[unisog] New virus worm [gibberish mail with attached gif]??

Reg Quinton reggers at ist.uwaterloo.ca
Mon Mar 27 15:17:36 GMT 2006


A chum investigating a machine that was seen sending this spam found it had a 
root kit documented at Symantec:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.abwiz.f.html

Step 9 in the description says the rootkit can be used to send spam.

So, if you receive the spam it's not terribly dangerous. But there's good 
evidence that the sending system may have a root kit.

----- Original Message ----- 
From: "Mike Honeycutt" <honeycutt at unca.edu>
To: "'UNIversity Security Operations Group'" <unisog at lists.sans.org>
Sent: Thursday, March 23, 2006 10:38 AM
Subject: Re: [unisog] New virus worm [gibberish mail with attached gif]??


>
> I've seen similar messages.  As far as I can tell, it is just a new
> form of spam.  The gibberish in the body of the email seems designed
> to make people curious.  Likewise, the attachments I've seen generally
> have names like "Ooops" and "Sorry" which I also assume is to make people
> open the attachment.
>
> Does anyone have any additional information?
>
> Mike Honeycutt
> UNC Asheville
>
> ==============
>
>
>
> -----Original Message-----
> From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
> On Behalf Of Reg Quinton
> Sent: Thursday, March 23, 2006 9:47 AM
> To: unisog at lists.sans.org
> Subject: [unisog] New virus worm [gibberish mail with attached gif]??
>
> I wonder if anyone knows what's going on. We've seen a number of systems
> start spewing e-mail (most on resnet). When this happens they're quickly
> isolated. I've seen some of the mail they were spewing (AOL kindly bounces
> it back as spam) and have received the same mail from other sites around
> the world (I assume therefore a mass mailing worm of some sort and not a
> local problem).
>
> The mail is multipart MIME, seems to have been generated by Microsoft
> Outlook Express, with a forged Received header (for the same network),
> forged From: (off site address), random gibberish Subject and content
> using real English words (in both plain text and html) and an attached .gif
> with various names.
>
> I assume the gif is malicious -- else why would they send it and why am I
> seeing machines spewing mail?
>
> The mail is getting past our ClamAV mail checker (it's getting to my
> mailbox) and Norton/Symantec AV on the workstation so it doesn't *look*
> malicious... my guess is it must be.
>
> Anyone seen this or something similar?
>
> I am, Reg Quinton <reggers at ist.uwaterloo.ca>
>      Senior Technologist, Security
>      Information Systems and Technology
>      University of Waterloo, 200 University Ave W
>      Waterloo, Ontario N2L 3G1 Canada
>      +1 519 888-4567x6070
>
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
>
> 
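The traits Reg lists (multipart MIME with both plain and HTML parts, an Outlook Express X-Mailer, a Received hop claiming the recipient's own network, an off-site From:, and a .gif attachment with lure names such as "Ooops" or "Sorry" as Mike notes) can be turned into a simple scoring check run at the mail gateway or over a mailbox. The script below is an added example and is not code from the thread or from any of the posters. The two sample messages are constructed, the campus address range, local domain and MTA names are assumptions, and the "forged Received" test assumes one reading of the thread: only the topmost Received line (stamped by our own MX) is trusted, so any lower Received line claiming a hop from inside our address space while the true peer is external is treated as forged.

```python
"""Score a message against the spam traits described in the unisog thread."""
import ipaddress
import re
from email import message_from_bytes, policy

# Assumptions for the example: campus address space and our own mail domain.
LOCAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
LOCAL_DOMAINS = {"example.edu"}
# Attachment names reported in the thread as lures.
LURE_NAMES = re.compile(r"^(ooops|sorry)", re.I)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample resembling the thread's description (not a real capture).
SAMPLE_RAW = b"""\
Received: from relay.offsite.example.net (relay.offsite.example.net [198.51.100.7])
\tby mx.example.edu with ESMTP id abc123; Thu, 23 Mar 2006 09:12:00 -0500
Received: from [10.20.30.40] (helo=workstation)
\tby mx.example.edu with ESMTP; Thu, 23 Mar 2006 09:11:58 -0500
From: "Someone" <someone@offsite.example.net>
To: reggers@example.edu
Subject: pillow granite whisper oblong
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain; charset="us-ascii"

velvet harbor sentence cactus remote
--inner
Content-Type: text/html; charset="us-ascii"

<html><body>velvet harbor sentence cactus remote</body></html>
--inner--
--outer
Content-Type: image/gif; name="Ooops.gif"
Content-Disposition: attachment; filename="Ooops.gif"
Content-Transfer-Encoding: base64

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--outer--
"""

# Constructed benign message from a local user for contrast.
BENIGN_RAW = b"""\
Received: from [10.20.30.41] (helo=laptop)
\tby mx.example.edu with ESMTP; Thu, 23 Mar 2006 09:30:00 -0500
From: colleague@example.edu
To: reggers@example.edu
Subject: meeting moved to 2pm
Content-Type: text/plain; charset="us-ascii"

See you then.
"""


def _from_clause(received):
    """Text between 'from' and 'by' in a Received line (the claimed peer)."""
    m = re.search(r"from\s+(.*?)\s+by\s", received, re.I | re.S)
    return m.group(1) if m else ""


def _first_ip(text):
    for m in IPV4.finditer(text):
        try:
            return ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
    return None


def _is_local(ip):
    return ip is not None and any(ip in net for net in LOCAL_NETS)


def score_message(raw):
    """Return {'score': n, 'indicators': [...]} for one raw RFC 2822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    indicators = []

    if "outlook express" in str(msg.get("X-Mailer", "")).lower():
        indicators.append("x_mailer_outlook_express")

    m = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    if m and m.group(1).lower() not in LOCAL_DOMAINS:
        indicators.append("offsite_from")

    types, gif, lure = set(), False, False
    for part in msg.walk():
        ctype = part.get_content_type()
        types.add(ctype)
        fname = part.get_filename() or ""
        if ctype == "image/gif" or fname.lower().endswith(".gif"):
            gif = True
            lure = lure or bool(LURE_NAMES.match(fname))
    if gif:
        indicators.append("gif_attachment")
    if lure:
        indicators.append("lure_attachment_name")
    if {"text/plain", "text/html"} <= types:
        indicators.append("plain_and_html_alternative")

    # Only the topmost Received line (added by our MX) records the true peer;
    # lower lines are supplied by the sender and may be forged.
    received = msg.get_all("Received") or []
    if received:
        true_peer = _first_ip(_from_clause(str(received[0])))
        for hop in received[1:]:
            if _is_local(_first_ip(_from_clause(str(hop)))) and not _is_local(true_peer):
                indicators.append("forged_local_received")
                break

    return {"score": len(indicators), "indicators": indicators}


if __name__ == "__main__":
    print(score_message(SAMPLE_RAW))
    print(score_message(BENIGN_RAW))
```

A score of three or more on an inbound message is a reasonable trigger to quarantine it and, more usefully given Reg's point, to pull the true peer address out of the top Received line and check whether that host belongs to a network you manage; the mail itself is low risk, the sending machine is the finding.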


