[unisog] New virus

Stejerean, Cosmin cosmin at cti.depaul.edu
Wed Dec 7 00:20:07 GMT 2005


Same thing happened to a post I sent a couple of weeks ago. It reappeared on
the list yesterday at 8:52PM.

Anyone know what could be the cause of this?

Cosmin

  _____  

From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of Goverts IV, Paul
Sent: Tuesday, December 06, 2005 2:59 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] New virus

This is weird, I already sent this email about 2 weeks ago, somehow it
hiccupped back out again?

Paul

Paul Goverts IV
Computer Services
St. John Fisher College
Rochester, NY 14618

"Ask yourself - Where are you going?  Who is going with you?"  -- "Col."
Gordon Shay

  _____  

From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of Goverts IV, Paul
Sent: Tuesday, November 22, 2005 10:18 AM
To: unisog at lists.sans.org
Subject: [unisog] New virus

I was wondering if anyone had seen anything like this today...

We have been seeing a new virus going around this morning that is coming in
via an email appearing to be from "webmaster" "register" and "admin"
@(WhateverDomainIsBeingTargeted).  It tells users to click on the attachment
which is an .scr file disguised as an .htm file (inside a zip file).  When
the attachment is run, the virus disables Symantec Antivirus, Task Manager,
and Ethereal.  It then runs a program (C:\Windows\system32\Win32IMAPSVR.EXE)
which opens a connection to 208.57.228.66:27999 apparently to wait for
instructions.  Our GFI antivirus on our mail servers didn't start filtering
this out until about 8:30am this morning, and the latest definitions from
Symantec (11/21/05 rev 6) do not detect this yet. Anyone else seeing this?

Paul

Paul Goverts IV
Computer Services
St. John Fisher College
Rochester, NY 14618

"Ask yourself - Where are you going?  Who is going with you?"  -- "Col."
Gordon Shay

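
Two defensive checks that follow from Paul's description of the lure: a zip attachment whose member is an .scr dressed up as an .htm, and an infected host opening a connection to 208.57.228.66:27999. The code below is an added example written for this archive page, not a tool from the thread or from either poster. The IP, port and the .scr-as-.htm trick are the indicators quoted from the November 22 post; the zip contents, the firewall log format and the log lines are constructed for the example.

```python
"""Triage helpers for the 2005 "webmaster/register/admin" lure described on the
unisog list. Indicators (208.57.228.66:27999, .scr disguised as .htm inside a
zip) come from the list post; everything else here is constructed."""
import io
import re
import zipfile
from typing import Optional

# Extensions Windows runs on double-click. Compared case-insensitively.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}

# A document-looking suffix sitting in front of the real extension, optionally
# padded with whitespace so a mail client truncates the name before ".scr".
DECOY_RE = re.compile(r"\.(htm|html|txt|doc|pdf)\s*$")

# Beacon destination quoted in the post.
C2_IP = "208.57.228.66"
C2_PORT = 27999


def classify_member(name: str) -> Optional[str]:
    """Return a reason string if a zip member name looks like an executable
    lure, or None if it looks harmless."""
    base = name.rsplit("/", 1)[-1].lower()
    dot = base.rfind(".")
    if dot == -1:
        return None
    ext = base[dot:].strip()
    if ext not in EXECUTABLE_EXTS:
        return None
    stem = base[:dot]
    if DECOY_RE.search(stem):
        return "executable with decoy document extension"
    return "executable in mail attachment"


def suspicious_members(zip_bytes: bytes) -> dict:
    """Map each suspicious member name in the zip to the reason it was flagged.
    Only names are inspected; the members are never extracted or run."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            reason = classify_member(name)
            if reason:
                found[name] = reason
    return found


def build_sample_zip() -> bytes:
    """Constructed sample: one real .htm decoy and two disguised .scr files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("message.htm", "<html>decoy</html>")
        zf.writestr("message.htm" + " " * 40 + ".scr", b"MZ\x90\x00")  # padded
        zf.writestr("report.htm.scr", b"MZ\x90\x00")                  # double ext
    return buf.getvalue()


# Constructed firewall log format: "<ts> <src>:<sport> -> <dst>:<dport> <action>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$"
)

SAMPLE_LOG = """\
2005-11-22T08:41:02 10.1.4.23:1153 -> 208.57.228.66:27999 ALLOW
2005-11-22T08:41:09 10.1.4.23:1154 -> 64.233.161.99:80 ALLOW
2005-11-22T08:42:31 10.1.7.88:2201 -> 208.57.228.66:27999 DENY
2005-11-22T08:43:00 10.1.2.5:3311 -> 208.57.228.66:443 ALLOW
"""


def hosts_contacting_c2(log_text: str) -> list:
    """Sorted internal addresses that tried to reach the beacon destination.
    A DENY still counts: the attempt itself means the dropper ran on that host."""
    hosts = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["dst"] == C2_IP and int(m["dport"]) == C2_PORT:
            hosts.add(m["src"])
    return sorted(hosts)


if __name__ == "__main__":
    for name, why in suspicious_members(build_sample_zip()).items():
        print(f"flag {name!r}: {why}")
    print("hosts to isolate:", hosts_contacting_c2(SAMPLE_LOG))
```

The zip check flags on the member name alone, so it can run on the mail gateway before any user sees the attachment; the log check is the follow-up question an incident handler asks once the beacon address is known, and it deliberately treats blocked attempts the same as allowed ones, since either one identifies a host that ran the dropper.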