[Esa-l] Heads up, new virus...

John D. Hardin jhardin at wolfenet.com
Sat Nov 18 06:43:43 PST 2000

On Thu, 16 Nov 2000, Andre Kajita - Administrador da Rede wrote:

> Our nets were affected by the new mail virus - myromeo/myjuliet.

Everybody: We're professionals. Please include AV Vendor URLs for

>   4 myromeo.exe    

Would be mangled, but go ahead and add it to your poisoned list.

>   5 myjuliet.chm   

You should already be poisoning *.chm, so this would poison and
quarantine the message by itself.

> The html part consists of a few lines:
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> </HEAD>
> <BODY BGCOLOR="black" TEXT="red">
> <DIV>&nbsp;</DIV>
> <DEFANGED_IFRAME width=3D1 height=3D1
> src=3D"cid:000701bf8458$eb570380$dc0732d4 at 666"></IFRAME>
> <DEFANGED_IFRAME width=3D1 height=3D1
> src=3D"cid:000701bf8458$eb570381$dc0732d4 at 666"></IFRAME>
> <P></P>
>  window.showHelp("c:/windows/temp/myjuliet.chm");
> </BODY></HTML>

...and this gets defanged so that it won't auto-execute.

A standard sanitizer install with the recommended default poison list
will block this, but you probably should go ahead and add MYROMEO.EXE
to your poisoned list just for paranoia's sake.

 John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
 jhardin at wolfenet.com      pgpk -a finger://gonzo.wolfenet.com/jhardin
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
   5 days until Thanksgiving
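
Added example, not part of the original post and not the sanitizer's own code: a sketch of the decision the reply describes, where a poisoned-list match on any attachment name quarantines the whole message and an executable extension alone is only mangled. The list contents, the extension set and the function names are assumptions made for illustration.

```python
import fnmatch
from email import message_from_string

# Assumed policy for illustration only, not the sanitizer's shipped lists.
DEFAULT_POISONED = ("*.chm",)                 # a match quarantines the message
MANGLED_EXT = (".exe", ".vbs", ".scr")        # a match gets the name mangled

def classify(filename, poisoned):
    """Return 'poison', 'mangle' or 'pass' for one attachment name."""
    name = filename.strip().lower()
    if any(fnmatch.fnmatchcase(name, p.lower()) for p in poisoned):
        return "poison"
    return "mangle" if name.endswith(MANGLED_EXT) else "pass"

def verdict(raw_message, poisoned=DEFAULT_POISONED):
    """Classify each named MIME part; one poisoned part quarantines it all."""
    results = {}
    for part in message_from_string(raw_message).walk():
        # get_filename() also falls back to the Content-Type name= parameter,
        # so a part without Content-Disposition is still checked.
        fn = part.get_filename()
        if fn:
            results[fn] = classify(fn, poisoned)
    action = "quarantine" if "poison" in results.values() else "deliver"
    return action, results

# Constructed sample carrying the two attachment names quoted in the post.
SAMPLE = (
    "From: sender@example.invalid\n"
    "Subject: constructed test message\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "body text\n"
    "--b1\n"
    'Content-Type: application/octet-stream; name="MyRomeo.exe"\n'
    'Content-Disposition: attachment; filename="MyRomeo.exe"\n'
    "\n"
    "placeholder\n"
    "--b1\n"
    'Content-Type: application/octet-stream; name="MyJuliet.chm"\n'
    "\n"
    "placeholder\n"
    "--b1--\n"
)

if __name__ == "__main__":
    print(verdict(SAMPLE))                                   # *.chm only
    print(verdict(SAMPLE, DEFAULT_POISONED + ("myromeo.exe",)))
```

With only `*.chm` listed, the message is already quarantined because of the .chm part; adding `myromeo.exe` changes that one attachment from mangled to poisoned.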
