David Gillett wrote Monday, December 30, 2002 5:03 PM
> So far today, I've received two email messages from
> kbl-zrz2519.zeelandnet.nl [62.238.233.233]
> which, apparently, claimed in its HELO message to *be*
> our local MX (which of course was who it was talking TO).
> Sounds to me like a bug in the sending software.
> The other thing these messages had in common was a
> 33KB .scr ("screen saver") executable attachment.
> Norton doesn't recognize this as a known threat, but
> I don't want to be the first to learn the hard way what
> it does.
I've gotten 4 more Yaha-M-infected messages from this same source today. I
received a few at around the same time you did, starting December 31 when
Yaha-M had not yet been listed. The sender must have one of the first
infected computers. They may be a member of this list or someone who visits
the list archives.
Since the infections are still coming I've notified the administrator of
zeelandnet.nl - hopefully they will hunt the user down and help them clear
the infection.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Jan 12 2003 - 12:42:43 PST