David Gillett wrote Monday, December 30, 2002 5:03 PM > So far today, I've received two email messages from > kbl-zrz2519.zeelandnet.nl [62.238.233.233] > which, apparently, claimed in its HELO message to *be* > our local MX (which of course was who it was talking TO). > Sounds to me like a bug in the sending software. > The other thing these messages had in common was a > 33KB .scr ("screen saver") executable attachment. > Norton doesn't recognize this as a known threat, but > I don't want to be the first to learn the hard way what > it does. I've gotten 4 more Yaha-M-infected messages from this same source today. I received a few at around the same time you did, starting December 31 when Yaha-M had not yet been listed. The sender must have one of the first infected computers. They may be a member of this list or someone who visits the list archives. Since the infections are still coming I've notified the administrator of zeelandnet.nl - hopefully they will hunt the user down and help them clear the infection. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Jan 12 2003 - 12:42:43 PST