Re: Virus? Trojan?

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: Mon Dec 30 2002 - 18:00:15 PST

    gillettdavidat_private wrote:
    
    >   So far today, I've received two email messages from
    > 
    > kbl-zrz2519.zeelandnet.nl [62.238.233.233]
    > 
    > which, apparently, claimed in its HELO message to *be*
    > our local MX (which of course was who it was talking TO).
    > Sounds to me like a bug in the sending software.
    > 
    >   The other thing these messages had in common was a 
    > 33KB .scr ("screen saver") executable attachment.
    > Norton doesn't recognize this as a known threat, but
    > I don't want to be the first to learn the hard way what
    > it does.
    > 
    >   MAYBE this is just ill-conceived and poorly-written 
    > spam.  Maybe it's something more serious.  Anybody know
    > one way or the other?
    
    One of the new Yaha variants is quite widespread right at the moment. 
    Many scanners detect it as Yaha.K, but some suggest it is another 
    variant, and I'm fairly sure it is what MessageLabs has listed as 
    Yaha.M.
    
    Anyway, we have seen cases of this being missed entirely by "block PE 
    executable" type policies at some content filtering gateways because 
    of faults in the gateway scanner's assumptions about MIME attachments 
    (although these assumptions are based on correct interpretation of 
    the relevant RFCs, virus writers and popular Email clients do not pay 
    too slavish attention to RFC details...).  I have also heard that 
    (some versions of) NAV were missing this variant if updated via the 
    auto-update method but then magically detected the virus if a manual 
    update was forced.
    
    Anyway, a normal copy of Yaha.K is 34,304 bytes and more of the 
    filenames in the list it selects its "infected" Email message's 
    attachment name from are .SCR types than any other -- about 3 to 1 -- 
    so the odds are high it will come as an SCR attachment.  I'd say the 
    odds are good that you have been seeing a Yaha variant and probably 
    Yaha.K.  MessageLabs 24 hour reports show Yaha.M currently running 
    second to Klez.H and well ahead of the rest of the pack and several 
    vendors have raised alerts about the rate at which this is spreading.
    
    
    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
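
An added example, not code from either poster, of the gateway point made above: a "block PE executable" rule that trusts the declared Content-Type misses an attachment whose MIME labelling is sloppy, while a rule that decodes each part and inspects the bytes for the PE "MZ" magic catches it. The message and the stub payload below are constructed (the stub is only a header, not a program), and the helper names are my own.

```python
import base64
from email import message_from_bytes, policy

# Constructed stub: just the MZ magic plus padding, not a runnable program.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60

# Constructed message: the second part carries an .scr name on a text/plain
# Content-Type with no Content-Disposition, the kind of RFC-sloppy labelling
# that a type-based gateway rule can overlook.
SAMPLE_MESSAGE = (
    b"From: sender@example.invalid\r\n"
    b"To: postmaster@example.invalid\r\n"
    b"Subject: hi\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    b"\r\n--XYZ\r\n"
    b"Content-Type: text/plain\r\n\r\nhi\r\n"
    b"--XYZ\r\n"
    b"Content-Type: text/plain; name=screensaver.scr\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(PE_STUB) + b"\r\n"
    b"--XYZ--\r\n"
)

EXEC_TYPES = {"application/octet-stream", "application/x-msdownload"}
EXEC_EXTS = (".exe", ".scr", ".pif", ".com")


def blocks_by_declared_type(raw: bytes) -> bool:
    """Gateway rule that trusts the declared Content-Type; misses mislabelled parts."""
    msg = message_from_bytes(raw, policy=policy.default)
    return any(p.get_content_type() in EXEC_TYPES for p in msg.walk())


def find_executables(raw: bytes) -> list:
    """Decode every leaf part and judge the bytes and the name, not the label."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # decode=True undoes base64/quoted-printable whatever the type header says
        body = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        if body[:2] == b"MZ" or name.endswith(EXEC_EXTS):
            hits.append((name, part.get_content_type()))
    return hits


def blocks_by_content(raw: bytes) -> bool:
    return bool(find_executables(raw))
```

Running `find_executables(SAMPLE_MESSAGE)` reports the .scr part even though its declared type is text/plain, which the type-only rule lets through.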
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 18:52:28 PST