Hi Steven, Okay, this is probably the NewApt worm/trojan/virus. Here are some descriptions of it: Trend Micro Description http://www.antivirus.com/vinfo/security/sa121499.htm NAI Avert Description http://vil.nai.com/vil/wm10475.asp Symantec Description http://www.symantec.com/avcenter/venc/data/worm.newapt.html F-Secure Description http://www.europe.f-secure.com/v-descs/newapt.htm The NTBugTraq mailing list had the same problem last week. All it takes is one person on a mailing list to get infected, then it sends itself off to people who have posted messages to the list. For example, I got a WinApt message from Italy that was a reply to a message I posted in August to NTBugTraq. An interesting side note, NewApt contains an IP address for a Microsoft Web server that shows the www.microsoft.com homepage. Not sure what the purpose of this address is in the code. Richard > -----Original Message----- > From: Bugtraq List [mailto:BUGTRAQat_private]On Behalf Of Steven > Alexander > Sent: Wednesday, December 22, 1999 11:49 AM > To: BUGTRAQat_private > Subject: Warning to Bugtraq posters. > > > After my last post to bugtraq (Re: w00w00....) I received a message > pertaining to be from myself with the same subject line. The messsage > contained an attachment program named goal.exe. It claimed that this > program was from messagemates.com. If the program is run it will give an > error message about an unfound .DLL. It will also create a new > goal.exe in > "C:\WINNT\" and an entry in the registry named "tpawen" with the value > "C:\WINNT\goal.exe /x" under > "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run" > . I don't > know what this program is, I am disassembling it now and will post again > later. The header from the message I received indicates that the mail was > received by my mail server from "stu.chesapeake.net, 205.130.220.9". If > anyone knows anything more please email me. > > -steven alexander >
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:23:14 PDT