RE: New Virus

  • From: "John Tolmachoff \(Lists\)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Mon, 26 Jan 2004 23:34:42 -0800

Subject filtering is not going to get you very far. While maybe 75% of the
infected viruses have one of 6 subject lines, the others are completely
random.

 

Here is the advisory from McAfee:

W32/Mydoom@MM is a High-Outbreak mass-mailing worm flooding
email servers worldwide. When run, the worm steals email
addresses from the infected machine and also automatically
generates random email addresses for propagation. This email
generation engine is similar to technologies spammers use to
generate addresses for spam email campaigns.

W32/Mydoom@MM generates emails with a spoofed "From: field",
so incoming messages may appear to be from people you know.
Furthermore, the subject line and message body are both
randomly generated by the worm.

------------------------------------------------------------

Caution: An infected email can come from addresses you
recognize and may contain the following information:

From:       randomly generated <spoofed>
Subject:    randomly generated
Body:       randomly generated - examples:

- The message cannot be represented in 7-bit ASCII
  encoding and has been sent as a binary attachment.
- The message contains Unicode characters and has been sent
  as a binary attachment.
- Mail transaction failed. Partial message is available.

Attachment: randomly generated

The icon used by the file tries to make it appear as if the
attachment is a text file.  The attachment type varies
[.exe, .pif, .cmd, .scr] -- often arrives in a ZIP archive,
though the attachment size is 22,528 bytes.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
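
Because the subject, body and sender are random or spoofed, the stable feature in the advisory is the attachment type. The following is an added example, not part of the original thread or the McAfee advisory: a Python check that flags the listed extensions, including when the file sits inside a ZIP archive. The function names, addresses and sample messages are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the advisory quoted above.
BLOCKED_EXTS = (".exe", ".pif", ".cmd", ".scr")


def blocked_names(raw: bytes) -> list[str]:
    """Return attachment names (and ZIP member names) with a blocked extension."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        # strip() defeats padding such as "readme.txt      .scr   "
        name = (part.get_filename() or "").strip()
        if name.lower().endswith(BLOCKED_EXTS):
            hits.append(name)
        elif name.lower().endswith(".zip"):
            try:
                data = part.get_payload(decode=True)
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        if member.strip().lower().endswith(BLOCKED_EXTS):
                            hits.append(f"{name}!{member}")
            except zipfile.BadZipFile:
                # An archive the filter cannot open is reported, not passed.
                hits.append(f"{name}!<unreadable archive>")
    return hits


def build_sample(subject: str, attach_name: str, payload: bytes) -> bytes:
    """Constructed test message; the payload is harmless placeholder bytes."""
    m = EmailMessage()
    m["From"] = "someone@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("Mail transaction failed. Partial message is available.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=attach_name)
    return m.as_bytes()


def zip_with(member: str) -> bytes:
    """Constructed ZIP archive holding one placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder")
    return buf.getvalue()
```

The result does not depend on the subject line, so a message with a random subject and a message with 'Hi' are judged the same way.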

 

-----Original Message-----
From: KEN MORRIS [mailto:KMORRIS@xxxxxxx] 
Sent: Monday, January 26, 2004 7:34 PM
To: [ExchangeList]
Subject: RE: [exchangelist] RE: New Virus

 

Just reading an article about it:

http://hispeed.rogers.com/news/tech/story.jsp?cid=z012615A

Seems the filtering that Chris suggests may be a good thing to do.

-----Original Message----- 
From: Chris Wall [mailto:Chris.Wall@xxxxxxxxxxxxxxxxxxx] 
Sent: Mon 1/26/2004 7:40 PM 
To: [ExchangeList] 
Cc: 
Subject: [exchangelist] RE: New Virus

http://www.MSExchange.org/

Getting hammered with it as well here.  GFI is catching them....  Seems that
most of the e-mails contain 'Hi', 'Hello', 'Test' or 'Error' in the subject
field.  You may want to implement a Subject block on these for a while.  I
have quarantined over 550 in the past 3 hours.  I will pass along any info
when I get it.

Chris

-----Original Message-----
From: Yoon Sang Ahn [mailto:ys_ahn@xxxxxxxxxxx]
Sent: Monday, January 26, 2004 7:31 PM
To: [ExchangeList]
Subject: [exchangelist] RE: New Virus

http://www.MSExchange.org/

Yes got several, it has a readme attachment. With a ZIP and SCR extension.


>From: "Mark Fugatt" <mark@xxxxxxxxx>
>Reply-To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
>To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
>Subject: [exchangelist] RE: New Virus
>Date: Mon, 26 Jan 2004 17:30:58 -0500
>
>http://www.MSExchange.org/
>
>Yep, I am getting hammered with it at the moment :-(
>
>
>Mark Fugatt
>MCSE, MCT, Microsoft Exchange MVP
>Pentech Office Solutions Inc
>Rochester, NY
>Tel: 585 576 4750
>http://www.4mcts.com <http://www.4mcts.com/>
>http://www.exchangetrainer.com <http://www.exchangetrainer.com/>
>
>
>
>   _____
>
>From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
>Sent: Monday, January 26, 2004 5:30 PM
>To: [ExchangeList]
>Subject: [exchangelist] New Virus
>Importance: High
>
>
>http://www.MSExchange.org/
>
>
>There is a new virus spreading rapidly. The AV vendors are working on it.
>
>
>
>This one is going to be bad, as it is using zip attachments as well as pif,
>scr and exe.
>
>
>
>Be prepared.
>
>
>
>John Tolmachoff
>
>Engineer/Consultant/Owner
>
>eServices For You
>
>
>
>------------------------------------------------------
>List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
>Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
>Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
>------------------------------------------------------
>Other Internet Software Marketing Sites:
>Leading Network Software Directory: http://www.serverfiles.com
>No.1 ISA Server Resource Site: http://www.isaserver.org
>Windows Security Resource Site: http://www.windowsecurity.com/
>Network Security Library: http://www.secinf.net/
>Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
>------------------------------------------------------
