[unisog] New Virus

rhermida@panam.edu rhermida at panam.edu
Tue Dec 6 17:18:33 GMT 2005


Yes, this is part of a new AIM worm:

   http://isc.sans.org/diary.php?storyid=917


Regards

-RH

--
Ramon Hermida
Information Security Specialist
The University of Texas Pan American

---------

I was wondering if anyone had seen anything like this today....

 

We have been seeing a new virus going around this morning that is coming
in via an email appearing to be from "webmaster" "register" and "admin"
@(WhateverDomainIsBeingTargeted).  It tells users to click on the
attachment which is an .scr file disguised as an .htm file (inside a zip
file).  When the attachment is run, the virus disables Symantec
Antivirus, Task Manager, and Ethereal.  It then runs a program
(C:\Windows\system32\Win32IMAPSVR.EXE) which opens a connection to
208.57.228.66:27999 apparently to wait for instructions.  Our GFI
antivirus on our mail servers didn't start filtering this out until
about 8:30am this morning, and the latest definitions from Symantec
(11/21/05 rev 6) do not detect this yet. Anyone else seeing this?

 

Paul

 

Paul Goverts IV
Computer Services
St. John Fisher College
Rochester, NY 14618

"Ask yourself - Where are you going?  Who is going with you?"  -- "Col."
Gordon Shay


More information about the unisog mailing list