[unisog] New virus - not caught by central servers (fwd)
brennan at columbia.edu
Mon Jul 26 20:15:39 GMT 2004
Yes, something started happening this morning.
Stopped by rejecting mail with executables and zip files.
Stopped by rejecting mail with envelope sender set to
<postmaster at yourdomain> and <mailer-daemon at yourdomain>. E.g. we
reject mail claiming to be from <postmaster at columbia.edu> and
<mailer-daemon at columbia.edu>. This has caught several Mydoom
variants and some other fakery-- worth doing.
The one thing we are seeing here is bounces of mail from
non-columbia.edu hosts that were willing to relay mail e.g.
from postmaster at columbia.edu to an address here; we reject
the mail from postmaster but then postmaster gets the bounce.
Academic Technologies Group, Academic Information Systems (AcIS)
Columbia University in the City of New York
--On Monday, July 26, 2004 12:40 PM -0500 Brian Haskell
<haskell at tc.umn.edu> wrote:
>> From the U Minnesota computer gurus:
> ---------- Forwarded message ----------
> Date: Mon, 26 Jul 2004 11:22:31 -0500 (CDT)
> Subject: New virus - not caught by central servers
> Hey all,
> There's a new virus out, which isn't yet caught by the central servers.
> Please don't open any attachments you're not expecting! More details
> ---------- Forwarded message ----------
> Date: Mon, 26 Jul 2004 11:14:21 -0500
> From: Brian Eckman <eckman at umn.edu>
> Reply-To: "umn-antivirus: Forum for exchanging information about fighting
> computer viruses" <UMN-ANTIVIRUS at LISTS.UMN.EDU>
> To: UMN-ANTIVIRUS at LISTS.UMN.EDU
> Subject: [Fwd: Counterpane Internet Security; Virus Alert; MyDoom.M;
> We are starting to see this on campus. AFAIK, the central servers cannot
> detect this as virus signatures don't seem to have been released yet....
> COUNTERPANE REFERENCE CIS20040726-1
> TITLE MyDoom.M
> DATE DISCOVERED July 13, 2004
> VULNERABILITY/EVENT SUMMARY
> Counterpane has received information pertaining to a Windows-based
> variant of the MyDoom worm, known as MyDoom.M, that spreads via email
> using SMTP. The variant harvests recipient email addresses from the
> infected system and also fakes the sender address using the same
> harvested list. This worm is being called 'MyDoom.o' by McAfee.
> THREAT CLASSIFICATION
> The MyDoom variant is currently being sent through the mail systems
> utilizing the following Subject lines:
> The original message was included as attachment
> The/Your m/Message could not be delivered
> hi error
> delivery failed
> Message could not be delivered
> Mail System Error - Returned Mail
> Delivery reports about your e-mail
> Returned mail: see transcript for details
> Returned mail: Data format error
> The variant also contains an attachment that comes in the form of a
> .zip, .com, .scr, .exe, .pif, or .bat file. The filename is
> delivered as a variation of the destination domain. (i.e. an
> attachment being sent to help at yourdomain.org could appear as
> help at yourdomain.zip, yourdomain.exe or some other variation of this
> naming scheme)
> Review the links provided below for updated information as additional
> details become available.
> POSSIBLE MITIGATION
> Ensure that all systems are deploying updated virus protection
> REFERENCE INFORMATION/VENDOR/CVE/BUGTRAQ
> COUNTERPANE RESPONSE
> Counterpane is continuing to monitor this situation. Counterpane has
> seen minimal impact across the customer base at the time of
> publication. For customers using Counterpane's Firewall/IDS Device
> Management, or Active Response, configurations have been verified or
> updated based on business guidelines that are in place.
> Counterpane Internet Security is happy to answer any questions you
> may have regarding this report, and we thank you for your continued
> Counterpane Customer Service: 1-888-710-8171
> LEGAL NOTICES
> Copyright (c) 2004 Counterpane Internet Security
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of Counterpane. If you wish to reprint the whole or
> any part of this alert in any other medium other than electronically,
> please email customerservice at counterpane.com for permission.
> Disclaimer: The information contained within this Security Alert is
> provided for informational purposes and without warranty. Counterpane
> recommends consulting your security policy when responding to this or
> any security-related event. Counterpane also recommends testing any
> vendor-recommended countermeasures prior to their deployment in a
> production environment. The information in the advisory is believed
> to be accurate at the time of publishing based on currently available
> information. Use of the information constitutes acceptance for use in
> an AS IS condition. There are no warranties with regard to this
> information. Neither the author nor the publisher accepts any
> liability for any direct, indirect, or consequential loss or damage
> arising from use of, or reliance on, this information.
> Brian Eckman
> Security Analyst
> OIT Security and Assurance
> University of Minnesota
> "There are 10 types of people in this world. Those who
> understand binary and those who don't."
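The filtering described in this thread (the reply's rule rejecting envelope senders that forge the local postmaster/mailer-daemon plus any executable or zip attachment, and the Counterpane alert's list of bounce-style subjects and recipient-domain-derived attachment names) as one policy check. This is an added example, not code from either poster or from Counterpane; example.edu stands in for the local domain, and treating the first label of the recipient's domain as the "variation" the alert mentions is an assumption.

```python
import os
from email.utils import parseaddr

# Constructed policy for one local domain; example.edu stands in for the
# author's columbia.edu. Sets below are taken from the thread.
LOCAL_DOMAIN = "example.edu"
FORGED_LOCAL_SENDERS = {"postmaster", "mailer-daemon"}            # reply's rule
EXEC_EXTENSIONS = {".zip", ".com", ".scr", ".exe", ".pif", ".bat"}  # alert
BOUNCE_SUBJECTS = {                                                 # alert, lowercased
    "hi error", "delivery failed", "message could not be delivered",
    "mail system error - returned mail", "delivery reports about your e-mail",
    "returned mail: see transcript for details", "returned mail: data format error",
}

def split_address(addr_spec: str):
    """Return (localpart, domain) lowercased; ('', '') for the null sender <>."""
    _, addr = parseaddr(addr_spec)
    local, _, domain = addr.rpartition("@")
    return local.lower(), domain.lower()

def envelope_sender_is_forged(mail_from: str) -> bool:
    """MAIL FROM claims to be our own postmaster/mailer-daemon. Genuine
    bounces (DSNs) use the null reverse-path <>, so they are not caught here."""
    local, domain = split_address(mail_from)
    return local in FORGED_LOCAL_SENDERS and domain == LOCAL_DOMAIN

def attachment_named_for_recipient(filename: str, rcpt_to: str) -> bool:
    """Dangerous extension plus a stem built from the recipient's domain
    (help@yourdomain.zip, yourdomain.exe). Matching the first domain label
    is an assumption about what 'variation' means in the alert."""
    stem, ext = os.path.splitext(filename.lower())
    if ext not in EXEC_EXTENSIONS:
        return False
    _, rcpt_domain = split_address(rcpt_to)
    first_label = rcpt_domain.split(".")[0]
    return bool(first_label) and first_label in stem

def smtp_verdict(mail_from: str, rcpt_to: str, subject: str, attachments):
    """Decide one message. Order mirrors the thread: forged local sender
    first, then any executable/zip attachment (rejected outright, as in the
    reply); a bounce-style subject alone is only flagged for logging."""
    if envelope_sender_is_forged(mail_from):
        return "reject", "envelope sender forges local postmaster/mailer-daemon"
    for name in attachments:
        if attachment_named_for_recipient(name, rcpt_to):
            return "reject", f"worm-style attachment named after recipient: {name}"
        if os.path.splitext(name.lower())[1] in EXEC_EXTENSIONS:
            return "reject", f"executable or zip attachment: {name}"
    if subject.strip().lower() in BOUNCE_SUBJECTS:
        return "flag", "bounce-style subject without executable payload"
    return "accept", ""
```

Because real non-delivery reports arrive with an empty reverse-path, this rule leaves them alone; it does nothing about the backscatter the reply describes, where a third-party relay accepts the forged message and then bounces it to the real postmaster.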