RE: klez variant??

From: James C Slora Jr (Jim.Sloraat_private)
Date: Fri Jan 31 2003 - 13:10:20 PST


    Maybe Sadhound
    
    http://www.sarc.com/avcenter/venc/data/backdoor.sadhound.html
    http://www.messagelabs.com/viruseye/report.asp?id=130
    (read both - they have very different perspectives on this malware)
    
    This had a big outbreak stopped in the Netherlands a few days ago, but it is
    reportedly still being sent around. It is supposedly not a worm, but is sent
    manually - the intruder sends it in the guise of spam.
    
    Senders of the trojan are using triple extensions, which bypass many file
    extension filters and Outlook internal protection features. Sadhound was not
    picked up by Symantec until today so it could easily have bypassed your AV
    protection. I have not checked other vendors for the status of their
    protection.
    
    Just a guess. HTH.
    
    - Jim
    
    
    -----Original Message-----
    From: Peter Snell [mailto:PSnellat_private]
    Sent: Thursday, January 30, 2003 13:11
    To: Incidentsat_private
    Subject: klez variant??
    
    
    Over the past 2 days, we have been seeing a resurgence of Klez type
    activity.  However, this appears to be getting past our a/v software.  The
    symptoms we see are:
    
    - spoofed email address
    - unusual subject
    - no body
    - attachments with .scr, .bat, .exe, .jpg extensions (there may be others,
    but this is what we've examined so far)
    - when the email is opened, even in preview pane, it launches Media Player
    but is unable to find the specified file.
    
    Has anyone else seen this type of activity lately, or have any thoughts on
    this?
    
    Thanks,
    
    Peter
    
    
    Peter Snell, MCP
    LAN Admin
    Daymon Associates
    * (210) 299-8164
    * psnellat_private
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
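Jim's point about triple extensions is that a filter keyed on the final extension alone is not enough. The following is an added example, not code from the thread: an attachment-name check that inspects every dotted extension and flags executable types wherever they appear, plus any name carrying more than one extension. The executable set is an assumption (the .exe, .scr and .bat Peter reports, plus a few well-known Windows executable types); the sample names are constructed.

```python
# Added example (not from the thread). Attachment-name check that looks at every
# extension in a filename rather than only the last one, so a "triple extension"
# such as readme.txt.bat.exe is caught along with plain .exe/.scr/.bat names.
# Assumption: the extensions the post reports (.exe, .scr, .bat) plus a few
# other well-known Windows executable types.
EXECUTABLE_EXTS = {"exe", "scr", "bat", "com", "pif"}

def extensions(filename):
    """All dotted extensions, lowercased, after trimming trailing dots/spaces.
    'Photo.JPG.bat.scr' -> ['jpg', 'bat', 'scr']; 'readme' -> []."""
    name = filename.strip().rstrip(". ")
    parts = name.split(".")
    return [p.strip().lower() for p in parts[1:] if p.strip()]

def classify_attachment(filename):
    """Return the reasons an attachment name should be held ([] if none)."""
    exts = extensions(filename)
    reasons = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable final extension ." + exts[-1])
    hidden = [e for e in exts[:-1] if e in EXECUTABLE_EXTS]
    if hidden:
        reasons.append("executable extension before the final one: " + ", ".join(hidden))
    if len(exts) >= 2:
        reasons.append("multiple extensions (%d)" % len(exts))
    return reasons

# Constructed sample attachment names for the demonstration.
SAMPLE_ATTACHMENTS = [
    "photo.jpg",
    "invoice.exe",
    "holiday.jpg.scr",
    "readme.txt.bat.exe",
    "notes.exe .txt",   # a space inside the name; the inner '.exe' still flags
]

def scan(names):
    """Map each attachment name to its list of reasons, for a mail-gateway rule."""
    return {n: classify_attachment(n) for n in names}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_ATTACHMENTS).items():
        print("%-22s %s" % (name, "; ".join(reasons) or "ok"))
```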
    