[unisog] New virus

Goverts IV, Paul pgoverts at sjfc.edu
Tue Nov 22 15:17:54 GMT 2005


I was wondering if anyone had seen anything like this today....

 

We have been seeing a new virus going around this morning that is coming
in via an email appearing to be from "webmaster" "register" and "admin"
@(WhateverDomainIsBeingTargeted).  It tells users to click on the
attachment which is an .scr file disguised as an .htm file (inside a zip
file).  When the attachment is run, the virus disables Symantec
Antivirus, Task Manager, and Ethereal.  It then runs a program
(C:\Windows\system32\Win32IMAPSVR.EXE) which opens a connection to
208.57.228.66:27999 apparently to wait for instructions.  Our GFI
antivirus on our mail servers didn't start filtering this out until
about 8:30am this morning, and the latest definitions from Symantec
(11/21/05 rev 6) do not detect this yet. Anyone else seeing this?

 

Paul

 

Paul Goverts IV
Computer Services
St. John Fisher College
Rochester, NY 14618

"Ask yourself - Where are you going?  Who is going with you?"  -- "Col."
Gordon Shay

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.dshield.org/pipermail/unisog/attachments/20051122/aaeba6c2/attachment-0001.htm


More information about the unisog mailing list