On Wed, 2004-01-28 at 14:41, Kuo, Jimmy wrote:
> This element as the body of the virus' message is a distinguishing element:
>
> >sendmail daemon reported:
> >Error #804 occured during SMTP session. Partial message has been
>received.
>

I have only seen a couple of these so far. It throws in a bunch of random crap as the message. For example:

>
> ------=_NextPart_000_0011_0D57216B.5E6EE3D1
> Content-Type: text/plain;
> charset="Windows-1252"
> Content-Transfer-Encoding: 7bit
>
>
> Jimmy
>
> -----Original Message-----
> From: Seth Arnold
> To: 'Crime List'
> Sent: 1/28/04 12:58 PM
> Subject: Re: CRIME RE: New one, .B, was: New virus alert: Mydoom!!!
>
> On Wed, Jan 28, 2004 at 12:18:28PM -0800, Kuo, Jimmy wrote:
> > So, if you actually see the .B variant, I would love to know (and send
> > me a sample for confirmation, please).
> > http://vil.nai.com/vil/content/v_100988.htm
>
> The variations listed on this page are:
> # contains its own SMTP engine to construct outgoing messages
> # contains a peer to peer propagation routine
> # contains a Denial of Service payload
> # overwrites the local hosts file on the victim machine
> # contains a backdoor component
>
> Is there anything externally visible to us non-windows-users to help
> determine .B from .A? (Or would it be easier to just send you the 108
> virii I've accumulated recently, and let your engine sort them out?)
>
> Thanks

--
"Push that big, big granite sphere way up there from way down here! Gasp and sweat and pant and wheeze! Uh-oh! Feel momentum cease! Watch it tumble down and then roll the boulder up again!"
- The story of Sisyphus by Dr. Zeus in Frazz 12/18/2003
This archive was generated by hypermail 2b30 : Wed Jan 28 2004 - 19:19:05 PST
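
For the two externally visible traits mentioned in the thread (the "Error #804" body text and binary data in a text part declared `7bit`), a mail-side check could look like the following. This is an added example, not part of the original thread or any vendor's code; the function names, the 10% threshold and the sample messages are assumptions constructed here.

```python
import email

# Body text quoted in the thread as a distinguishing element, kept verbatim
# (including the misspelling "occured").
MARKER = b"Error #804 occured during SMTP session. Partial message has been received."
# Assumption for this example: flag a text part once more than 10% of its
# bytes are 8-bit or control characters.
BINARY_RATIO = 0.10

def inspect_message(raw: bytes) -> dict:
    """Return the two indicators for one raw RFC 822 message."""
    found = {"marker": False, "binary_in_7bit_text": False}
    for part in email.message_from_bytes(raw).walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True) or b""
        # Collapse whitespace so a line-wrapped copy of the marker still matches.
        if MARKER in b" ".join(body.split()):
            found["marker"] = True
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower()
        if cte == "7bit" and body:
            odd = sum(b > 0x7E or (b < 0x20 and b not in b"\t\r\n") for b in body)
            if odd / len(body) > BINARY_RATIO:
                found["binary_in_7bit_text"] = True
    return found

def _mime(body: bytes) -> bytes:
    """Wrap a body in the part headers shown in the thread (constructed sample)."""
    return (b"From: a@example.com\r\nTo: b@example.com\r\nSubject: test\r\n"
            b"MIME-Version: 1.0\r\n"
            b'Content-Type: multipart/mixed; boundary="x"\r\n\r\n--x\r\n'
            b'Content-Type: text/plain;\r\n\tcharset="Windows-1252"\r\n'
            b"Content-Transfer-Encoding: 7bit\r\n\r\n" + body + b"\r\n--x--\r\n")

# Constructed samples: wrapped marker text, random-looking bytes, ordinary mail.
WRAPPED = _mime(b"sendmail daemon reported:\r\nError #804 occured during SMTP "
                b"session. Partial message has been\r\nreceived.")
GARBAGE = _mime(bytes(range(0x80, 0x100)) * 2)
CLEAN = _mime(b"Lunch at noon on Thursday?")

if __name__ == "__main__":
    for name, raw in (("wrapped", WRAPPED), ("garbage", GARBAGE), ("clean", CLEAN)):
        print(name, inspect_message(raw))
```
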