RE: CRIME RE: New one, .B, was: New virus alert: Mydoom!!!

From: Alan (alan@private)
Date: Wed Jan 28 2004 - 18:23:17 PST


    On Wed, 2004-01-28 at 14:41, Kuo, Jimmy wrote:
    > This element as the body of the virus' message is a distinguishing element:
    > 
    > >sendmail daemon reported:
    > >Error #804 occured during SMTP session. Partial message has been received.
    > 
    
    I have only seen a couple of these so far.
    
    It throws in a bunch of random crap as the message.
    
    For example:
    
    > 
    > ------=_NextPart_000_0011_0D57216B.5E6EE3D1
    > Content-Type: text/plain;
    >       charset="Windows-1252"
    > Content-Transfer-Encoding: 7bit
    > 
    > 
    
    
    > 
    > Jimmy
    > 
    > -----Original Message-----
    > From: Seth Arnold
    > To: 'Crime List'
    > Sent: 1/28/04 12:58 PM
    > Subject: Re: CRIME RE: New one, .B, was: New virus alert: Mydoom!!!
    > 
    > On Wed, Jan 28, 2004 at 12:18:28PM -0800, Kuo, Jimmy wrote:
    > > So, if you actually see the .B variant, I would love to know (and send
    > > me a sample for confirmation, please).
    > > http://vil.nai.com/vil/content/v_100988.htm
    > 
    > The variations listed on this page are:
    >   # contains its own SMTP engine to construct outgoing messages
    >   # contains a peer to peer propagation routine
    >   # contains a Denial of Service payload
    >   # overwrites the local hosts file on the victim machine
    >   # contains a backdoor component
    > 
    > Is there anything externally visible to us non-windows-users to help
    > determine .B from .A? (Or would it be easier to just send you the 108
    > virii I've accumulated recently, and let your engine sort them out?)
    > 
    > Thanks
    -- 
    "Push that big, big granite sphere way up there from way down here!
    Gasp and sweat and pant and wheeze! Uh-oh! Feel momentum cease!
    Watch it tumble down and then roll the boulder up again!"
        - The story of Sisyphus by Dr. Zeus in Frazz 12/18/2003
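
Added example (not part of the original messages or of any vendor's scanner): a mail-filter check for the two externally visible clues discussed in this thread, the quoted "sendmail daemon reported" text and a text/plain part declared 7bit that nevertheless carries non-ASCII bytes. The function names, the sample messages and the idea of treating 8-bit bytes in a 7bit part as a signal are assumptions made for illustration.

```python
import email

# Message text quoted in the thread as a distinguishing element (spelling as quoted).
MARKERS = (b"sendmail daemon reported:",
           b"Error #804 occured during SMTP session")

def suspicious_parts(raw: bytes):
    """Return (part_index, reason, detail) tuples for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw)
    findings = []
    for index, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue  # containers have no body of their own
        # For a 7bit part, decode=True hands back the body bytes unchanged.
        body = part.get_payload(decode=True) or b""
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower()
        for marker in MARKERS:
            if marker in body:
                findings.append((index, "marker", marker.decode()))
        # A part that promises 7bit must not contain bytes >= 0x80.
        if part.get_content_type() == "text/plain" and cte == "7bit":
            high = sum(byte >= 0x80 for byte in body)
            if high:
                findings.append((index, "8bit-in-7bit", high))
    return findings

def build(body: bytes) -> bytes:
    """Constructed sample: one text/plain part with headers like those quoted above."""
    return (b"From: a@example.invalid\r\nTo: b@example.invalid\r\n"
            b"Subject: test\r\nMIME-Version: 1.0\r\n"
            b'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
            b"--XX\r\nContent-Type: text/plain;\r\n"
            b'\tcharset="Windows-1252"\r\n'
            b"Content-Transfer-Encoding: 7bit\r\n\r\n" + body + b"\r\n--XX--\r\n")

# Constructed junk bytes standing in for the random body; not taken from a sample.
JUNK = b"#I}:\xd1\x92)Rc`Z6TMK\xd5\x82InGxPQ"
NOTICE = (b"sendmail daemon reported:\r\n"
          b"Error #804 occured during SMTP session. "
          b"Partial message has been received.")

if __name__ == "__main__":
    for name, body in (("junk", JUNK), ("notice", NOTICE), ("clean", b"Lunch at noon?")):
        print(name, suspicious_parts(build(body)))
```

Neither check separates .A from .B; they only flag messages that match what was reported on the list.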
    



    This archive was generated by hypermail 2b30 : Wed Jan 28 2004 - 19:19:05 PST