Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Worm.SCO.A

From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Thu, 29 Jan 2004 10:00:16 -0800
Worm.SCO.A maps to Novarg (F-Secure), W32.Novarg.A@mm (Symantec),
W32/Mydoom.a@MM, Win32.Mydoom.A (CA), Win32/Shimg (CA), WORM_MIMAIL.R
(Trend). It is not a MIMAIL variant as Trend Micro suspected so AV DEF
looking for MIMAIL and the ilk will miss the virii. I haven't received
any Mydoom.B virii so I don't know what ClamAV will call that
(Worm.SCO.B or Worm.MICROSOFT.A, whatever).

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521

www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
             (800) 325-1199 x338



-----Original Message-----
From: Hamish Stanaway [mailto:koremeltdown () hotmail com] 
Sent: Wednesday, January 28, 2004 2:05 AM
To: Shawn Jackson; security-basics () securityfocus com
Subject: RE: Worm.SCO.A


Hi there,

I just wanted to let Shawn and others know that you are not alone, I too

have recieved several copies of this mail in the past 24 hours, and am 
beginning to wonder what it is.

Kindest of regards,

Hamish Stanaway

Absolute Web Hosting
Owner/Operator
Auckland
New Zealand

http://www.webhosting.net.nz
http://www.buywebhosting.co.nz






From: "Shawn Jackson" <sjackson () horizonusa com>
To: <security-basics () securityfocus com>
Subject: Worm.SCO.A
Date: Mon, 26 Jan 2004 14:38:23 -0800
MIME-Version: 1.0
Received: from outgoing2.securityfocus.com ([205.206.231.26]) by
mc8-f31.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Wed, 28 Jan

2004 

00:55:31 -0800
Received: from lists.securityfocus.com (lists.securityfocus.com 
[205.206.231.19])by outgoing2.securityfocus.com (Postfix) with QMQPid 
796F08F81A; Tue, 27 Jan 2004 10:41:15 -0700 (MST)
Received: (qmail 26490 invoked from network); 26 Jan 2004 23:04:45

-0000

X-Message-Info: 6sSXyD95QpVARocLih1tSEi4bFjjlIQ9
Mailing-List: contact security-basics-help () securityfocus com; run by

ezmlm

Precedence: bulk
List-Id: <security-basics.list-id.securityfocus.com>
List-Post: <mailto:security-basics () securityfocus com>
List-Help: <mailto:security-basics-help () securityfocus com>
List-Unsubscribe:

<mailto:security-basics-unsubscribe () securityfocus com>

List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
Delivered-To: mailing list security-basics () securityfocus com
Delivered-To: moderator for security-basics () securityfocus com
content-class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
Message-ID: <EA4A7785EECF644493D88EB58A80992D8DFA9C () hzmail horizon lcl>
X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Worm.SCO.A
Thread-Index: AcPkUphWt8utkfEfQyGl0VstP6ZDrwAAr/nwAAGI2jA=
X-Virus-Scanned: HorizonUSA Mail Security System
Return-Path: 
security-basics-return-26478-koremeltdown=hotmail.com () securityfocus com
X-OriginalArrivalTime: 28 Jan 2004 08:55:31.0563 (UTC) 
FILETIME=[7C00ABB0:01C3E57C]


      Anyone else encountering this? I've just got hammered with a few



hundred of these in the last hour and a half and I can't quite discern 
what exactly the virii is. There doesn't seam to be a map from ClamAV 
virus naming format to any other. Anyone have a clue of what this virus



is?

      I looked at the quarantine, and it seamed to be just the virii

payload 

and no content, file.pif.exe. I've also seen it as a file.zip, doc.zip,



document.zip, document.pif, rhn.scr, data.zip, message.zip, test.zip. 
There could be more, but I just don't have the time to check the 
payload on all the messages.

-------------------AMAVIS REPORT------------------
A virus (Worm.SCO.A) was found.

Two banned names (file.pif, .exe) were found.

Scanner detecting a virus: Clam Antivirus-clamd

The mail originated from: <ctccyc () aol com>

According to the 'Received:' trace, the message originated at:
   aol.com (unknown [12.9.171.xxx])

The message WAS NOT delivered to:
<xxx () horizonusa com>:
   550 5.7.1 Message content rejected, id=28441-07 - VIRUS: Worm.SCO.A

Virus scanner output:
   /var/amavisd/tmp/amavis-20040126T141220-28441/parts/part-00002:
Worm.SCO.A FOUND

The message has been quarantined as:
   /var/amavisd/quarantine/virus-20040126-141800-28441-07

------------------------- BEGIN HEADERS -----------------------------
Return-Path: <xxxxx () aol com>
Received: from aol.com (unknown [12.9.171.xxx])
      by mta1.horizonusa.com (Postfix) with ESMTP id DFA572D8106
      for <ted () horizonusa com>; Mon, 26 Jan 2004 14:17:59 -0800 (PST)
From: xxxx () aol com
To: xxx () horizonusa com
Subject:
Date: Mon, 26 Jan 2004 14:17:47 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
      boundary="----=_NextPart_000_0010_465EEF13.4CF1817C"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20040126221759.DFA572D8106 () mta1 horizonusa com>
-------------------------- END HEADERS ------------------------------

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521

www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
             (800) 325-1199 x338

-----------------------------------------------------------------------
----
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off

any

course! All of our class sizes are guaranteed to be 10 students or

less.

We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion

Prevention,

and many other technical hands on courses.
Visit us at http://www.infosecinstitute.com/securityfocus to get $720

off

any course!
-----------------------------------------------------------------------

-----




_________________________________________________________________
Find high-speed 'net deals - comparison-shop your local providers here. 
https://broadband.msn.com


------------------------------------------------------------------------
---
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off
any 
course! All of our class sizes are guaranteed to be 10 students or less.

We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion
Prevention, 
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720
off 
any course!  
------------------------------------------------------------------------
----


---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
course! All of our class sizes are guaranteed to be 10 students or less.
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
and many other technical hands on courses.
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
any course!
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: