[unisog] New virus

PaulFM paulfm at me.umn.edu
Tue Dec 6 16:53:46 GMT 2005


Report it here:
https://forms.us-cert.gov/report/


Since it connects to a specific machine, they may be able to track down the 
person responsible.


Goverts IV, Paul wrote:
> I was wondering if anyone had seen anything like this today....
>
> We have been seeing a new virus going around this morning that is coming
> in via an email appearing to be from "webmaster" "register" and "admin"
> @(WhateverDomainIsBeingTargeted).  It tells users to click on the
> attachment which is an .scr file disguised as an .htm file (inside a zip
> file).  When the attachment is run, the virus disables Symantec
> Antivirus, Task Manager, and Ethereal.  It then runs a program
> (C:\Windows\system32\Win32IMAPSVR.EXE) which opens a connection to
> 208.57.228.66:27999 apparently to wait for instructions.  Our GFI
> antivirus on our mail servers didn't start filtering this out until
> about 8:30am this morning, and the latest definitions from Symantec
> (11/21/05 rev 6) do not detect this yet. Anyone else seeing this?
>
> Paul
>
> Paul Goverts IV
> Computer Services
> St. John Fisher College
> Rochester, NY 14618
> 
> "Ask yourself - Where are you going?  Who is going with you?"  -- "Col."
> Gordon Shay

-- 
---------------------------------------------------------------------
The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
---------------------------------------------------------------------
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
---------------------------------------------------------------------
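
The quoted report describes an .scr file inside a zip, disguised as an .htm file; a mail gateway can catch that by inspecting archive member names before delivery. The following is an added example, not part of the original thread. It assumes the disguise is a double extension (optionally padded with spaces), and the extension sets and function names are illustrative.

```python
import io
import zipfile

# Extensions Windows executes directly. The post names .scr; the rest of this
# set is an assumption added for the example.
EXECUTABLE_EXT = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
# Extensions a user reads as a harmless document. The post names .htm.
DECOY_EXT = {".htm", ".html", ".txt", ".doc", ".pdf"}


def risky_members(zip_bytes):
    """Return (member_name, reason) for each archive member that would execute."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Assumption: padding spaces may sit between the decoy and the
            # real extension, so strip each dot-separated part.
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = [p.strip() for p in base.split(".")]
            if len(parts) < 2:
                continue
            real = "." + parts[-1]
            if real not in EXECUTABLE_EXT:
                continue
            decoy = "." + parts[-2] if len(parts) > 2 else ""
            if decoy in DECOY_EXT:
                findings.append((info.filename, f"{real} disguised as {decoy}"))
            else:
                findings.append((info.filename, f"executable {real}"))
    return findings


def build_sample_zip(names):
    """Constructed test input: an in-memory zip with harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in names:
            archive.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(["account-details.htm      .scr", "readme.txt"])
    for name, reason in risky_members(sample):
        print(f"BLOCK {name!r}: {reason}")
```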

