Home page logo
/

nanog logo nanog mailing list archives

Re: Worm probes
From: "Bill Larson" <blarson () compu net>
Date: Tue, 18 Sep 2001 12:06:18 -0500


It is worse than that. The virus is passing it's self off as audio/x-wav;


----- Original Message -----
From: "Jim Seymour"
Newsgroups: spamcop.geeks
Sent: Tuesday, September 18, 2001 11:10 AM
Subject: New Virus/Worm Email


I just received an interesting email.  It made it past my virus filters,
but a
report on the NTBugTraq mailing list is reporting it as some kind of
unknown
worm that attacks IIS machines.

The message itself uses an attachment with a content type of audio/x-wav,
but
with a name of "readme.exe".  I've got the security settings tightened
down, but
even so, Outlook Express asked me whether I wanted to open the embedded
attachment.

Here is the email that I received (without the encoded attachment, of
course).
Note the long Subject line and the HTML iframe that refers to local
content.
Keep you eye on this one...

--
Jim Seymour

-----------------------------------------------------------------------

Received: from TGLNT (mail.tricongroup.com [206.206.91.131]) by
mail.cipher.com
 with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
 id SVNKL1PC; Tue, 18 Sep 2001 08:15:28 -0700
From: <3dzvi51gehej () 4ax com>
Subject:

Xtoprecvranalyzerdiskstrreadmec2supprttablecoltoprecvraps32analyzerdefaultus
ergr
pcinforccidbutilappevent
MIME-Version: 1.0
Content-Type: multipart/related;
 type="multipart/alternative";
 boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
 boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
 charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
 name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>






  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]