[unisog] New virus

Stasiniewicz, Adam stasinia at msoe.edu
Tue Dec 6 16:54:35 GMT 2005


Sounds like the latest Mytob.

Also, a great day-zero defense against this is Sender Policy Framework (SPF).  Especially on the ones that appear to come from your own domain.  For more info visit: http://www.openspf.org/  

Regards,
Adam Stasiniewicz
Computer and Communication Services Department 
Milwaukee School of Engineering

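To show what the SPF check Adam recommends actually does against mail that claims to come from your own domain, here is a small SPF evaluator. It is an added example, not code from this thread or from openspf.org; it assumes a constructed domain `example.edu`, RFC 5737 documentation addresses, and TXT records supplied in a dict instead of live DNS so it runs offline.

```python
"""Minimal SPF evaluator (a subset of RFC 7208): ip4, ip6, include and all.

Added example, not from the thread. DNS TXT answers come from a dict
(constructed below) rather than real DNS lookups, so this runs offline.
"""
import ipaddress

# Constructed sample zone: what the targeted domain would publish in DNS TXT records.
SAMPLE_DNS = {
    "example.edu": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.edu -all",
    "_spf.example.edu": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, dns=SAMPLE_DNS, depth=0):
    """SPF result for a message whose MAIL FROM is @domain, delivered from client_ip."""
    if depth > 10:  # RFC 7208 bounds include recursion so loops cannot spin forever
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no policy; receiver cannot judge
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all: "-all" rejects everything unmatched
        if name in ("ip4", "ip6"):
            # membership test is False when address families differ, so ip6 terms
            # never match an IPv4 client and vice versa
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced domain's policy yields "pass"
            if check_spf(arg, client_ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # a, mx, exists, ... are outside this subset
    return "neutral"  # nothing matched and no "all" term present


if __name__ == "__main__":
    # legitimate relay, host authorized via include, and a spoofing outside host
    for sender in ("192.0.2.25", "198.51.100.10", "203.0.113.7"):
        print(sender, check_spf("example.edu", sender))
```

SPF evaluates the envelope sender (MAIL FROM) and HELO identity, not the visible From: header, and a `-all` record only stops spoofed "admin@yourdomain" mail if the receiving MTA actually enforces the result.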

_______________________________________
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org] On Behalf Of Goverts IV, Paul
Sent: Tuesday, November 22, 2005 9:18 AM
To: unisog at lists.sans.org
Subject: [unisog] New virus

I was wondering if anyone had seen anything like this today....

We have been seeing a new virus going around this morning that is coming in via an email appearing to be from "webmaster" "register" and "admin" @(WhateverDomainIsBeingTargeted).  It tells users to click on the attachment which is an .scr file disguised as an .htm file (inside a zip file).  When the attachment is run, the virus disables Symantec Antivirus, Task Manager, and Ethereal.  It then runs a program (C:\Windows\system32\Win32IMAPSVR.EXE) which opens a connection to 208.57.228.66:27999 apparently to wait for instructions.  Our GFI antivirus on our mail servers didn't start filtering this out until about 8:30am this morning, and the latest definitions from Symantec (11/21/05 rev 6) do not detect this yet. Anyone else seeing this?

Paul

Paul Goverts IV
Computer Services
St. John Fisher College
Rochester, NY 14618

"Ask yourself - Where are you going?  Who is going with you?"  -- "Col." Gordon Shay
