[unisog] New virus worm [gibberish mail with attached gif]??

Mike Honeycutt honeycutt at unca.edu
Thu Mar 23 15:38:40 GMT 2006


I've seen similar messages.  As far as I can tell, it is just a new
form of spam.  The gibberish in the body of the email seems designed
to make people curious.  Likewise, the attachments I've seen generally have
names like "Ooops" and "Sorry" which I also assume is to make people
open the attachment.

Does anyone have any additional information?

Mike Honeycutt
UNC Asheville

==============



-----Original Message-----
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of Reg Quinton
Sent: Thursday, March 23, 2006 9:47 AM
To: unisog at lists.sans.org
Subject: [unisog] New virus worm [gibberish mail with attached gif]??

I wonder if anyone knows what's going on. We've seen a number of systems 
start spewing e-mail (most on resnet). When this happens they're quickly 
isolated. I've seen some of the mail they were spewing (AOL kindly bounces 
it back as spam) and have received the same mail from other sites around the 
world (I assume therefore a mass mailing worm of some sort and not a 
local problem).

The mail is multipart mime, seems to have been generated by Microsoft 
Outlook Express, with a forged Received header (for the same network), 
forged From: (off site address), random gibberish Subject and content using 
real English words (in both plain text and html) and an attached .gif with 
various names.

I assume the gif is malicious -- else why would they send it and why am I 
seeing machines spewing mail?

The mail is getting past our ClamAV mail checker (it's getting to my 
mailbox) and Norton/Symantec AV on the workstation so it doesn't *look* 
malicious... my guess is it must be.

Anyone seen this or something similar?

I am, Reg Quinton <reggers at ist.uwaterloo.ca>
      Senior Technologist, Security
      Information Systems and Technology
      University of Waterloo, 200 University Ave W
      Waterloo, Ontario N2L 3G1 Canada
      +1 519 888-4567x6070

_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog
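A mail-filter check for the traits Reg describes, added here as an example and not part of the thread: it parses a constructed sample message with Python's standard email library and reports which of the reported indicators (multipart MIME, a .gif attachment, a Received header naming the local network alongside an off-site From:, and a subject of bare words) the message shows. The local domain, host names and addresses are all made up.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample mail resembling the reported pattern (not a real capture).
SAMPLE_RAW = """\
Received: from pc17.resnet.example.edu ([10.20.30.40]) by mx.example.edu
From: "Random Sender" <someone@offsite.example.com>
Subject: pleasant umbrella freight ocean
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

ocean freight pleasant the umbrella walked quietly
--bnd
Content-Type: image/gif; name="Sorry.gif"
Content-Transfer-Encoding: base64

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--bnd--
"""

def gif_attachments(msg):
    # Filenames of parts that are GIFs by declared MIME type or by extension.
    names = []
    for part in msg.walk():
        fname = part.get_filename() or ""
        if part.get_content_type() == "image/gif" or fname.lower().endswith(".gif"):
            names.append(fname or "(unnamed)")
    return names

def suspicious_indicators(raw, local_domain):
    """Names of the thread's indicators that this message matches."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = ["multipart"] if msg.is_multipart() else []
    if gif_attachments(msg):
        hits.append("gif_attachment")
    # Received: claims our own network while From: is an off-site address.
    claims_local = any(local_domain in str(r).lower() for r in msg.get_all("Received", []))
    dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if claims_local and dom and dom != local_domain and not dom.endswith("." + local_domain):
        hits.append("local_received_offsite_from")
    # Heuristic: subject made only of bare lowercase words, as in the reported mail.
    words = str(msg.get("Subject", "")).split()
    if len(words) >= 3 and all(w.isalpha() and w.islower() for w in words):
        hits.append("random_word_subject")
    return hits
```

A message matching several indicators at once is a candidate for quarantine or for a closer look at the sending host, which is the triage the thread describes.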
