[unisog] New virus worm [gibberish mail with attached gif]??

John Bambenek bambenek at control.csl.uiuc.edu
Thu Mar 23 15:10:14 GMT 2006

Send me the email direct, I'll take a look.  Zip with pass so my virus 
scanner doesn't go apeshit.


On Thu, 23 Mar 2006, Reg Quinton wrote:

> I wonder if anyone knows what's going on. We've seen a number of systems
> start spewing e-mail (most on resnet). When this happens they're quickly
> isolated. I've seen some of the mail they were spewing (AOL kindly bounces
> it back as spam) and have received the same mail from other sites around the
> world (I  assume therefore a massing mailing worm of some sort and not a
> local problem).
> The mail is multipart  mime, seems to have been generated by Microsoft
> Outlook Express,  with a forged Received header (for the same network),
> forged From: (off site address), random gibberish Subject and content using
> real English words (in both plain text and html) and an attached .gif with
> various names.
> I assume the gif is malicious -- else why would they send it and why am I
> seeing machines spewing mail?
> The mail is getting past our ClamAV mail checker (it's getting to my
> mailbox) and Norton/Symantec AV on the workstation so it doesn't *look*
> malicious... my guess is it must be.
> Anyone seen this or something similar?
> I am, Reg Quinton <reggers at ist.uwaterloo.ca>
>      Senior Technologist, Security
>      Information Systems and Technology
>      University of Waterloo, 200 University Ave W
>      Waterloo, Ontario N2L 3G1 Canada
>      +1 519 888-4567x6070
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

More information about the unisog mailing list