The traffic you are seeing is the W95.MTX virus. It's been out since August of last year. I don't know why the sudden increase in traffic.

Aron

From Symantec.com:

Also Known As: W95.Oisdbo, W95.MTX.dr, W95.MTX (.dll), W32/Apology-B

Technical description:

Worm component

The worm component makes a copy of Wsock32.dll and names it Wsock32.mtx. The Send export function of this .mtx file is then modified to point to its own code. This allows the virus to mail a copy of the worm infected with this virus to the same person to whom the user sends an email message (using the same program).

Here is a list of file names that this virus might use when it sends the infected worm to other people. For those files with .pif extensions, the .pif extension might not be visible in your mail program.

I_wanna_see_you.txt.pif
Matrix_screen_saver.scr
Love_letter_for_you.txt.pif
New_playboy_screen_saver.scr
Bill_gates_piece.jpg.pif
Tiazinha.jpg.pif
Feiticeira_nua.jpg.pif
Geocities_free_sites.txt.pif
New_napster_site.txt.pif
Metallica_song.mp3.pif
Anti_cih.exe
Internet_security_forum.doc.pif
Alanis_screen_saver.scr
Reader_digest_letter.txt.pif
Win_$100_now.doc.pif
Is_linux_good_enough!.txt.pif
Qi_test.exe
Avp_updates.exe
Seicho_no_ie.exe
You_are_fat!.txt.pif
Free_xxx_sites.txt.pif
I_am_sorry.doc.pif
Me_nude.avi.pif
Sorry_about_yesterday.doc.pif
Protect_your_credit.html.pif
Jimi_hendrix.mp3.pif
Hanson.scr
F___ing_with_dogs.scr
Matrix_2_is_out.scr
Zipped_files.exe
Blink_182.mp3.pif

zeno <bugtraqat_private> on 11/28/2001 08:30:51 AM

To: p_turczakat_private (Peter Turczak)
cc: incidentsat_private (bcc: Aron Croft/ASC/US/AON)
Subject: Re: New Worm similar to BadTrans.B? [Virus Checked]

I've been getting .pif, .exe, .mp3 and .scr also. Maybe 15 today alone. All with same mime type you describe.

- zenoat_private

>
> Mailer: SecurityFocus
>
> Hi,
>
> our company has received some e-mails containing
> the some attachments (all of them as mime-type
> audio/wav) like:
> IS_LINUX_GOOD_ENOUGHX.TXT.pif
> MATRiX_2_is_OUT.SCR
>
> But the filesize differs from the BadTrans.B worm
> which we also received. Interesting output of
> "strings IS_LINUX_GOOD_ENOUGHX.TXT.pif":

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
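
An added example, not part of the original messages: a Python check a mail gateway could apply for the attachment pattern reported in this thread (a .pif, .scr or .exe file name, often hidden behind a second extension, declared as audio/wav). The function names, the MEDIA_TYPES set and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string

# Extensions seen on the attachments reported in this thread.
EXECUTABLE_EXTS = {"pif", "scr", "exe"}
# Assumption: top-level MIME types that should never label such a file.
MEDIA_TYPES = {"audio", "image", "video", "text"}

def check_attachment(filename, content_type):
    """Return the reasons an attachment matches the pattern described above."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return []
    reasons = ["executable extension ." + parts[-1]]
    if len(parts) > 2:
        reasons.append("double extension ." + parts[-2] + "." + parts[-1])
    if content_type.split("/")[0] in MEDIA_TYPES:
        reasons.append("declared as " + content_type)
    return reasons

def scan_message(raw):
    """Map each flagged attachment name in a raw RFC 822 message to its reasons."""
    flagged = {}
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        reasons = check_attachment(name, part.get_content_type()) if name else []
        if reasons:
            flagged[name] = reasons
    return flagged

# Constructed sample message (not a captured mail); the bodies are placeholders.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: audio/wav
Content-Disposition: attachment; filename="IS_LINUX_GOOD_ENOUGHX.TXT.pif"

placeholder
--XX
Content-Type: audio/wav
Content-Disposition: attachment; filename="greeting.wav"

placeholder
--XX--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

The check looks only at the declared name and type, so it catches the mismatch described in the reports without opening the attachment.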
This archive was generated by hypermail 2b30 : Wed Nov 28 2001 - 10:38:57 PST