[unisog] New Virus

Joseph Brennan brennan at columbia.edu
Tue Dec 6 19:42:40 GMT 2005


> We have been seeing a new virus going around this morning that is coming
> in via an email appearing to be from "webmaster" "register" and "admin"
> @(WhateverDomainIsBeingTargeted).  It tells users to click on the
> attachment which is an .scr file disguised as an .htm file (inside a zip
> file).  When the attachment is run, the virus disables Symantec
> Antivirus, Task Manager, and Ethereal.  It then runs a program
> (C:\Windows\system32\Win32IMAPSVR.EXE) which opens a connection to
> 208.57.228.66:27999 apparently to wait for instructions.  Our GFI
> antivirus on our mail servers didn't start filtering this out until
> about 8:30am this morning, and the latest definitions from Symantec
> (11/21/05 rev 6) do not detect this yet. Anyone else seeing this?


If you rejected mail from webmaster@, register@, and admin@ your
domain, which have been virus favorites for years, you wouldn't
be too aware of it.  That's obviously not a full defense but it
quickly swats away some of the stuff.

We've had 2,930 from register at columbia.edu in the past 10 hours
compared to the normal 2,300 in 24 hours, so yes, something's happening
out there.

Joseph Brennan
postmaster at columbia.edu
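
The two checks discussed in this thread, as an added example that is not part of the original posts: reject outside mail claiming a role address at your own domain, and flag executables inside zip attachments regardless of a leading fake extension. Assumptions: example.edu stands in for the local domain, the function names are hypothetical, the extension list beyond .scr is illustrative, and the from_outside flag is supplied by the mail server (for instance, unauthenticated SMTP from a non-local host) so that genuine internal role mail still passes.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

LOCAL_DOMAIN = "example.edu"                        # assumption: placeholder for your domain
SPOOFED_ROLES = {"webmaster", "register", "admin"}  # local parts named in the thread
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com", ".bat")  # .scr from the thread, rest assumed

def forged_role_sender(msg, from_outside):
    """True when mail arriving from outside claims a role address at our own domain."""
    _, addr = parseaddr(str(msg.get("From", "")))
    local, _, domain = addr.lower().rpartition("@")
    return from_outside and domain == LOCAL_DOMAIN and local in SPOOFED_ROLES

def executable_zip_members(msg):
    """Names of executable members inside zip attachments, judged by final extension."""
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                hits += [n for n in zf.namelist() if n.lower().rstrip(" .").endswith(EXECUTABLE_EXTS)]
        except zipfile.BadZipFile:
            hits.append(name + " (unreadable zip)")
    return hits

def verdict(raw, from_outside=True):
    """Return ("reject" | "accept", reasons) for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = ["forged role sender"] if forged_role_sender(msg, from_outside) else []
    members = executable_zip_members(msg)
    if members:
        reasons.append("executable in zip: " + ", ".join(members))
    return ("reject" if reasons else "accept"), reasons

def build_sample(sender, member_name):
    """Constructed test message carrying a harmless zip (placeholder bytes only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder, not a program")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.edu", "Account notice"
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="info.zip")
    return msg.as_bytes()
```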