[Esa-l]Anyone seen this one before?

Christian Parigger cgparigger at mindspring.com
Fri Jul 20 23:20:32 PDT 2001


Hi everyone,

The SirCam worm appears to be multi-lingual. Below is a copy of a trapped
e-mail, in this case because of the use of double-dot attachments.

Christian Parigger (cparigge at utsi.edu)

> Hola como estas ?
>
> Te mando este archivo para que me des tu punto de vista
>
> Nos vemos pronto, gracias.
>

----- Original Message -----
From: "Lee Howard" <faxguy at deanox.com>
To: "Simon Matthews" <simon at paxonet.com>; "Brett Glass" <brett at lariat.org>
Cc: <esa-l at spconnect.com>
Sent: Friday, July 20, 2001 4:49 PM
Subject: Re: [Esa-l]Anyone seen this one before?


| I think that this is W32.Sircam virus/worm.
|
| Lee.
|
| At 02:44 PM 7/20/01 -0700, Simon Matthews wrote:
| >Brett,
| >
| >I think you need to look at the filename again. Surely it is a DOS batch
| >file that is masquerading as an excel spreadsheet?
| >
| >Simon
| >
| >At 03:24 PM 7/20/01 -0600, you wrote:
| >>The following just came across the tech at openbsd.org list:
| >>
| >> >From: "Martha Rmos"<mrios at oleoquimica.com>
| >> >To: tech at openbsd.org
| >> >Subject: Libro1
| >> >date: Fri, 20 Jul 2001 15:42:14 -0600
| >> >MIME-Version: 1.0
| >> >X-Mailer: Microsoft Outlook Express 5.50.4133.2400
| >> >Content-Type: text/plain; charset="us-ascii"
| >> >Content-Disposition: Multipart message
| >> >X-Converted-To-Plain-Text: from multipart/mixed by demime 0.98d
| >> >X-Converted-To-Plain-Text: Alternative section used was text/plain
| >> >Sender: owner-tech at openbsd.org
| >> >Precedence: bulk
| >> >X-Loop: tech at openbsd.org
| >> >X-UIDL: feb82c7f67a1d23136b2b32d3c4fe1ae
| >> >
| >> >Hi! How are you?
| >> >
| >> >I send you this file in order to have your advice
| >> >
| >> >See you later. Thanks
| >> >
| >> >[demime 0.98d removed an attachment of type application/mixed which had
| >> >a name of Libro1.xls.bat]
| >> >
| >> >[demime 0.98d removed a section which didn't have a content-type header]
| >>
| >>Note that, since the list is "de-mimed," I can't see the Trojan
| >>itself, but it sure looks like an Excel macro Trojan that utilizes
| >>a double-extension exploit.
| >>
| >>--Brett
| >>_______________________________________________
| >>E-mail Security Announce list mailing list
| >>E-mail Security Announce list at spconnect.com
| >>http://www.spconnect.com/mailman/listinfo/esa-l



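The kind of attachment-name check that traps a message like the one quoted above, shown as an added example (not code from this thread, from demime, or from any filter the posters used). The extension blocklist, the names DOUBLE_EXT and scan, and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy

# Assumed blocklist of extensions Windows runs on double-click (not exhaustive).
EXEC = "bat|cmd|com|exe|lnk|pif|scr|vbs"
# A short "decoy" extension, optional padding, then the real executable one.
DOUBLE_EXT = re.compile(r"\.([a-z0-9]{1,5})\s*\.(" + EXEC + r")[\s.]*$", re.I)

# Constructed sample modelled on the quoted headers; payloads are placeholders.
SAMPLE = b"""\
Subject: Libro1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hi! How are you?

--b1
Content-Type: application/mixed; name="Libro1.xls.bat"
Content-Disposition: attachment; filename="Libro1.xls.bat"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1
Content-Type: application/vnd.ms-excel
Content-Disposition: attachment; filename="budget.v1.2 final.xls"

placeholder
--b1--
"""

def scan(raw_message):
    """Return (filename, decoy_ext, real_ext) for each suspicious MIME part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition, then Content-Type name=
        filename = part.get_filename()
        match = DOUBLE_EXT.search(filename) if filename else None
        if match:
            hits.append((filename, match.group(1).lower(), match.group(2).lower()))
    return hits

if __name__ == "__main__":
    for name, decoy, real in scan(SAMPLE):
        print(f"quarantine: {name!r} looks like .{decoy} but runs as .{real}")
```

Only the final extension decides what Windows executes, so the check keys on that and treats the preceding short extension as the decoy; a legitimate name with dots in it, such as the second attachment, is not flagged.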