[Esa-l] Heads up, new virus...

Andre Kajita - Administrador da Rede admin at camarasjc.sp.gov.br
Thu Nov 16 11:06:17 PST 2000


Greets,

I just got this notice and added the EXE (myromeo.exe) to the poisoned
list.

-------- Original Message --------
From: Piotr Klaban <makler at MAN.TORUN.PL>
Subject: new virus - myromeo
To: INCIDENTS at SECURITYFOCUS.COM

Hi,

Our nets were affected by the new mail virus - myromeo/myjuliet.
This would not be recognized by, e.g., AVP with the current virus
database.
Maybe you need to block it "by hand".

WHAT IT DOES TO THE COMPUTER:

Since I do not use Windows frequently, I do not know if this virus
does something bad to the computer. I have only the information described
below.

HOW IT WORKS:

The mail opens an html page, and magically runs the exe part. After
that it spreads across the net by mailing itself through the following
smtp sites (it seems they are open relays):
  212.244.199.2 - gate.panoramix.net.pl (down for now)
  195.117.152.91 - dns.inter-grafix.com.pl (does not answer; overloaded?)
  195.116.62.86 - madmax.quadrosoft.com
  194.153.216.60 - mail1.getin.pl (open relay)

madmax is not an open relay now, but it was yesterday (?):

<from the mail>
  Received: from kmgwza (xxx [ip-num])
        by madmax.quadrosoft.com (8.9.3/8.9.3) with SMTP id KAA11833;
        Wed, 15 Nov 2000 10:03:25 +0100
</from the mail>

getin.pl is an open relay and responds with the following line:
220-mail1.getin.pl Microsoft SMTP MAIL ready at Thu, 16 Nov 2000 ... \
  Version: 5.5.1877.357.35


VIRUS MAIL:

There are a few attachments in the virus mail:
  1 <no description>              [multipa/alternativ, 7bit, 0.7K]
  2 +-><no description>           [text/plain, quoted, iso-8859-2, 0K]
  3 +-><no description>           [text/html, quoted, iso-8859-2, 0.4K]
  4 myromeo.exe                   [applica/x-msdownlo, base64, 38K]
  5 myjuliet.chm                  [applica/octet-stre, base64, 8.5K]

myromeo.exe is packed with UPX (a very good packing utility).
The html part consists of a few lines:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
</HEAD>
<BODY BGCOLOR="black" TEXT="red">
<DIV>&nbsp;</DIV>

<DEFANGED_IFRAME width=1 height=1
src="cid:000701bf8458$eb570380$dc0732d4 at 666"></IFRAME>
<DEFANGED_IFRAME width=1 height=1
src="cid:000701bf8458$eb570381$dc0732d4 at 666"></IFRAME>
<P></P>

<DEFANGED_SCRIPT>
 window.showHelp("c:/windows/temp/myjuliet.chm");
</SCRIPT>

</BODY></HTML>

Maybe Outlook Express needs to be unpatched to run that, I do not know,
but users say that the attachment runs by itself.

Best regards,

--
Piotr Klaban
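An added example, not part of either message above: a small Python scanner that flags the mail structure Piotr describes (hidden 1x1 IFRAMEs pulling attachments in via "cid:" references, a script calling window.showHelp() on a .chm, and .exe/.chm attachments). The sample message is constructed for the demo; only the attachment names and Content-IDs are taken from the post, the bodies are dummies.

```python
import email, re
from email import policy

# Constructed sample mirroring the structure listed in the post (attachment
# names and Content-IDs from the post; the attachment bodies are dummies).
SAMPLE = """\
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset="iso-8859-2"

<IFRAME width=1 height=1 src="cid:000701bf8458$eb570380$dc0732d4@666"></IFRAME>
<SCRIPT> window.showHelp("c:/windows/temp/myjuliet.chm"); </SCRIPT>
--outer
Content-Type: application/x-msdownload; name="myromeo.exe"
Content-ID: <000701bf8458$eb570380$dc0732d4@666>

dummy-exe-bytes
--outer
Content-Type: application/octet-stream; name="myjuliet.chm"
Content-ID: <000701bf8458$eb570381$dc0732d4@666>

dummy-chm-bytes
--outer--
"""

CID_IFRAME = re.compile(r'<iframe[^>]*src\s*=\s*"?cid:([^">\s]+)', re.I)
SHOWHELP = re.compile(r'window\.showHelp\s*\(', re.I)
RISKY_EXT = ('.exe', '.chm')


def scan(raw):
    """Return the list of findings for one raw message (empty if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings, cids = [], {}  # cids: Content-ID -> risky attachment name
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            findings.append(f"risky attachment: {name}")
            cid = str(part.get('Content-ID', '')).strip('<> ')
            if cid:
                cids[cid] = name
    for part in msg.walk():
        if part.get_content_type() == 'text/html':
            html = part.get_content()
            for cid in CID_IFRAME.findall(html):
                target = cids.get(cid, 'unknown part')
                findings.append(f"hidden IFRAME loads cid:{cid} ({target})")
            if SHOWHELP.search(html):
                findings.append("script calls window.showHelp() on a .chm")
    return findings
```

Running scan(SAMPLE) reports both attachments, the IFRAME that references the .exe by Content-ID, and the showHelp() call; a plain text message yields no findings.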