Hi David,

That would be Yaha-K. This new variant is spreading heavily in Holland. Earlier today McAfee upgraded the worm to a medium risk:
http://vil.nai.com/vil/content/v_99918.htm

There are many subject lines/Message bodies/Attachment names that W32/Yaha.k may use. It's very likely spreading because of problems with the invalid MIME formatting of some of the Yaha.k mails. The worm is known to be able to pass through mailsweeper v4.2x.

Kind regards
Peter Kruse
Security consultant
http://www.krusesecurity.dk

----- Original Message -----
From: "David Gillett" <gillettdavidat_private>
To: "'Incidents List'" <incidentsat_private>
Sent: Monday, December 30, 2002 11:03 PM
Subject: Virus? Trojan?

> So far today, I've received two email messages from
>
> kbl-zrz2519.zeelandnet.nl [62.238.233.233]
>
> which, apparently, claimed in its HELO message to *be*
> our local MX (which of course was who it was talking TO).
> Sounds to me like a bug in the sending software.
>
> The other thing these messages had in common was a
> 33KB .scr ("screen saver") executable attachment.
> Norton doesn't recognize this as a known threat, but
> I don't want to be the first to learn the hard way what
> it does.
>
> MAYBE this is just ill-conceived and poorly-written
> spam. Maybe it's something more serious. Anybody know
> one way or the other?
>
> David Gillett
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
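
Added example, not part of the original thread: a small triage check for the two traits reported above, a sender whose HELO name is the receiving site's own MX and an executable attachment such as .scr. The MX name mx.example.org, the file name and the sample message are constructed, and the Received header layout is an assumption about the receiving MTA.

```python
import re
from email import message_from_string

# Extensions Windows runs directly; .scr is the type reported in the thread.
EXECUTABLE_EXT = {".scr", ".exe", ".pif", ".com", ".bat"}

# Assumed Received layout: "from <HELO name> (<rDNS> [<IP>]) by <our host> ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*"
    r"\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)", re.I)

def triage(raw, local_mx_names):
    """Return a list of findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    local = {n.lower() for n in local_mx_names}
    findings = []
    received = msg.get_all("Received") or []
    if received:
        # Only the top-most Received line was written by our own MX.
        m = RECEIVED_RE.search(" ".join(received[0].split()))
        if m and m["helo"].lower() in local and m["rdns"].lower() not in local:
            findings.append(f"helo-claims-local-mx:{m['ip']}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in EXECUTABLE_EXT):
            findings.append(f"executable-attachment:{name}")
    return findings

# Constructed sample (mx.example.org and sample.scr are hypothetical).
SAMPLE = """\
Received: from mx.example.org (kbl-zrz2519.zeelandnet.nl [62.238.233.233])
\tby mx.example.org with SMTP; Mon, 30 Dec 2002 13:40:00 -0800
From: someone@example.net
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="sample.scr"
Content-Disposition: attachment; filename="sample.scr"

AAAA
--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE, ["mx.example.org"]))
```

Malformed MIME of the kind mentioned in the reply can keep a parser from seeing the attachment at all, so an empty result from this check does not clear a message.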
This archive was generated by hypermail 2b30 : Mon Dec 30 2002 - 16:19:52 PST