New Worm similar to BadTrans.B?

From: Peter Turczak (p_turczakat_private)
Date: Wed Nov 28 2001 - 10:15:24 PST

  • Next message: zeno: "Re: New Worm similar to BadTrans.B?"

    Mailer: SecurityFocus
    
    Hi,
    
    our company has received some e-mails containing 
    some attachments (all of them as mime-type 
    audio/wav) like:
    IS_LINUX_GOOD_ENOUGHX.TXT.pif
    MATRiX_2_is_OUT.SCR
    
    But the filesize differs from the BadTrans.B worm 
    which we also received. Interesting output of 
    "strings IS_LINUX_GOOD_ENOUGHX.TXT.pif":
    --------SNIP------------
    NII.nai.avp.AVP.F-Sef-
    semaplpandsophndmiafeeyennlywatbavyman[;
    wildlist.oil.esafe.cperfectsupcomplex.isHiServ.comh
    iserv.commetro.ch>
    beyond.commcafee.compandasoftwearthlink.inexar.comc
    omkom.co.meditrade.mabex.com>
    cellco.comsymantec.csuccessfulinforamp.nnewell.coms
    i
    ngnet.cobmcd.com.abca.com.nztrendmicrosophos.commap
    le.com.netsales.nf-secure.cF-Secure.cX
    .
    .
    .
    Software provide by [MATRiX] VX team:
    Ultras, Mort, Nbk, LOrd DArk, Del_Armg0, Anaktos
    Greetz:
    All VX guy on #virus channel and Vecna
    Visit us: www.coderz.net/matrix
    .
    .
    .
    README.TXT.pif
    I_wanna_see_YOU.TXT.pif
    MATRiX_Screen_Saver.SCR
    LOVE_LETTER_FOR_YOU.TXT.pif
    NEW_playboy_Screen_saver.SCR
    BILL_GATES_PIECE.JPG.pif
    TIAZINHA.JPG.pif
    FEITICEIRA_NUA.JPG.pif
    Geocities_Free_sites.TXT.pif
    NEW_NAPSTER_site.TXT.pif
    METALLICA_SONG.MP3.pif
    ANTI_CIH.EXE
    INTERNET_SECURITY_FORUM.DOC.pif
    ALANIS_Screen_Saver.SCR
    READER_DIGEST_LETTER.TXT.pif
    WIN_$100_NOW.DOC.pif
    IS_LINUX_GOOD_ENOUGH!.TXT.pif
    QI_TEST.EXE
    AVP_Updates.EXE
    SEICHO-NO-IE.EXE
    YOU_are_FAT!.TXT.pif
    FREE_xxx_sites.TXT.pif
    I_am_sorry.DOC.pif
    Me_nude.AVI.pif
    Sorry_about_yesterday.DOC.pif
    Protect_your_credit.HTML.pif
    JIMI_HMNDRIX.MP3.pif
    HANSON.SCR
    FUCKING_WITH_DOGS.SCR
    MATRiX_2_is_OUT.SCR
    zipped_files.EXE
    BLINK_182.MP3.pif
    .
    .
    .
    ----------SNAP-----------
    
    It seems that the filenames are hardcoded. The most 
    interesting lines are those "AVP.avp." things, 
    which look like hostnames of some anti-virus 
    vendors.
    
    Maybe there have already been messages about this 
    worm; if not, I could provide the complete message 
    (still transport encoded and the .pif only) for 
    research purposes.
    
    
    Greetings 
    
      Peter Turczak
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
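The two traits the post observes, executables named with a document-looking inner extension (README.TXT.pif, MATRiX_2_is_OUT.SCR) and delivered under a Content-Type of audio/wav, are exactly what a mail gateway can flag without any signature. The following is an added example, not code from the post or from SecurityFocus; it builds a constructed sample message with those attachment names and classifies each attachment using only the standard library `email` package.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows executes as programs; the post's samples use .pif and .SCR.
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat", "vbs"}
# Inner extensions that make a double-extension name look like a harmless file.
DOCUMENT_EXTS = {"txt", "jpg", "mp3", "doc", "html", "avi"}
# Declared types that should never carry an executable (the post saw audio/wav).
NON_EXEC_TYPES = {"audio/wav", "audio/x-wav", "text/plain", "image/jpeg"}


def classify_attachment(filename: str, content_type: str) -> list[str]:
    """Return the red flags for one attachment; an empty list means no flag."""
    flags = []
    parts = filename.lower().rsplit(".", 2)      # keep up to two trailing extensions
    last = parts[-1] if len(parts) > 1 else ""
    if last in EXECUTABLE_EXTS:
        flags.append("executable-extension")
        # e.g. README.TXT.pif: a document extension hides the executable one
        if len(parts) == 3 and parts[1] in DOCUMENT_EXTS:
            flags.append("double-extension")
        if content_type.lower() in NON_EXEC_TYPES:
            flags.append("content-type-mismatch")
    return flags


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw RFC 822 message and classify every attachment by filename."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {
        (part.get_filename() or ""): classify_attachment(
            part.get_filename() or "", part.get_content_type())
        for part in msg.iter_attachments()
    }


def build_sample() -> bytes:
    """Constructed sample mirroring the post: executables declared as audio/wav."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"     # placeholder addresses
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    stub = b"MZ\x90\x00"                        # constructed stand-in, not a real binary
    msg.add_attachment(stub, maintype="audio", subtype="wav",
                       filename="IS_LINUX_GOOD_ENOUGHX.TXT.pif")
    msg.add_attachment(stub, maintype="audio", subtype="wav",
                       filename="MATRiX_2_is_OUT.SCR")
    msg.add_attachment("meeting notes", subtype="plain", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for name, flags in scan_message(build_sample()).items():
        print(f"{name}: {', '.join(flags) or 'clean'}")
```

Running it flags both .pif/.SCR attachments and leaves notes.txt clean; in a real gateway the same checks would be applied to the parsed message before it reaches a mailbox.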
    



    This archive was generated by hypermail 2b30 : Wed Nov 28 2001 - 10:19:27 PST