[Esa-l] Anyone seen this one before?
faxguy at deanox.com
Fri Jul 20 14:49:04 PDT 2001
I think that this is W32.Sircam virus/worm.
At 02:44 PM 7/20/01 -0700, Simon Matthews wrote:
>I think you need to look at the filename again. Surely it is a DOS batch
>file that is masquerading as an excel spreadsheet?
>At 03:24 PM 7/20/01 -0600, you wrote:
>>The following just came across the tech at openbsd.org list:
>> >From: "Martha Rmos"<mrios at oleoquimica.com>
>> >To: tech at openbsd.org
>> >Subject: Libro1
>> >date: Fri, 20 Jul 2001 15:42:14 -0600
>> >MIME-Version: 1.0
>> >X-Mailer: Microsoft Outlook Express 5.50.4133.2400
>> >Content-Type: text/plain; charset="us-ascii"
>> >Content-Disposition: Multipart message
>> >X-Converted-To-Plain-Text: from multipart/mixed by demime 0.98d
>> >X-Converted-To-Plain-Text: Alternative section used was text/plain
>> >Sender: owner-tech at openbsd.org
>> >Precedence: bulk
>> >X-Loop: tech at openbsd.org
>> >X-UIDL: feb82c7f67a1d23136b2b32d3c4fe1ae
>> >Hi! How are you?
>> >I send you this file in order to have your advice
>> >See you later. Thanks
>> >[demime 0.98d removed an attachment of type application/mixed which had
>> >a name of Libro1.xls.bat]
>> >[demime 0.98d removed a section which didn't have a content-type header]
>>Note that, since the list is "de-mimed," I can't see the Trojan
>>itself, but it sure looks like an Excel macro Trojan that utilizes
>>a double-extension exploit.
>>E-mail Security Announce list mailing list
>>E-mail Security Announce list at spconnect.com
More information about the esd-l
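
As an added example (not part of the original thread or any poster's message): a Python check that flags double-extension attachment names like the `Libro1.xls.bat` discussed above, both in MIME parts and in the removal notices demime leaves in de-mimed list posts. The extension lists, function names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Assumed, non-exhaustive lists: types Windows executes vs. document decoys.
EXECUTABLE = {"bat", "cmd", "com", "exe", "pif", "scr", "vbs", "lnk"}
DECOY = {"xls", "doc", "txt", "pdf", "jpg", "gif", "zip", "ppt"}

# Removal notice in the form quoted in the thread; it may wrap across lines.
DEMIME_RE = re.compile(r"\[demime \S+ removed an attachment of type \S+ "
                       r"which had a name of ([^\]]+)\]")

def is_double_extension(filename):
    """True when the name ends .<decoy>.<executable>, e.g. name.xls.bat."""
    parts = filename.strip().lower().rstrip(". ").split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE and parts[-2] in DECOY

def attachment_names(msg):
    """Yield names from MIME parts and from demime notices in text parts."""
    for part in msg.walk():
        if part.get_filename():
            yield part.get_filename()
        if part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("ascii", "replace")
            # Drop quote markers and rejoin wrapped lines before matching.
            lines = (re.sub(r"^[>\s]+", "", l) for l in text.splitlines())
            yield from DEMIME_RE.findall(" ".join(lines))

def suspicious_attachments(raw):
    """Return attachment names in a raw message that use a double extension."""
    msg = message_from_string(raw)
    return [n for n in attachment_names(msg) if is_double_extension(n)]

# Constructed sample: a de-mimed list post shaped like the one in the thread.
SAMPLE_DEMIMED = (
    'Subject: Libro1\nContent-Type: text/plain; charset="us-ascii"\n\n'
    ">> >Hi! How are you?\n"
    ">> >[demime 0.98d removed an attachment of type application/mixed which had\n"
    ">> a name of Libro1.xls.bat]\n")

def build_sample_mime():
    """Constructed sample: a MIME message with one decoy and one benign name."""
    m = EmailMessage()
    m.set_content("see attached")
    for name in ("Libro1.xls.bat", "budget.v2.xls"):
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_string()
```

A mail gateway would typically quarantine or rename anything this returns rather than deliver it, since the final extension is what Windows acts on.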