[Esa-l] Heads up, new virus...

John D. Hardin jhardin at wolfenet.com
Sat Nov 18 06:43:43 PST 2000


On Thu, 16 Nov 2000, Andre Kajita - Administrador da Rede wrote:

> Our nets were affected by the new mail virus - myromeo/myjuliet.

Everybody: We're professionals. Please include AV Vendor URLs for
verification.

>   4 myromeo.exe    

Would be mangled, but go ahead and add it to your poisoned list.

>   5 myjuliet.chm   

You should already be poisoning *.chm, so this would poison and
quarantine the message by itself.

> The html part consists of a few lines:
> 
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> <HTML><HEAD>
> </HEAD>
> <BODY BGCOLOR="black" TEXT="red">
> <DIV>&nbsp;</DIV>
> 
> <DEFANGED_IFRAME width=3D1 height=3D1
> src=3D"cid:000701bf8458$eb570380$dc0732d4 at 666"></IFRAME>
> <DEFANGED_IFRAME width=3D1 height=3D1
> src=3D"cid:000701bf8458$eb570381$dc0732d4 at 666"></IFRAME>
> <P></P>
> 
> <DEFANGED_SCRIPT>
>  window.showHelp("c:/windows/temp/myjuliet.chm");
> </SCRIPT>
> 
> </BODY></HTML>

...and this gets defanged so that it won't auto-execute.

A standard sanitizer install with the recommended default poison list
will block this, but you probably should go ahead and add MYROMEO.EXE
to your poisoned list just for paranoia's sake.

--
 John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
 jhardin at wolfenet.com      pgpk -a finger://gonzo.wolfenet.com/jhardin
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
   5 days until Thanksgiving
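
The two controls the message above relies on, filename poisoning and tag defanging, as an added example in Python. It is not part of the original post and is not the sanitizer's own code; the function names, the two-entry poison list and the sample message are constructed for illustration, and filename mangling is not modelled.

```python
import email
import fnmatch
import re
from email.message import EmailMessage

# Assumed poison list for this sketch: the two patterns named in the post.
POISONED = ["*.chm", "myromeo.exe"]
# Tags seen in the quoted HTML; only the opening tag is renamed.
ACTIVE_TAGS = re.compile(r"<(iframe|script)\b", re.IGNORECASE)


def defang_html(html):
    """Rename active opening tags, e.g. <SCRIPT> -> <DEFANGED_SCRIPT>."""
    return ACTIVE_TAGS.sub(lambda m: "<DEFANGED_" + m.group(1).upper(), html)


def poisoned_names(msg):
    """Return attachment filenames matching the poison list (case-insensitive)."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and any(fnmatch.fnmatchcase(name.lower(), p) for p in POISONED):
            hits.append(name)
    return hits


def sanitize(raw_bytes):
    """Return ('quarantine', names) or ('deliver', defanged_html_parts)."""
    msg = email.message_from_bytes(raw_bytes)
    hits = poisoned_names(msg)
    if hits:
        return "quarantine", hits
    html = [defang_html(p.get_payload(decode=True).decode("latin-1"))
            for p in msg.walk() if p.get_content_type() == "text/html"]
    return "deliver", html


def build_sample(attachments):
    """Constructed message: HTML body like the quoted one, dummy attachments."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("plain part")
    m.add_alternative('<BODY><IFRAME width=1 height=1 src="cid:x"></IFRAME>'
                      '<SCRIPT>window.showHelp("c:/x.chm");</SCRIPT></BODY>',
                      subtype="html")
    for name in attachments:
        m.add_attachment(b"dummy", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()
```

Either filename match alone is enough to quarantine the message, which is why a `*.chm` entry already covers this case before MYROMEO.EXE is added.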



