[Esa-l] New worm?

Brett Glass brett at lariat.org
Wed Apr 25 11:05:07 PDT 2001


I just received an odd message that emanated from a dial-up
account in Russia. The headers looked like this:

>Return-Path: <>
>Received: from oxen (67.172.10.dn.dialup.cityline.ru [195.46.172.67])
>        by lariat.org (8.9.3/8.9.3) with SMTP id LAA02618
>        for <brett at lariat.org>; Wed, 25 Apr 2001 11:56:01 -0600 (MDT)
>Date: Wed, 25 Apr 2001 11:56:01 -0600 (MDT)
>Message-Id: <200104251756.LAA02618 at lariat.org>
>MIME-Version: 1.0
>Content-Type: multipart/mixed; boundary="--VEZKPERSD2FGLMFSP"
>X-UIDL: 670d81b905ac1ca35662cbc1f15a3e88

Note that there was no "From:" header -- a sure sign that something
very odd was going on. There was also an attachment with the name

EGFCHDEG.EXE

Anyone know what this is? The MIME boundary fits the pattern for
Hybris, and the string HYBRIS appears early in the binary, so
I'm assuming that this is a Hybris variant. But John's sanitizer didn't 
quarantine the message. Fortunately, most of our users aren't foolish 
enough to open up an attachment that doesn't even say who it's from....

--Brett
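The red flags Brett lists (no From: header, a null Return-Path, a dial-up origin whose HELO name does not match its reverse DNS, and a bare .EXE attachment) can be checked mechanically before a message reaches a user's mailbox. The following is an added example, not code from the original post or from the sanitizer mentioned in it. It parses a constructed message modelled on the quoted headers with Python's standard `email` package and reports each heuristic that fires; the attachment payload, the benign contrast message, the `audit_message`/`parse_received` names and the suffix list are all assumptions made here.

```python
"""Audit a raw RFC 822 message for the red flags called out in the post:
no From: header, a null Return-Path, an executable attachment, and a
HELO name that does not match the connecting host's reverse DNS."""
import email
import re
from email import policy

# Constructed sample modelled on the headers quoted in the post. The body
# and the base64 attachment payload are placeholders, not the received file.
RAW_SUSPICIOUS = b"""Return-Path: <>
Received: from oxen (67.172.10.dn.dialup.cityline.ru [195.46.172.67])
        by lariat.org (8.9.3/8.9.3) with SMTP id LAA02618
        for <brett@lariat.org>; Wed, 25 Apr 2001 11:56:01 -0600 (MDT)
Date: Wed, 25 Apr 2001 11:56:01 -0600 (MDT)
Message-Id: <200104251756.LAA02618@lariat.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VEZKPERSD2FGLMFSP"

----VEZKPERSD2FGLMFSP
Content-Type: text/plain

(empty body)
----VEZKPERSD2FGLMFSP
Content-Type: application/octet-stream; name="EGFCHDEG.EXE"
Content-Disposition: attachment; filename="EGFCHDEG.EXE"
Content-Transfer-Encoding: base64

TVpQTEFDRUhPTERFUg==
----VEZKPERSD2FGLMFSP--
"""

# Constructed benign message for contrast: proper From:, envelope sender,
# HELO name matching reverse DNS, and no attachment.
RAW_BENIGN = b"""Return-Path: <alice@example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10])
        by lariat.org (8.9.3/8.9.3) with ESMTP id LAA02619
        for <brett@lariat.org>; Wed, 25 Apr 2001 12:00:00 -0600 (MDT)
From: Alice <alice@example.net>
Date: Wed, 25 Apr 2001 12:00:00 -0600 (MDT)
Message-Id: <20010425180000.LAA02619@mail.example.net>
Subject: hello

Plain text, nothing attached.
"""

# Assumed list of attachment suffixes worth flagging at the gateway.
EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")

# Matches the sendmail-style "from HELO (rdns [ip])" clause of a Received line.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)")


def parse_received(value):
    """Return (helo_name, reverse_dns, ip) from a Received header, or None."""
    m = RECEIVED_RE.search(value)
    return m.groups() if m else None


def audit_message(raw):
    """Parse a raw message and return the heuristics that fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # A message with no From: header at all is the post's first warning sign.
    if msg["From"] is None:
        findings.append("missing From: header")

    # Return-Path: <> means a null envelope sender, normally only seen on bounces.
    if str(msg.get("Return-Path", "")).strip() == "<>":
        findings.append("null Return-Path (no envelope sender)")

    # Walk every MIME part and record any attachment with a risky suffix.
    attachments = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            attachments.append(name)
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                findings.append(f"executable attachment: {name}")

    # Compare the HELO name with the reverse DNS recorded by the receiving MTA.
    hop = parse_received(str(msg.get("Received", "")))
    if hop and hop[0].lower() != hop[1].lower():
        findings.append(f"HELO name {hop[0]!r} does not match reverse DNS {hop[1]!r}")

    return {
        "findings": findings,
        "attachments": attachments,
        "boundary": msg.get_boundary(),
        "origin": hop,
    }


if __name__ == "__main__":
    for label, raw in (("suspicious", RAW_SUSPICIOUS), ("benign", RAW_BENIGN)):
        report = audit_message(raw)
        print(f"{label}: boundary={report['boundary']!r} origin={report['origin']}")
        for finding in report["findings"]:
            print("  FLAG:", finding)
```

Each heuristic on its own is weak (legitimate bounces also carry a null Return-Path, and plenty of honest hosts send a HELO name that differs from their reverse DNS), so a gateway filter would normally act on the combination, in particular a From-less multipart message carrying an executable, rather than on any single flag.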
