RE: Virus? Trojan?

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: Sun Jan 12 2003 - 15:39:18 PST

    "James C Slora Jr" <Jim.Sloraat_private> wrote:
    
    > >   So far today, I've received two email messages from
    > > kbl-zrz2519.zeelandnet.nl [62.238.233.233]
    > 
    > > which, apparently, claimed in its HELO message to *be*
    > > our local MX (which of course was who it was talking TO).
    > > Sounds to me like a bug in the sending software.
    > 
    > >   The other thing these messages had in common was a
    > > 33KB .scr ("screen saver") executable attachment.
    > > Norton doesn't recognize this as a known threat, but
    > > I don't want to be the first to learn the hard way what
    > > it does.
    > 
    > I've gotten 4 more Yaha-M-infected messages from this same source today. I
    
    I think that is unlikely, as they are infected with Yaha.K.  However, 
    as you did not identify the scanner that told you Yaha.M, I'll grant 
    that you may just be repeating incorrect information given you by 
    your scanner.  A week or so back these were the unique names reported 
    among products representing some 20-odd different scan engines:
    
      1  Lentin.H
      1  I-Worm.Lentin.i
      1  Lentin.K
      1  HLLM.Yaha.1
      3  I-Worm/Yaha.K
      5  Yaha.K
      1  Yaha-K
      1  Yahaa.K
      1  Worm/Yaha.M
      1  Yaha.N
      1  WORM_YAHA.K
    
    To ease the comparison, I removed any standard platform indicating 
    precursors (such as "W32" or "Win32") and all standard or otherwise 
    modifiers (such as "@mm" and ".Worm") after any standard sub-variant 
    name part.  Further simplifying, by removing non-standard name 
    components before the family name (e.g. "I-Worm", "WORM_") and 
    accepting non-standard delimiters (e.g. "-" instead of "." for the 
    sub-variant delimiter) we get:
    
      1  Lentin.H
      1  Lentin.i
      1  Lentin.K
      1  Yaha.1
     10  Yaha.K
      1  Yahaa.K
      1  Yaha.M
      1  Yaha.N
    
    And, assuming that "Yahaa" was a typo on the part of ... (well, it 
    doesn't really matter), we get:
    
      1  Lentin.H
      1  Lentin.i
      1  Lentin.K
      1  Yaha.1
     11  Yaha.K
      1  Yaha.M
      1  Yaha.N
    
    So, I guess it's easy to see where the naming confusion could come 
    from.  This was not helped by the fact that MessageLabs listed Yaha.K 
    as Yaha.M for a while.  It is now listed there as W32/Yaha.K!e2a2 
    (note MessageLabs' use of the new "!" name modifier indicating the 
    "!" and everything to its right is not officially part of the name).
    
    > received a few at around the same time you did, starting December 31 when
    > Yaha-M had not yet been listed. The sender must have one of the first
    > infected computers. They may be a member of this list or someone who visits
    > the list archives.
    
    The problem here is that that machine has been infected with Yaha.K 
    and not Yaha.M -- at least, I am still receiving, and have only 
    received, Yaha.K messages from that machine.  The latest one I 
    received had a Date: header (created by the virus) of:
    
       Date: Fri,10 Jan 2003 13:23:41 PM
    
    Yaha.K was discovered before Christmas, and although that machine 
    seemed to start spewing out Yaha Email as Yaha.M was first being 
    reported, it is not infected with Yaha.M but with Yaha.K as a simple 
    analysis of the file attached to its Email shows.
    
    I agree that the sender may be on this list or a frequenter of the 
    archives.  If you are reading this and are a cable (the "kbl" of 
    "kbl-zrz2519.zeelandnet.nl" is, at a guess, a contraction of the Dutch 
    for "cable") customer of zeelandnet.nl, please head to one of the AV 
    sites for a description of Yaha.K (or one of the names above!) and 
    find out how to fix it and then do something about getting protected 
    so as to reduce the likelihood of becoming infected again.
    
    > Since the infections are still coming I've notified the administrator of
    > zeelandnet.nl - hopefully they will hunt the user down and help them clear
    > the infection.
    
    So have I -- the problem is they decided the best action was to 
    prevent that IP accessing their mail server:
    
       Thanks for the message.
    
       The user is blocked for outgoing e-mail to block this virus.
    
    As they don't really say how or what they have blocked, and the 
    messages keep coming, I guess they have blocked access to their own 
    mail servers, which the virus will not try to use except when it 
    tries to send itself to an address for which a zeelandnet.nl mail 
    server is the mail-exchanger (AFAICT, Yaha.K's SMTP engine tries to 
    resolve MX records in the DNS then sends its mail directly to that 
    SMTP server rather than relying on any "local" SMTP servers to relay 
    for it).
    
    
    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
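The name-collapsing that Nick walks through above (dropping platform prefixes, type prefixes, trailing modifiers, the "!" suffix, and non-standard delimiters, then tallying) as an added worked example; this is not code from the post or from any scanner vendor, and the input list is the eleven raw names reproduced from the post.

```python
import re
from collections import Counter

# Constructed input: the raw scanner names and their counts as listed in the post.
RAW_NAMES = [
    (1, "Lentin.H"), (1, "I-Worm.Lentin.i"), (1, "Lentin.K"), (1, "HLLM.Yaha.1"),
    (3, "I-Worm/Yaha.K"), (5, "Yaha.K"), (1, "Yaha-K"), (1, "Yahaa.K"),
    (1, "Worm/Yaha.M"), (1, "Yaha.N"), (1, "WORM_YAHA.K"),
]


def normalize(name):
    """Reduce a vendor detection name to Family.variant for cross-scanner comparison."""
    # The "!" modifier (e.g. MessageLabs' "!e2a2") and everything right of it is not
    # officially part of the name, so drop it first.
    name = name.split("!", 1)[0]
    # Platform precursors such as "W32/" or "Win32." carry no family information.
    name = re.sub(r"^(W32|Win32)[./_-]", "", name, flags=re.IGNORECASE)
    # Non-standard type prefixes before the family name: "I-Worm.", "Worm/", "WORM_", "HLLM."
    name = re.sub(r"^(I-Worm|Worm|HLLM)[./_-]", "", name, flags=re.IGNORECASE)
    # Trailing modifiers after the sub-variant: "@mm", ".Worm"
    name = re.sub(r"(@mm|\.worm)$", "", name, flags=re.IGNORECASE)
    # Accept "-" as well as "." between family and sub-variant; normalise family case
    # so that "YAHA.K" and "Yaha.K" collapse, but leave the variant letter untouched.
    m = re.match(r"^([A-Za-z]+)[.-]([A-Za-z0-9]+)$", name)
    if not m:
        return name  # unrecognised shape: leave as-is rather than guess
    family, variant = m.group(1), m.group(2)
    return f"{family.capitalize()}.{variant}"


def tally(entries, aliases=None):
    """Sum counts per normalised name; `aliases` folds suspected typos (hypothetical map)."""
    aliases = aliases or {}
    counts = Counter()
    for n, raw in entries:
        norm = normalize(raw)
        counts[aliases.get(norm, norm)] += n
    return dict(counts)


if __name__ == "__main__":
    for label, alias_map in (("after normalising", None),
                             ("assuming 'Yahaa' is a typo", {"Yahaa.K": "Yaha.K"})):
        print(label)
        for name, n in sorted(tally(RAW_NAMES, alias_map).items()):
            print(f"  {n:3d}  {name}")
```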
    



    This archive was generated by hypermail 2b30 : Sun Jan 12 2003 - 17:39:55 PST