[unisog] New virus worm [gibberish mail with attached gif]??
bambenek at control.csl.uiuc.edu
Thu Mar 23 15:10:14 GMT 2006
Send me the email direct, I'll take a look. Zip with pass so my virus
scanner doesn't go apeshit.
On Thu, 23 Mar 2006, Reg Quinton wrote:
> I wonder if anyone knows what's going on. We've seen a number of systems
> start spewing e-mail (most on resnet). When this happens they're quickly
> isolated. I've seen some of the mail they were spewing (AOL kindly bounces
> it back as spam) and have received the same mail from other sites around the
> world (I assume therefore a mass mailing worm of some sort and not a
> local problem).
> The mail is multipart MIME, seems to have been generated by Microsoft
> Outlook Express, with a forged Received header (for the same network),
> forged From: (off site address), random gibberish Subject and content using
> real English words (in both plain text and html) and an attached .gif with
> various names.
> I assume the gif is malicious -- else why would they send it and why am I
> seeing machines spewing mail?
> The mail is getting past our ClamAV mail checker (it's getting to my
> mailbox) and Norton/Symantec AV on the workstation so it doesn't *look*
> malicious... my guess is it must be.
> Anyone seen this or something similar?
> I am, Reg Quinton <reggers at ist.uwaterloo.ca>
> Senior Technologist, Security
> Information Systems and Technology
> University of Waterloo, 200 University Ave W
> Waterloo, Ontario N2L 3G1 Canada
> +1 519 888-4567x6070
> unisog mailing list
> unisog at lists.sans.org
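
An added example, not part of either post: a first-pass triage of one captured message for the traits described in the quoted report (mailer string, Received hops, and whether an attachment named .gif actually starts with a GIF signature). The function names, addresses and sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

GIF_MAGIC = (b"GIF87a", b"GIF89a")  # the two valid GIF file signatures

def triage(raw: bytes) -> dict:
    """Summarise the traits described in the thread for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {
        "x_mailer": str(msg.get("X-Mailer", "")),
        "from": str(msg.get("From", "")),
        "received_hops": len(msg.get_all("Received", [])),
        "attachments": [],
    }
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        report["attachments"].append({
            "name": part.get_filename() or "",
            "declared_type": part.get_content_type(),
            "size": len(data),
            # A .gif whose bytes lack the GIF signature deserves a closer look.
            "is_real_gif": data.startswith(GIF_MAGIC),
        })
    return report

def build_sample(payload: bytes) -> bytes:
    """Constructed test message; every value here is made up."""
    m = EmailMessage()
    m["Received"] = "from host.example.net ([192.0.2.10]) by mx.example.net"
    m["From"] = "someone@example.org"
    m["To"] = "user@example.net"
    m["Subject"] = "window marble seven"
    m["X-Mailer"] = "Microsoft Outlook Express 6.00"
    m.set_content("lantern river quiet")
    m.add_alternative("<html><body>lantern river quiet</body></html>",
                      subtype="html")
    m.add_attachment(payload, maintype="image", subtype="gif",
                     filename="pic.gif")
    return m.as_bytes()

if __name__ == "__main__":
    # One sample with a genuine GIF header, one without.
    for body in (b"GIF89a" + b"\x00" * 32, b"not a gif at all"):
        print(triage(build_sample(body)))
```

A matching signature only confirms the file type; it says nothing about whether the image is safe to open.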