edu> wrote:

> From the U Minnesota computer gurus:
> ---------- Forwarded message ----------
> Date: Mon, 26 Jul 2004 11:22:31 -0500 (CDT)
> Subject: New virus - not caught by central servers
> Hey all,
> There's a new virus out, which isn't yet caught by the central servers.
> Please don't open any attachments you're not expecting! More details
> below.
> ---------- Forwarded message ----------
> Date: Mon, 26 Jul 2004 11:14:21 -0500
> From: Brian Eckman <eckman at umn.edu>
> Reply-To: "umn-antivirus: Forum for exchanging information about fighting
>                computer viruses" <UMN-ANTIVIRUS at LISTS.UMN.EDU>
> Subject: [Fwd: Counterpane Internet Security; Virus Alert; MyDoom.M;
>           CIS20040726-1]
> We are starting to see this on campus. AFAIK, the central servers cannot
> detect this as virus signatures don't seem to have been released yet....
> Brian
> TITLE                           MyDoom.M
> DATE DISCOVERED         July 13, 2004
> Counterpane has received information pertaining to a Windows-based
> variant of the MyDoom worm, known as MyDoom.M, that spreads via email
> using SMTP.  The variant harvests recipient email addresses from the
> infected system and also fakes the sender address using the same
> harvested list.  This worm is being called 'MyDoom.o' by McAfee.
> Virus/Worm
> The MyDoom variant is currently being sent through the mail systems
> utilizing the following Subject lines:
>          The original message was included as attachment
>          The/Your m/Message could not be delivered
>          hello
>          hi error
>          status
>          test
>          report
>          delivery failed
>          Message could not be delivered
>          Mail System Error - Returned Mail
>          Delivery reports about your e-mail
>          Returned mail: see transcript for details
>          Returned mail: Data format error
> The variant also contains an attachment that comes in the form of a
> .zip, .com, .scr, .exe, .pif, or .bat file.  The filename is
> delivered as a variation of the destination domain.  (i.e. an
> attachment being sent to help at yourdomain.org could appear as
> help at yourdomain.zip, yourdomain.exe or some other variation of this
> naming scheme)
> Review the links provided below for updated information as additional
> details become available.
> Ensure that all systems are deploying updated virus protection
> software.
> http://vil.nai.com/vil/content/v_127033.htm
> http://www.f-secure.com/v-descs/mydoom_m.shtml
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_M
> Counterpane is continuing to monitor this situation.  Counterpane has
> seen minimal impact across the customer base at the time of
> publication.  For customers using Counterpane's Firewall/IDS Device
> Management, or Active Response, configurations have been verified or
> updated based on business guidelines that are in place.
> Counterpane Internet Security is happy to answer any questions you
> may have regarding this report, and we thank you for your continued
> support.
> Counterpane Customer Service: 1-888-710-8171
> Copyright (c) 2004 Counterpane Internet Security
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of Counterpane. If you wish to reprint the whole or
> any part of this alert in any other medium other than electronically,
> please email customerservice at counterpane.com for permission.
> Disclaimer: The information contained within this Security Alert is
> provided for informational purposes and without warranty. Counterpane
> recommends consulting your security policy when responding to this or
> any security-related event. Counterpane also recommends testing any
> vendor-recommended countermeasures prior to their deployment in a
> production environment. The information in the advisory is believed
> to be accurate at the time of publishing based on currently available
> information. Use of the information constitutes acceptance for use in
> an AS IS condition.  There are no warranties with regard to this
> information. Neither the author nor the publisher accepts any
> liability for any direct, indirect, or consequential loss or damage
> arising from use of, or reliance on, this information.
> --
> Brian Eckman
> Security Analyst
> OIT Security and Assurance
> University of Minnesota
> "There are 10 types of people in this world. Those who
> understand binary and those who don't."
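An added example, not code from this thread or from any of the sites mentioned, that turns the two rejection rules Brennan describes (spoofed postmaster/mailer-daemon envelope sender for our own domain; executable and zip attachments) and the advisory's note that the worm names its attachment after the destination domain into a small gateway check. The domain example.edu and the sample message are constructed.

```python
import email
from email.utils import parseaddr

# Attachment types listed in the Counterpane advisory.
BLOCKED_EXTENSIONS = {".zip", ".com", ".scr", ".exe", ".pif", ".bat"}
# Local parts that should never arrive from outside as envelope sender for our own domain.
SPOOFED_LOCALPARTS = {"postmaster", "mailer-daemon"}

def rejects_envelope_sender(mail_from, local_domain):
    """Brennan's rule: reject MAIL FROM <postmaster@ourdomain> or <mailer-daemon@ourdomain>."""
    _, addr = parseaddr(mail_from)
    local, _, domain = addr.lower().rpartition("@")
    return domain == local_domain.lower() and local in SPOOFED_LOCALPARTS

def blocked_attachments(msg, rcpt_domain):
    """Return (filename, reason) for each attachment these checks would reject."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        lowered = name.lower()
        ext = "." + lowered.rsplit(".", 1)[-1] if "." in lowered else ""
        if ext in BLOCKED_EXTENSIONS:
            hits.append((name, "blocked extension " + ext))
        elif rcpt_domain.lower() in lowered:
            # Advisory: the worm names its attachment after the destination domain.
            hits.append((name, "named after recipient domain"))
    return hits

def filter_message(mail_from, raw, local_domain):
    """Return a rejection reason, or None if the message passes both checks."""
    if rejects_envelope_sender(mail_from, local_domain):
        return "spoofed envelope sender " + mail_from
    hits = blocked_attachments(email.message_from_bytes(raw), local_domain)
    return "attachment %s: %s" % hits[0] if hits else None

# Constructed sample (hypothetical domain): a MyDoom-style fake bounce carrying a domain-named .zip.
SAMPLE = b"""From: postmaster@example.edu
To: help@example.edu
Subject: Returned mail: see transcript for details
Content-Type: multipart/mixed; boundary="xx"

--xx
Content-Type: application/octet-stream; name="example.edu.zip"
Content-Disposition: attachment; filename="example.edu.zip"

UEsDBAo=
--xx--
"""
```

The envelope sender is checked separately from the From: header because, as Brennan notes, the rule applies to the SMTP envelope; a null sender `<>` on a genuine bounce passes the first check.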
