[unisog] New virus
stasinia at msoe.edu
Tue Dec 6 16:54:35 GMT 2005
Sounds like the latest Mytob.
Also, a great day-zero defense against this is Sender Policy Framework (SPF). Especially on the ones that appear to come from your own domain. For more info visit: http://www.openspf.org/
Computer and Communication Services Department
Milwaukee School of Engineering
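Added illustration of the SPF check suggested above (not code from either list poster): a minimal evaluator for the ip4/ip6/include/all mechanisms of an SPF record, plus the border-MTA policy that makes it a day-zero defense against mail forged to look like it comes from your own domain. The domains example.edu and mailer.example.net and their records are constructed stand-ins for real TXT lookups so it runs offline.

```python
"""Minimal SPF (RFC 7208) evaluator: decides whether a connecting IP is
authorised to use a given MAIL FROM domain.  Added illustration, not part
of the original list posts; the DNS data below is constructed."""
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# example.edu and mailer.example.net are hypothetical; their records are
# assumptions for this illustration, not real published policies.
FAKE_DNS_TXT = {
    "example.edu": "v=spf1 ip4:192.0.2.0/24 include:mailer.example.net -all",
    "mailer.example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-causing terms at 10 per check


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the domain's SPF record, or None if it publishes none."""
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_spf(client_ip, mail_from_domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate the sender policy of mail_from_domain for client_ip.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = lookup_spf(mail_from_domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if "=" in term.split(":", 1)[0]:
            continue  # modifiers (redirect=, exp=) are not modelled here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # an IPv4 address is never inside an IPv6 network and vice versa
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network is a syntax error
        elif name == "include":
            # Only a "pass" from the included policy counts as a match.
            matched = check_spf(client_ip, arg, dns, depth + 1) == "pass"
        else:
            # a, mx, ptr, exists need live DNS; treat as unsupported here
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


def gateway_verdict(client_ip, mail_from_domain, our_domains, dns=FAKE_DNS_TXT):
    """Border-MTA policy: reject on SPF fail, and be strict about mail that
    claims to be from one of our own domains, since a legitimate internal
    sender should always pass.  Returns "accept" or "reject"."""
    result = check_spf(client_ip, mail_from_domain, dns)
    if result == "fail":
        return "reject"
    if mail_from_domain.lower() in our_domains and result != "pass":
        return "reject"
    return "accept"
```

The second rule in gateway_verdict is the point of the advice above: a worm forging "webmaster@yourdomain" from an infected host elsewhere connects from an IP your own record does not list, so it fails (or softfails) and is refused at the border without any signature update. The caveat is that your own record must list every legitimate outbound relay, including hosted mailers, or real mail is refused too.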
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org] On Behalf Of Goverts IV, Paul
Sent: Tuesday, November 22, 2005 9:18 AM
To: unisog at lists.sans.org
Subject: [unisog] New virus
I was wondering if anyone had seen anything like this today....
We have been seeing a new virus going around this morning that is coming in via an email appearing to be from "webmaster" "register" and "admin" @(WhateverDomainIsBeingTargeted). It tells users to click on the attachment which is an .scr file disguised as an .htm file (inside a zip file). When the attachment is run, the virus disables Symantec Antivirus, Task Manager, and Ethereal. It then runs a program (C:\Windows\system32\Win32IMAPSVR.EXE) which opens a connection to 188.8.131.52:27999 apparently to wait for instructions. Our GFI antivirus on our mail servers didn't start filtering this out until about 8:30am this morning, and the latest definitions from Symantec (11/21/05 rev 6) do not detect this yet. Anyone else seeing this?
Paul Goverts IV
St. John Fisher College
Rochester, NY 14618
"Ask yourself - Where are you going? Who is going with you?" -- "Col." Gordon Shay
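Added illustration, not the original poster's tooling: a gateway-side check for the attachment pattern described above, an .scr inside a zip dressed up to look like an .htm. It opens the archive in memory, sniffs each member's first bytes for a PE header and inspects the name for executable, double and whitespace-padded extensions. The sample archive and its file names are constructed for this example.

```python
"""Inspect zip attachments for executables disguised as documents, the
pattern in the post above (.scr dressed up as .htm inside a zip).  Added
illustration, not the original poster's tooling; sample data is constructed."""
import io
import zipfile

EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXTS = {".htm", ".html", ".txt", ".doc", ".pdf", ".jpg"}


def classify_member(name, head):
    """Return the reasons a zip member looks like a disguised executable
    (empty list if none).  `head` is the first few bytes of the member."""
    reasons = []
    base = name.rsplit("/", 1)[-1]
    parts = [p.strip().lower() for p in base.split(".")]
    exts = ["." + p for p in parts[1:]]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension %s" % exts[-1])
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("double extension %s%s" % (exts[-2], exts[-1]))
    if "   " in base:
        reasons.append("whitespace padding hides the real extension")
    if head[:2] == b"MZ":
        reasons.append("PE header (MZ) regardless of file name")
    return reasons


def scan_zip(data):
    """Map member name -> reasons for every suspicious member of a zip."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            try:
                with z.open(info) as fh:
                    head = fh.read(2)  # only sniff the magic; never extract
            except RuntimeError:
                # encrypted member: we cannot inspect it, so flag rather than pass
                findings[info.filename] = ["encrypted member, content not inspectable"]
                continue
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample archive: one harmless page and one fake PE stub
    whose name mimics an .htm file (MZ stub only, not a real program)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("readme.htm", "<html>harmless</html>")
        z.writestr("register.htm" + " " * 40 + ".scr", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(repr(member), "->", "; ".join(why))
```

Reading only the first two bytes of each member keeps the check cheap and avoids extracting anything to disk; the MZ test is what catches a sample the signature vendors have not yet classified, which is the situation the post describes. Password-protected archives defeat content sniffing, so the scanner flags them instead of letting them through.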