[Esd-l] Fw: New Virus/Worm email

Jeffrey S. Gavin jeff at ezclick.net
Tue Sep 18 14:33:01 PDT 2001


I've read that this particular worm (W32.Nimda.A@mm) will try to
download itself when a user visits a compromised web server.  More info
can be found at:

http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

Jeff

Bill Larson wrote:
> 
> Are the audio attachments munged for executable attachments? If not we need a
> patch ASAP!
> 
> ----- Original Message -----
> From: "Jim Seymour"
> Newsgroups: spamcop.geeks
> Sent: Tuesday, September 18, 2001 11:10 AM
> Subject: New Virus/Worm Email
> 
> > I just received an interesting email.  It made it past my virus filters, but a
> > report on the NTBugTraq mailing list is reporting it as some kind of unknown
> > worm that attacks IIS machines.
> >
> > The message itself uses an attachment with a content type of audio/x-wav, but
> > with a name of "readme.exe".  I've got the security settings tightened down, but
> > even so, Outlook Express asked me whether I wanted to open the embedded
> > attachment.
> >
> > Here is the email that I received (without the encoded attachment, of course).
> > Note the long Subject line and the HTML iframe that refers to local content.
> > Keep your eye on this one...
> >
> > --
> > Jim Seymour
> >
> > -----------------------------------------------------------------------
> >
> > Received: from TGLNT (mail.tricongroup.com [206.206.91.131]) by mail.cipher.com
> >  with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
> >  id SVNKL1PC; Tue, 18 Sep 2001 08:15:28 -0700
> > From: <3dzvi51gehej at 4ax.com>
> > Subject: Xtoprecvranalyzerdiskstrreadmec2supprttablecoltoprecvraps32analyzerdefaultusergrpcinforccidbutilappevent
> > MIME-Version: 1.0
> > Content-Type: multipart/related;
> >  type="multipart/alternative";
> >  boundary="====_ABC1234567890DEF_===="
> > X-Priority: 3
> > X-MSMail-Priority: Normal
> > X-Unsent: 1
> >
> > --====_ABC1234567890DEF_====
> > Content-Type: multipart/alternative;
> >  boundary="====_ABC0987654321DEF_===="
> >
> > --====_ABC0987654321DEF_====
> > Content-Type: text/html;
> >  charset="iso-8859-1"
> > Content-Transfer-Encoding: quoted-printable
> >
> >
> > <HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
> > <iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
> > </iframe></BODY></HTML>
> > --====_ABC0987654321DEF_====--
> >
> > --====_ABC1234567890DEF_====
> > Content-Type: audio/x-wav;
> >  name="readme.exe"
> > Content-Transfer-Encoding: base64
> > Content-ID: <EA4DMGBP9p>
> _______________________________________________
> Esd-l mailing list
> Esd-l at spconnect.com
> http://www.spconnect.com/mailman/listinfo/esd-l
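
A filter-side check for the two traits visible in the quoted message (an executable file name declared as audio/x-wav, and an HTML iframe whose src points at that part's Content-ID), as an added example that is not part of the original thread. The function name, flag names, extension list and the harmless placeholder payload are assumptions; the sample message is constructed from the quoted headers.

```python
import email, os, re
from email import policy

EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat"}  # assumed list, extend as needed
# Constructed sample modelled on the quoted message; payload is base64 of b"MZ placeholder".
SAMPLE = b"""\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

TVogcGxhY2Vob2xkZXI=
--====_ABC1234567890DEF_====--
"""

def findings(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    html = " ".join(p.get_content() for p in msg.walk()
                    if p.get_content_type() == "text/html")
    # Content-IDs that an <iframe>/<frame> in the HTML body loads without a click
    framed = set(re.findall(r"<i?frame[^>]*\bsrc=[\"']?cid:([^\s\"'>]+)", html, re.I))
    flags = set()
    for part in msg.walk():
        ext = os.path.splitext((part.get_filename() or "").lower())[1]
        if ext in EXEC_EXTS and part.get_content_maintype() != "application":
            flags.add("type-name-mismatch")  # e.g. audio/x-wav named readme.exe
            if str(part.get("Content-ID", "")).strip("<> ") in framed:
                flags.add("framed-attachment")
        if not part.is_multipart() and (part.get_payload(decode=True) or b"")[:2] == b"MZ":
            flags.add("pe-magic")  # decoded body starts like a DOS/PE executable
    return flags
```

Checking the decoded bytes as well as the name means a renamed attachment is still flagged by its content.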


