[unisog] New virus worm [gibberish mail with attached gif]??

Reg Quinton reggers at ist.uwaterloo.ca
Thu Mar 23 14:46:43 GMT 2006

I wonder if anyone knows what's going on. We've seen a number of systems 
start spewing e-mail (most on resnet). When this happens they're quickly 
isolated. I've seen some of the mail they were spewing (AOL kindly bounces 
it back as spam) and have received the same mail from other sites around the 
world (I assume therefore a mass mailing worm of some sort and not a 
local problem).

The mail is multipart MIME, seems to have been generated by Microsoft 
Outlook Express, with a forged Received header (for the same network), 
forged From: (off site address), random gibberish Subject and content using 
real English words (in both plain text and HTML) and an attached .gif with 
various names.

I assume the gif is malicious -- else why would they send it and why am I 
seeing machines spewing mail?

The mail is getting past our ClamAV mail checker (it's getting to my 
mailbox) and Norton/Symantec AV on the workstation so it doesn't *look* 
malicious... my guess is it must be.

Anyone seen this or something similar?

I am, Reg Quinton <reggers at ist.uwaterloo.ca>
      Senior Technologist, Security
      Information Systems and Technology
      University of Waterloo, 200 University Ave W
      Waterloo, Ontario N2L 3G1 Canada
      +1 519 888-4567x6070
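
One way to triage a captured copy of mail like that described above without opening the attachment, as an added example that is not part of the original post: it reports the X-Mailer claim, the Received chain, the body types, and whether each .gif attachment starts with a GIF signature. The sample message, its addresses and the function names are constructed for illustration.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

GIF_MAGIC = (b"GIF87a", b"GIF89a")  # the two valid GIF signatures

def build_sample(attachment: bytes, name: str = "sample.gif") -> bytes:
    """Constructed message with the shape described in the post."""
    msg = EmailMessage()
    msg["From"] = "someone@offsite.example"      # constructed
    msg["To"] = "user@campus.example"            # constructed
    msg["Subject"] = "window garden between"     # constructed
    msg["X-Mailer"] = "Microsoft Outlook Express 6.00"  # constructed
    msg.set_content("window garden between river")
    msg.add_alternative("<html><body>window garden</body></html>", subtype="html")
    msg.add_attachment(attachment, maintype="image", subtype="gif", filename=name)
    return msg.as_bytes()

def triage(raw: bytes) -> dict:
    """Summarise the traits from the post without rendering the attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {
        "outlook_express": "outlook express" in str(msg.get("X-Mailer", "")).lower(),
        "received": [str(h) for h in msg.get_all("Received", [])],
        "body_types": [],
        "gif_attachments": [],
    }
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        if name.lower().endswith(".gif") or part.get_content_type() == "image/gif":
            data = part.get_payload(decode=True) or b""
            report["gif_attachments"].append({
                "name": name,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),  # for sharing with other sites
                "starts_with_gif_magic": data[:6] in GIF_MAGIC,
            })
        elif part.get_content_maintype() == "text":
            report["body_types"].append(part.get_content_type())
    return report

if __name__ == "__main__":
    for payload in (b"GIF89a\x01\x00\x01\x00\x00\x00\x00;", b"not a gif at all"):
        print(triage(build_sample(payload)))
```

A matching signature only shows the file is what its name claims; it says nothing about whether the image content is harmless.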
