"Robert D. Hughes" wrote:

> First of all, here's the headers:

<<snip>>

> Now, they've obviously taken an actual MS bulletin and used the text, right
> down to including a PGP key, and they've incremented it from the previous
> bulletin. The first thing I noticed is that the entire message is
> double-spaced. Not a lot, but it was different from every other bulletin I've
> gotten. The obvious giveaway is the address they've used for the fix, as
> well as specifying a particular file to download. The bulletin page of course is
> 404.

Apart from the double-spacing and the 404 error on the non-existent security bulletin, this same trick was used a few days (week?) ago to advertise/distribute a (then) new Win32/Leave variant (that worm that spreads via SubSeven machines that the NIPC were so worked up about a couple of weeks back).

> The netblock is owned by LYCOS in Europe and points to a tripod page, with an
> att.net account used to send the mail, and relevant parties have been cc'ed
> as well. And apparently the user name associated with the site is hicagogppr.
>
> From my limited experience, I can tell very little about the file other than
> it appears to connect to a remote web site. This comes from running strings
> against the file. It also appears to go after Napster and ICQ accounts, but I
> can't tell what else it does. I think the most important thing is that
> scanning it with the latest virus signatures from Norton comes up clean, so a
> user would not be notified that they are running an infected file.
>
> If someone with the knowledge and experience will, please do a full analysis
> on this and let me know what it is. I'm pretty much a rank newbie at this, as
> you can probably tell ;) I searched the bugtraq archives, but didn't find
> anything on this, so if it's known, I apologize.

<<snip>>

Sounds like a new Leave variant. Please send a copy to your preferred antivirus vendor.
To possibly save you the search time, the sample submission addresses of the better-known developers are:

Command Software <virus@commandcom.com>
Computer Associates (US) <virus@cai.com>
Computer Associates (Vet/IPE) <ipevirus@vet.com.au>
DialogueScience (Dr.Web) <Antivir@dials.ru>
Eset (NOD32) <trnka@eset.sk>
F-Secure Corp. <samples@f-secure.com>
Frisk Software <viruslab@complex.is>
Kaspersky Labs <newvirus@avp.ru>
Network Associates (US) <virus_research@nai.com>
Norman (NVC) <analysis@norman.no>
Sophos Plc. <support@sophos.com>
Symantec <avsubmit@symantec.com>
Trend Micro <virus_doctor@trendmicro.com>

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 08:36:00 PDT