[Esa-l] New worm?
brett at lariat.org
Wed Apr 25 11:05:07 PDT 2001
I just received an odd message that emanated from a dial-up
account in Russia. The headers looked like this:
>Received: from oxen (67.172.10.dn.dialup.cityline.ru [220.127.116.11])
> by lariat.org (8.9.3/8.9.3) with SMTP id LAA02618
> for <brett at lariat.org>; Wed, 25 Apr 2001 11:56:01 -0600 (MDT)
>Date: Wed, 25 Apr 2001 11:56:01 -0600 (MDT)
>Message-Id: <200104251756.LAA02618 at lariat.org>
>Content-Type: multipart/mixed; boundary="--VEZKPERSD2FGLMFSP"
Note that there was no "From:" header -- a sure sign that something
very odd was going on. There was also an attachment with the name
Anyone know what this is? The MIME boundary fits the pattern for
Hybris, and the string HYBRIS appears early in the binary, so
I'm assuming that this is a Hybris variant. But John's sanitizer didn't
quarantine the message. Fortunately, most of our users aren't foolish
enough to open up an attachment that doesn't even say who it's from....
More information about the esd-l